The Illinois Biometric Privacy Act (“BIPA”) has been a fertile source of class action litigation in recent years as courts continue to grapple with the scope of potential liability of employers and other entities who have collected and/or used biometric data such as fingerprints or facial recognition without providing written notice and consent as required by the statute. On February 2, 2023, the Illinois Supreme Court laid to rest the longstanding question of whether the statute of limitations for BIPA claims is one year or five years, holding that the five-year “catchall” limit set in Section 13-205 for all civil actions that do not contain a specific statute of limitations applies to all BIPA claims.
In Tims v. Blackhorse Carriers, Inc., plaintiffs, Jerome Tims and Isaac Watson, filed a class action lawsuit against their employer alleging that it violated BIPA by unlawfully collecting, possessing, and disclosing their fingerprints without providing the required notice and consent when the employees clocked in and out of work using a finger scanning timeclock. The appellate court initially “split the baby” – finding that the one-year limitations period of section 13-201, which applies to actions for torts alleging privacy violations, governs actions under section 15(c) and 15(d) of the Act for selling and disclosing biometric information) and that the five-year “catchall” limitations period of Section 13-205 governs actions under section 15(a), 15(b), and 15(e) of the Act for failing to develop a written policy, failing to inform, or failing to use reasonable care in storage of biometric information. The First District reasoned that selling and disclosing were privacy violations, but violations under the remaining sections were not.
On appeal, the Illinois Supreme Court held that the five-year limitations period applied to all BIPA actions. In so holding, the Court reasoned that the lower court’s decision violated the maxim that statutes should be interpreted with the presumption that the legislature did not intend absurd, inconvenient, or unjust consequences. The court found that two limitations periods could confuse future litigants about when claims are time-barred, “particularly when the same facts could support causes of action under more than one subsection” of the Act.
The Court found that, in practice, all five subsections of Section 15 of the Act have a common purpose: to prescribe rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Citing the desirability of predictability and finality, the court ultimately found that applying the five-year statute of limitations to all subsections was appropriate.
Finally, the Court reasoned that, “[i]n light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, it would thwart legislative intent” to apply the one-year statute of limitations, especially where the “full ramifications of the harms associated with biometric technology is unknown.”
This decision substantially increases the potential liability for employers and other entities who have failed to provide the necessary disclosures and obtain the necessary consent to collect and use biometric data. In addition to Tims, the Illinois Supreme Court will soon issue a ruling in Cothron v. White Castle Systems, which is expected to resolve the question of whether a BIPA violation accrues when an individual’s biometric information is first collected, or if every subsequent collection constitutes an independent violation. Because each “violation” of BIPA potentially exposes the violator to a $1000 penalty regardless of whether the violation has caused any actual harm to the individual whose data was collected, this ruling will also have a significant impact on the potential exposure to BIBA liability for employers who have used fingerprint scanning time clocks or other biometric devices without following the notice and consent requirements of BIPA.
As should be apparent, if a business collects biometric information (such as finger scans) from employers or customers for timekeeping or other purposes, to avoid potential exorbitant liability it should immediately take steps to comply with BIPA’s notice and consent requirements.