For several years, companies that collect, use, and store the biometric information of Illinois residents have lived in fear of violating the Biometric Information Privacy Act (BIPA),¹ due to a tidal wave of class action filings resulting in multi-million dollar settlements and verdicts in Illinois and elsewhere. In the wake of back-to-back opinions issued by the Illinois Supreme Court in February 2023, companies subject to BIPA now face even greater legal exposure. The decisions, which establish a five-year statute of limitations period, and allow for accrual of each independent use of biometric information, respectively, create the potential for astronomical statutory damages awards that will put businesses at risk of financial peril.

Enacted in 2008, BIPA establishes a regulatory framework for the private collection, use, retention, destruction, and disclosure of Illinois citizens’ biometric identifiers and information. The statute is unique among the small number of biometric privacy laws in the United States in that it provides a private right of action to persons “aggrieved by a violation” of the statute. Specifically, BIPA allows for $1,000 per violation ($5,000 if willful), plus recovery of attorneys’ fees and costs. Not surprisingly, BIPA has been the subject of hundreds of class actions filed against companies of all sizes and industries, with jury verdicts and class settlements sometimes ranging into the eight- or even nine-figure range.

Although plaintiffs file BIPA class action complaints nearly every day, state and federal courts are still defining the contours of the law. Due to the lack of clarity in the statute itself, courts have had trouble answering two questions in particular. First, what statute of limitations period should apply? There had been support for a one-, two-, or even five-year period under Illinois law. Second, when do claims accrue: at each violation, or only at the first violation? On both questions, the Illinois Supreme Court found in favor of the plaintiffs.

The impact of the Illinois Supreme Court’s recent decisions will expand the size of most classes as well as the number of violations for which companies will be responsible. The risk of running afoul of BIPA’s stringent requirements has thus never been greater.

Statute of Limitations

BIPA does not contain a statute of limitations. In the absence of guidance from BIPA itself, courts have considered which of three Illinois statute of limitations laws applies to BIPA claims. Section 13-201 of the Illinois Code of Civil Procedure provides a one-year statute of limitations for “[a]ctions for slander, libel or for publication of matter violating the right to privacy. . . .”² This could theoretically apply to claims under BIPA section (d), which addresses the disclosure or dissemination of biometric information. Section 13-202 provides a two-year statute of limitations for damage “for an injury to the person. . . or for a statutory penalty. . . .”³ This could theoretically apply because a violation of the statutory rights granted by BIPA is arguably a personal injury for which there is a statutory penalty. Section 13-205 provides a catchall five-year statute of limitations for “all actions not otherwise provided for. . . .”⁴ This could theoretically apply because BIPA, as stated, does not provide a statute of limitations. In Tims v. Black Horse Carriers, Inc.,⁵ the Illinois Supreme Court resolved this uncertainty and held that a five-year statute of limitations applies to all BIPA claims.

As is the situation in many BIPA complaints, the plaintiff in Tims filed a class action against his former employer for violating multiple sections of BIPA in connection with the collection of employees’ biometric information through its fingerprint-authentication time clock. The plaintiff alleged that the defendant Black Horse violated three sections of BIPA. First, section 15(a), by failing to maintain and adhere to a publicly-available regarding biometric information destruction and retention. Second, section 15(b), by failing to notify and obtain the plaintiff’s consent when collecting his biometrics. And third, section 15(d), by disclosing or disseminating the plaintiff’s biometric information to third parties without his consent.

In a motion to dismiss, Black Horse argued that the plaintiff’s claims were barred because the plaintiff had not asserted his claims within the Illinois’ one-year statute of limitations period that governs violations of privacy rights. The plaintiff argued that the one-year limitations period is inapplicable to BIPA claims because it applies to privacy claims involving “publication,” and liability under BIPA is not limited to the publication of biometric information. Instead, the plaintiff asserted that a five-year statute of limitations period controlled.

After the trial court denied Black Horse’s motion to dismiss, an appellate court held that two statutes of limitations apply to BIPA claims. A one-year statute of limitations for sections 15(c) and 15(d), and a five-year statute of limitations for sections 15(a), 15(b), and 15(e).

