The Illinois Supreme Court recently held that all claims brought under the Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, partly overturning a lower court decision that had applied a one-year limitations period to some claims brought under the law.  See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).

The plaintiff, Jorome Tims, filed a putative class action against his former employer, alleging that the trucking and logistics company violated BIPA by requiring its employees to use a time clock with a fingerprint scanner without (i) implementing a publicly available data retention and destruction policy; (ii) notifying employees and obtaining their consent when collecting their biometrics; and (iii) obtaining employee consent before disclosing their biometric information to third parties.  The defendant moved to dismiss the complaint, arguing that the plaintiff’s claims were barred by the one-year statute of limitations under the Illinois Code of Civil Procedure that governs actions for the “publication of matter[s] violating the right of privacy.”

The trial court denied the defendant’s motion, holding that the one-year limitations period was inappropriate because plaintiffs had not alleged defamation or an invasion of privacy, and instead applied the five-year catchall limitation for claims without a defined statute of limitations.  On appeal, the appellate court ruled that BIPA was subject to both statutes of limitations, reasoning that the one-year limit applied to claims based on the subsections of BIPA that concerned the “publication or disclosure” of biometric data, while the five-year catchall limit governed other BIPA claims that did not involve the publication or dissemination of data.  Both parties appealed and requested that a single limitations period be applied to the entire statute.

The Illinois Supreme Court first held that the appellate court erred in invoking two different statutes of limitations, which “could confuse future litigants about when claims are time-barred, particularly when the same facts could support [multiple] causes of action” under BIPA.  Analyzing the statute’s language, the court found that the subsections regulating the establishment of a data retention and destruction policy; notice and written consent prior to collecting biometric data; and the proper storage and protection of collected data contained “no words that could be defined as involving ‘publication[.]’”  The court thus found that those subsections were subject to the Illinois Code of Civil Procedure’s five-year catchall limitations period for claims that have no defined statute of limitations.

While acknowledging that claims based on other sections of BIPA that address the sale, disclosure, and dissemination of data could plausibly involve “publication,” the court nevertheless held that a five-year limitations period should apply to those claims as well.  The court reasoned that a five-year statute of limitations would “ensure certainty, predictability, and uniformity” in determining when claims under BIPA expire, and better comport with the intent of the legislature “by allowing an aggrieved party sufficient time to discover the violation and take action.”  Accordingly, the court ruled that a five-year limitations period controls all claims under BIPA, and remanded the case to the trial court for further proceedings.

The Illinois Supreme Court’s decision in Tims may dramatically expand the pool of eligible plaintiffs under BIPA, and underscores the need for companies to closely monitor their compliance with the statute in collecting, retaining, and disclosing biometric data.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Raymond Lu Raymond Lu

Raymond Lu is a litigator who handles a wide range of complex commercial disputes and class actions in federal and state courts. He represents clients in the technology, financial, and pharmaceutical industries, among others, and maintains an active pro bono practice.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Photo of Eric Bosset Eric Bosset

Eric Bosset is a senior counsel whose practice encompasses a broad range of complex litigation matters, with an emphasis on (1) privacy, data security and consumer protection, (2) employment and ERISA, and (3) financial products and services. Eric has extensive experience in class…

Eric Bosset is a senior counsel whose practice encompasses a broad range of complex litigation matters, with an emphasis on (1) privacy, data security and consumer protection, (2) employment and ERISA, and (3) financial products and services. Eric has extensive experience in class actions, MDL proceedings, and other multi-party lawsuits. His trial victories include a jury verdict in an employment class action lawsuit that The National Law Journal ranked among the 25 most notable defense verdicts of the year.

Privacy and Consumer Protection

Eric was named “Most Valuable Player” in Privacy & Consumer Protection by Law360. He has an extensive practice representing Internet service providers, publishers and advertisers in class action litigation involving claims of unauthorized collection and disclosure of personally identifiable information (“PII”). He has successfully represented Microsoft, AOL, CBS, McDonald’s, Mazda, the Indianapolis Colts, and other companies in obtaining the dismissals of putative class action lawsuits that asserted federal law claims under the Electronic Communications Privacy Act (“ECPA”), Computer Fraud and Abuse Act (“CFAA”), and Video Privacy Protection Act (“VPPA”), as well as state law claims under the Illinois Biometric Information Privacy Act (“BIPA”) and for unfair practices, trespass, and invasion of privacy.

Eric also represents companies in connection with matters arising under the Fair Credit Reporting Act (“FCRA”), Fair and Accurate Credit Transaction Act (“FACTA”), Telephone Consumer Protection Act (“TCPA”), and other consumer protection statutes.

Employment and ERISA

Eric has extensive experience defending companies in individual and class action litigation brought under federal and state laws concerning discrimination, retaliation, whistleblowing, wage and hour disputes, and wrongful termination, as well as in class action litigation involving the Employee Retirement Income Security Act (“ERISA”). Eric has the rare distinction of having tried and won a jury verdict in a class action lawsuit alleging “pattern or practice” discrimination on the basis of age in connection with a corporate reduction in force. Bush, et al. v. Deere & Company (C.D. Ill.). He also secured the reversal on appeal of a class certification order in a “stock drop” lawsuit that claimed breaches of fiduciary duty in the administration of a company retirement savings plan. In re Schering Plough Corporation ERISA Litig., 589 F.3d 585 (3d Cir. 2009). Eric also represents clients in EEOC investigations.

Financial and Fintech

Eric’s practice includes the representation of financial and fintech companies on a broad array of civil litigation, arbitration, and regulatory enforcement matters relating to financial products and services, including matters for Wells Fargo Bank, JPMorgan Chase, Synchrony Bank, Envestnet, Yodlee, and MidFirst Bank.