Varied Limitations Periods Apply to Different Sections of BIPA
In a ruling that is unlikely to change the tide or significantly impact the disposition of litigation under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Appellate Court recently held that (i) a five-year limitations period applies to claims under BIPA Sections 15(a), (b) and (e); and (ii) a one-year limitations period applies to claims under BIPA Sections 15(c) and (d). The Appellate Court’s holding in Tims, et al. v. Black Horse Carriers, Inc. clarifies the applicable statutes of limitations under the Act, while leaving open a number of additional questions, including when a BIPA claim begins to accrue.
The Tims, et al. v. Black Horse Carriers, Inc. Decision
In the Tims case, Plaintiff Jorome Tims sued Black Horse Carriers, Inc. (“Black Horse”) in March 2019, alleging that Black Horse violated BIPA when it scanned the fingers of its employees, including plaintiff, for timekeeping purposes.1 Specifically, plaintiff alleged that Black Horse violated Sections 15(a), (b) and (d) of the Act. Those Sections of the Act place both restrictions and affirmative obligations on private entities related to biometric identifiers (such as fingerprints, voiceprints, retinal scans and facial geometry) and biometric information (e.g., information based on biometric identifiers to the extent used to identify an individual), including the following:
Private entities in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for destroying the information. 740 ILCS 14/15(a).
Private entities which collect, capture, purchase, receive or otherwise obtain biometrics must first inform the subject of that fact in writing, as well as the specific purpose and length of time for which the information will be retained, and must obtain a written release executed by the subject. 740 ILCS 14/15(b).
Private entities are prohibited from selling or disclosing biometric identifiers or biometric information, subject to certain exceptions. 740 ILCS 14/15(d).
Notably, the Act contains no provision as to the applicable statute of limitations. Therefore, Black Horse moved to dismiss the complaint, arguing that the one-year limitations period applied for privacy actions under Section 13-201 of the Illinois Code of Civil Procedure (the “Code”). The one-year limitations period established by Section 13-201 applies to “actions for slander, libel or for publication of matter violating the right of privacy.” 735 ILCS 5/13-201. Plaintiffs argued that the five-year limitations period should apply to the Act, for all civil actions where no statute of limitations is otherwise provided, as stated under Section 13-205 of the Code. See 735 ILCS 13/201 and 13/205.
The Appellate Court found that different statutes of limitations applied to different Sections of the Act. The Appellate Court reasoned that the one-year limitations period under Section 13-201 “does not encompass all privacy actions but only those where publication is an element or inherent part of the action.” As a result, the Appellate Court held that the one-year limitations period applies to claims under BIPA Sections 15(c) (which forbids a private party to “sell, lease, trade, or otherwise profit from” biometric data) and 15(d) (which prohibits the selling or disclosing of biometric data). In contrast, the Appellate Court found that claims under BIPA Sections 15(a), (b) and (e,)2 which do not require a defendant’s publication or disclosure of biometric data, are subject to the five-year limitations period under Section 13-205 of the Code.
The Tims Ruling’s Impact on Your Business
The Tims decision appears unlikely to have a significant impact on the typical BIPA case. Just like Tims, most BIPA cases are brought against an employer or other user of devices that allegedly capture or collect biometric data for timekeeping or security purposes. As a result, the typical BIPA case includes claims for violations of Section 15(a) or (b), which place affirmative obligations on private entities related to written policies and notices. Almost all trial-level courts to consider the issue applied a five-year limitations period to these claims, and so the Illinois Appellate Court’s Tims decision is consistent with these prior rulings. Since it is uncommon for a BIPA case to be limited to claims for violation(s) of Section 15(c) or (d), the one-year limitations period announced in Tims will rarely affect a BIPA case in its entirety.
Nor has Tims completely resolved the BIPA statute of limitations issue. Specifically, Tims did not address when a BIPA claim accrues for purposes of applying the limitations period. The accrual issue is currently pending before the Seventh Circuit Court of Appeals in Cothron v. White Castle System, Inc. In addition, the Illinois Third District Appellate Court is considering the applicable BIPA limitations period in Marion v. Ring Container Technologies LLC. In light of the potential for inconsistent rulings between Tims and Marion, and Cothron’s request that the Seventh Circuit refer the accrual issue to the Illinois Supreme Court, significant questions remain and weigh heavily over the BIPA landscape. It may well take rulings by the Illinois Supreme Court to provide final clarity as to these questions.
Ultimately, every business should perform a critical analysis as to any business practice that potentially concerns biometrics (including employee timekeeping, identification procedures or security protocols). The failure to fully comply with BIPA, even when such a failure results in no actual injury to an individual, may lead to significant liability. Vedder Price attorneys are at the forefront in defending BIPA claims and counseling clients on BIPA-related policy and disclosure language.
1 In September 2019, the complaint was amended to add Isaac Watson as a plaintiff.
2 Section 15(e) of the Act requires a private entity in possession of biometric data to “store, transmit, and protect from disclosure all” biometric data using a reasonable standard of care. 740 ILCS 14/15(e).