Illinois Supreme Court Rules Privacy Act Claims Have Five Year Statute of Limitations

On February 2, 2023, the Supreme Court of the State of Illinois ruled that all claims under Section 15 of the state’s Biometric Information Privacy Act (Privacy Act or BIPA) have a five year statute of limitations.

The decision partially overturns an appellate court ruling that had found claims under subsections 15(c) and 15(d) of the Privacy Act were governed by a one-year limitations period under Illinois law for defamation and privacy claims. Despite the fundamental purpose of the Privacy Act to prevent publication or disclosure of biometric data, the court ruled that all claims under Section 15 are instead subject to a catchall five-year statute of limitations.

Background

An employee filed suit against his former company, alleging that the company’s use of a fingerprint scanning biometric time clock violated subsection 15(a) of the Privacy Act, which requires a publicly available policy regulating the retention and deletion of biometric information, and subsections 15(b) and 15(d), which requires consent for the collection and disclosure of biometric information.

The Privacy Act does not contain an express limitations period for bringing claims. The employee argued that a catchall five-year limitations period should apply to all the subsections, while the company argued that since the claims are rooted in privacy, a one-year statute of limitations under Illinois law “for publication of matter violating the right of privacy” should apply.

The Decision

In the decision by Justice P. Scott Neville Jr., the Illinois Supreme Court held that the appellate court erred in applying two different limitations periods to the Section 15 subsections, and that only the five-year statute of limitations governed.

The court recognized that the one-year statute of limitations could apply to subsections 15(c) and 15(d) because the words “sell,” “lease,” “trade,” “disclose,” redisclose,” and “disseminate,” contained in the subsections “could be defined as involving publication.” Nonetheless, the court ruled that “it would be best to apply the five-year catchall limitations period” to all the subsections, in part because it would further the “goal of ensuring certainty and predictability in the administration of limitations periods.”

The court further noted that in defamation and privacy cases, plaintiffs are expected to quickly learn of it and to act quickly to stop it in order to protect their reputation. Conversely, “the full ramifications of the harms associated with biometric technology is unknown,” and therefore “it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation of the Act.”

However, the analysis in the relatively short opinion did not delve into the overall purpose of the Privacy Act to protect biometric privacy and enable individuals to control the collection of their biometric information and prevent the unauthorized dissemination or publication of that information.

The company argued that the subsections of Section 15 work together for this purpose, especially to guard against identity theft, and that the purpose does not change depending on what subsection is at issue. Even if claims do not allege “publication,” the company argued, the nature of Section 15 claims is that of privacy rights and the one-year statute of limitations for privacy claims should govern Section 15.

Key Takeaways

The case is the latest to review the bounds of the Privacy Act as employers are increasingly using biometric technology to improve efficiency in the workplace. Had the Illinois Supreme Court ruled that that the one-year limitation applied to claims under Section 15 of the Privacy Act, it could have substantially reduced the overall number of potential class members in pending and future Privacy Act lawsuits. As a result of the decision, employees (and consumers) will have five years to file claims for violations of the collection, retention, and dissemination of their biometric information.

Employers may want to review their policies for collecting and storing employee biometric information and review their workplace technology to determine to what extent, if any, they are collecting biometric data from their employees.