In an opinion issued on February 2, 2023, the Illinois Supreme Court held that applying two different statutes of limitations to BIPA would create an inconsistent, unclear, and inconvenient regime, and decided that a five-year statute of limitations applies to all claims under BIPA. The court gave three reasons for its holding.

First, the five-year, catchall statute of limitations provided in section 13-205 of the Illinois Code is regularly applied to statutes that do not specify a limitations period. Second, sections 15(a), 15(b), and 15(e) do not contain language associated with publication, placing them outside of the purview of the one-year statute of limitations for privacy claims involving publication.

Third, the intent of the legislature and the purpose for which BIPA is intended support giving plaintiffs a longer statute of limitations. Even though the language of sections 15(c) and 15(d) could warrant application of the one-year statute of limitations because of references to words involving publication, it would undermine legislative intent to reduce the amount of time a plaintiff has to bring a claim and hold a private entity liable for noncompliance with BIPA. Because the full extent of harm associated with biometric technology is not yet known or understood, the Illinois Supreme Court held that the longer, five-year statute of limitations would better support the legislature’s intent and provide protection to those BIPA is intended to protect.

Claims Accrual

The second of the decisions expanding the legal exposure under BIPA, Cothron v. White Castle Systems,⁶ addressed claim accrual under sections 15(b) and (d) of BIPA, which, as noted, prohibit an entity from collecting and disclosing an individual’s biometric data without the person’s consent. The statute does not specifically address whether a claim accrues only once (when the biometric data is first unlawfully collected or disclosed) or multiple times (with each unlawful collection or disclosure), and prior decisions interpreting these sections had not addressed this precise question. Cothron provided the opportunity for the state court to finally resolve this question. And so it did, finding that the statutory text and the legislature’s intention supported accrual of multiple claims.

Cothron arose from a proposed class action filed by an Illinois employee of a famous fast food chain. The plaintiff pled that, since at least 2008, her employer has used a system that requires employees to scan their fingerprints in order to access their pay stubs and work computers. A third-party vendor then verified the fingerprint scans to authorize the employee’s access. According to the plaintiff, the fast food chain failed to obtain her consent to such scans and disclosure until 2018.

In federal court, the defendant moved for judgment on the pleadings on the basis that the plaintiff’s suit was untimely. The defendant argued that the plaintiff’s claims accrued in 2008, when the defendant first obtained and disclosed plaintiff’s data after BIPA’s effective date. The plaintiff countered that a new claim accrued with each scan and disclosure to the third-party vendor, thus the action was timely for scans and transmissions made during the applicable statute of limitations period.

Ultimately, the Seventh Circuit certified the issue to the Illinois Supreme Court, which held that claims under section 15(b) and (d) accrue with each collection and disclosure of a person’s biometric identifier or information. The majority reasoned that the plain language of the statutory text supported the plaintiff’s argument that the prohibition applies to each and every unauthorized collection or disclosure of biometric information. Although the Illinois Supreme Court acknowledged arguments that “allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and ‘astronomical’ damage awards”, it stated that it could not overcome the clear statutory language, even if the consequences may be “absurd” or “unwise.” The court also noted the legislature’s intent to impose the “strongest possible incentive” to abide by the statute, and any such concerns about the fairness of the outcome should be addressed by the legislature.

Conclusion

Plaintiffs’ lawyers are likely rejoicing at the statute of limitations and claims accrual decisions because they dramatically increase both the size of potential classes and the statutory damages available to plaintiffs. With liquidated damages of $1,000 per negligent violation or actual damages (whichever is greater) and $5,000 per intentional or reckless violation or actual damages (whichever is greater), plus attorneys’ fees and costs, and no limit on total damages, companies that end up on the wrong side of the statute could face crippling liability. Moreover, the offer for the legislature to take up the claims accrual issue, is likely of little comfort to companies subject to BIPA’s provisions. Should the legislature consider the issue at all, any such reform could take significant time to work through the legislative process.

The significant financial exposure companies face under BIPA is now heightened even more with these two decisions. In light of these decisions and the outsize damages at stake, companies that choose to use biometric technology should ensure that they comply with all aspects of BIPA, including by obtaining effective consent that covers each use of the biometric data, posting and abiding by a BIPA-compliant retention and destruction policy, and treating biometric data with the same level of care as other sensitive information.

___________

1 740 ILCS §§ 14/1 – 14/99.

[View source.]