Illinois Supreme Court Allows Five-Year Statute of Limitations for BIPA Claims
March 6, 2023
**** UPDATE ****
On February 17, the Illinois Supreme Court ruled that BIPA claims accrue at each collection or dissemination of biometric information (per scan accrual). In a 4-3 decision, the Illinois Supreme Court in Cothron v. White Castle Sys., Docket No. 128004, Feb. 17, 2023, held that biometric information is captured each time a scan is taken (Section 15(b)), and that an entity violates the statute every time it disseminates biometric information without obtaining consent (Section 15(d)). This decision creates the potential for significant damages for entities that violate BIPA. The majority held that courts have discretion when presiding over class actions to “fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business” and acknowledged that the legislature “chose to make damages discretionary rather than mandatory under the Act” and “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” While defendants can invoke these principles to argue against disproportionate damages awards, defendants face uncertainty about whether and the extent to which trial courts will apply them. The majority also did not address the constitutional concerns with potentially large statutory damage awards that may not be linked to the amount of actual harm, if any, and instead suggested that the legislature review the concern about potentially excessive damages awards “and make clear its intent regarding the assessment of damages under the Act.” This development, along with the establishment of a five year statute of limitations we addressed in our original alert below, will exert significant pressure on entities that are collecting or are accused of collecting biometric information.
****
On February 2, the Illinois Supreme Court held that claims brought under Illinois Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, rather than the one and two-year limitations that some lower courts had established for at least some violations under BIPA. Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Ill. Feb. 2, 2023). The Illinois Supreme Court stated that the longer limitations period would further the legislative intent of BIPA to protect the safety of the public. The decision will surely be welcomed by the plaintiffs’ bar and could contribute to the already robust volume of BIPA litigation.
BIPA sets certain duties for private entities that collect, store, or use biometric data, such as fingerprints, of individuals in Illinois. These duties include making certain data retention and destruction protocols publicly available if biometric data is collected or otherwise obtained, obtaining consent before collection or disclosure, refraining from selling biometric data, and storing and transmitting biometric data according to a reasonable standard of care. 740 ILCS 14/15.
In Tims, a plaintiff sued his former employer for scanning his fingerprints, alleging three BIPA violations: that his employer did not adhere to a retention and destruction protocol, did not obtain his consent before collecting his data, and disclosed his data to third parties without his consent. The defendant moved to dismiss the claims as untimely, arguing that claims under BIPA should be subject to section 13-201 of the Illinois Code of Civil Procedure, which governs “actions for the ‘publication of matter violating the right of privacy’” and was, therefore, subject to a one-year statute of limitations. The trial court held that the Code’s five-year “catch-all” statute of limitations governed instead. The appellate court disagreed in part, applying a one-year statute of limitations to claims involving publication or disclosure of biometric data (such as claims for selling data or disclosing data without consent), but applying a five-year statute of limitation for claims where “no element of publication or dissemination” exists (such as claims regarding the retention policy, collection, and reasonable care measures). The Illinois Supreme Court concluded that applying two different time limitations for different BIPA subsections would “create an unclear, inconvenient, inconsistent, and potentially unworkable regime,” so it applied the state’s “five-year catchall limitations period” for all subsections of BIPA.
BIPA suits present a significant risk to companies, with potential statutory penalties of up to $1,000 for each negligent violation and $5,000 for each intentional or reckless violation of the Act. It is important that entities that may have information about persons in Illinois evaluate their current policies and practices for compliance. And with a five year statute of limitations now established, entities should be mindful that historical deficiencies in their practices could lead to present-day lawsuits.
And there may be more significant BIPA developments on the horizon. In Cothron v. White Castle Sys., 20 F.4th 1156 (7th Cir. 2021) (certifying question), the Illinois Supreme Court will address questions about accrual of BIPA claims, which could include deciding whether a BIPA claim accrues from a single overt act (single accrual) or at each collection or dissemination of biometric information (per scan accrual). If the Court were to decide that the “per-scan” theory of accrual is correct, this would significantly increase potential damages for at least some BIPA claims.
Adopting litigation strategies swiftly to address and minimize the risk of multiple, protracted lawsuits will be key to managing BIPA risk. BIPA suits have been a hot area of privacy litigation, and the Tims decision – and potentially upcoming Cothron decision – will only add fuel to that fire.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, and Shruti Kannan, an O'Melveny associate licensed to practice law in the District of Columbia and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.