The Illinois Supreme Court recently held that all claims brought under the Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, partly overturning a lower court decision that had applied a one-year limitations period to some claims brought under the law. See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).
The plaintiff, Jorome Tims, filed a putative class action against his former employer, alleging that the trucking and logistics company violated BIPA by requiring its employees to use a time clock with a fingerprint scanner without (i) implementing a publicly available data retention and destruction policy; (ii) notifying employees and obtaining their consent when collecting their biometrics; and (iii) obtaining employee consent before disclosing their biometric information to third parties. The defendant moved to dismiss the complaint, arguing that the plaintiff’s claims were barred by the one-year statute of limitations under the Illinois Code of Civil Procedure that governs actions for the “publication of matter[s] violating the right of privacy.”
The trial court denied the defendant’s motion, holding that the one-year limitations period was inappropriate because plaintiffs had not alleged defamation or an invasion of privacy, and instead applied the five-year catchall limitation for claims without a defined statute of limitations. On appeal, the appellate court ruled that BIPA was subject to both statutes of limitations, reasoning that the one-year limit applied to claims based on the subsections of BIPA that concerned the “publication or disclosure” of biometric data, while the five-year catchall limit governed other BIPA claims that did not involve the publication or dissemination of data. Both parties appealed and requested that a single limitations period be applied to the entire statute.
The Illinois Supreme Court first held that the appellate court erred in invoking two different statutes of limitations, which “could confuse future litigants about when claims are time-barred, particularly when the same facts could support [multiple] causes of action” under BIPA. Analyzing the statute’s language, the court found that the subsections regulating the establishment of a data retention and destruction policy; notice and written consent prior to collecting biometric data; and the proper storage and protection of collected data contained “no words that could be defined as involving ‘publication[.]’” The court thus found that those subsections were subject to the Illinois Code of Civil Procedure’s five-year catchall limitations period for claims that have no defined statute of limitations.
While acknowledging that claims based on other sections of BIPA that address the sale, disclosure, and dissemination of data could plausibly involve “publication,” the court nevertheless held that a five-year limitations period should apply to those claims as well. The court reasoned that a five-year statute of limitations would “ensure certainty, predictability, and uniformity” in determining when claims under BIPA expire, and better comport with the intent of the legislature “by allowing an aggrieved party sufficient time to discover the violation and take action.” Accordingly, the court ruled that a five-year limitations period controls all claims under BIPA, and remanded the case to the trial court for further proceedings.
The Illinois Supreme Court’s decision in Tims may dramatically expand the pool of eligible plaintiffs under BIPA, and underscores the need for companies to closely monitor their compliance with the statute in collecting, retaining, and disclosing biometric data.