Illinois Supreme Court Applies Five-Year Statute of Limitations on All BIPA Claims

Under the Illinois Supreme Court’s recent decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, individuals now have five years to file claims under any and all subsections of the Illinois Biometric Information Privacy Act (BIPA).

BIPA regulates companies that obtain, use, store, sell, or disclose biometric identifiers or information. The statute requires that these entities comply with certain requirements, namely developing written policies around biometric identifiers, obtaining consent from individuals before collecting or storing biometric information, and taking reasonable care that biometric identifiers remain secure. Companies are also required to comply with certain usage requirements and are prohibited from (1) disclosing or disseminating a person’s biometric information without their consent, and (2) selling, leasing, trading or otherwise profiting from a person’s biometric information. BIPA allows for a private right of action and provides for statutory damages as high as $5,000 per violation.

The BIPA statute does not specify a statute of limitations. Since BIPA litigation began to take off around 2016, defendants have argued that the statute of limitations for all claims under BIPA was either one year or two years, contending that claims were either subject to Illinois’ one-year statute of limitations for privacy actions, 735 ILCS 5/13-201, or two-year statute of limitations for statutory penalties/personal injuries, 735 ILCS 5/13-202. Plaintiffs have argued in response (with more success) that the catch-all five-year limitations of 735 ILCS 5/13-205 should apply.

In 2021, the First District Appellate Court in Illinois decided neither the defense bar nor the plaintiffs’ bar was entirely correct. Rather, it ruled that different limitations periods governed different subsections of BIPA. For claims brought under Sections 15(c) and 15(d) — which govern improper disclosure or improperly profiting from biometrics — a one-year statute of limitations applied because, as defendants argued, these claims involved “publication of matter violating the right to privacy.” For claims brought under Sections 15(a), (b) and (e) — the most frequently litigated sections, governing retention policy, informed consent and data safeguarding requirements — Illinois’s catch-all five-year limitation period applied.

On February 2, 2023, on cross-appeals of the First District decision, the Illinois Supreme Court reversed the lower appellate court’s decision and held that plaintiffs have five years to file suit under all subsections of BIPA. In analyzing the arguments for both the one- and five-year statutes of limitations, the Court agreed with the First District that the one-year statute of limitations for privacy actions could conceivably apply to Sections 15(c) and 15(d) of BIPA, and that it definitely did not apply to Sections 15(a), 15(b) and 15(e). However, the Illinois Supreme Court disagreed with applying two different statutes of limitation, reasoning that bifurcating the statute would “create an unclear, inconvenient, inconsistent and potentially unworkable regime as it pertains to the administration of justice for claims under [BIPA].” Tims, 2023 Ill. Sup. Ct. 127801, ¶ 21. Accordingly, the court held that considering the plain language of the statute, the lack of a statute of limitations embedded in the statute itself and the legislature’s intent to safeguard individuals’ biometric identifiers, shortening the statute of limitations to less than five years would “thwart legislative intent” to allow aggrieved parties to seek redress and to hold violators accountable. Tims, ¶ 32, 39.

Regardless of the limitation period, the question of when BIPA claims begin to accrue remains to be answered. This issue was argued before the Illinois Supreme Court in Cothron v. White Castle System, Inc., in May 2022, with a decision still pending.

Companies doing business in Illinois should continue to closely monitor their use of technology that may utilize biometric identifiers or biometric information as defined by Illinois law. The Tims decision is the latest in a long line of plaintiff-friendly outcomes, beginning with Rosenbach v. Six Flags, holding that plaintiffs need not suffer actual harm under the statute, and Rogers v. BNSF Railway, where a jury awarded approximately $228 million in damages to plaintiffs for 45,600 willful or reckless violations of BIPA. And on January 25, 2023, the Illinois Supreme Court denied defendants’ appeal in Mosby v. Ingalls Memorial Hospital, which held that health care providers’ collection of employees’ finger scans did not fall within BIPA’s statutory exclusion for “information collected, used, or stored for health care treatment, payment[ ], or operations under the federal Health Insurance Portability and Accountability Act of 1996” (HIPAA).

The affirmation of a five-year statute of limitations for all claims under BIPA, alongside these decisions emphasizing BIPA’s scope and the recent nine-figure damages awards, all but ensures that BIPA class action lawsuits will continue to be filed in Illinois state and federal court for some time to come.