Client Alert: Attention Employers: Illinois Appellate Court Applies One-Year and Five-Year Limitation Periods for Biometric Privacy Claims

On September 17, 2021, the Illinois Appellate Court for the First Judicial District issued its highly anticipated decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, ruling that the applicable statute of limitations for claims under the Biometric Information Privacy Act (“BIPA” or the “Act”) depends on the particular violation at issue. Specifically, the Court held that BIPA claims relating to the profit from, or the disclosure of, biometric information (under Sections 15(c) and (d) of the Act) must be brought within one year of the alleged violation, while BIPA claims relating to the failure to develop a written retention policy, obtain informed written consent, or safeguard biometric information (under Sections 15(a), (b), and (e) of the Act) must be brought within five years. Employers had been hopeful that the Tims Court would limit potential exposure by capping the time for plaintiffs to assert BIPA claims to one year. However, in light of the Court’s ruling, it is more important than ever for employers to ensure their existing policies and practices relating to the collection, use, and retention of biometric information comply with BIPA requirements.

Enacted in 2008, BIPA protects individuals’ rights in their biometric information and identifiers, including retina/iris scans, fingerprints, voiceprints, facial geometry, and other unique biological markers. BIPA prohibits private entities from collecting biometric information unless, among other things, they develop a written policy establishing a retention schedule for the destruction of biometric data, obtain informed written consent prior to the collection of biometric information, and take reasonable care to prevent the sale or disclosure of biometric information. A violation of the Act may result in an award for actual damages, liquidated damages of $1,000 (for each negligent violation) or $5,000 (for each intentional or reckless violation), reasonable attorneys’ fees and/or injunctive relief.

In recent years, hundreds of class action lawsuits have been filed alleging BIPA violations. In defending such claims, defendants have asserted (among other things) that a one-year statute of limitations for privacy claims (under 735 ILCS 5/13-201) should apply. Plaintiffs’ counsel have argued for application of the catchall five-year statute of limitations (under 735 ILCS 5/13-205). The Act is silent as to the applicable statute of limitations, and thus litigants have looked to the courts for guidance on this issue.

In Tims, the First District Illinois Appellate Court, for the first time, opined as to the applicable statute of limitations under BIPA. However, the Court’s long-awaited ruling failed to offer the relief sought by employers. In particular, after examining the defendant’s arguments in support of the one-year statute of limitations for privacy claims, the Court concluded that the one-year limitations period applies only to BIPA claims based on the unlawful profiting from, or disclosure of, biometric information as “publication or disclosure of biometric data is clearly an element” of such claims. Conversely, the Court ruled that a five-year limitations period applies to claims relating to the failure to establish the required retention policy, obtain written informed consent prior to the collection of biometric information, and/or safeguard biometric information from disclosure. In support of its ruling, the Court noted that, contrary to the defendant’s arguments, BIPA notice and retention claims are not “action[s] for publication of matter violating the right to privacy,” and thus could not fall within the one-year limit on privacy claims.

Although the Tims Court’s ruling may be subject to further challenge, the decision is significant as it provides the first Illinois appellate court guidance as to the applicable statute of limitations for BIPA claims. In light of this newly established standard, plaintiffs counsel may be emboldened in their efforts to identify and file suit concerning perceived BIPA violations. Accordingly, it is imperative that employers that utilize biometric information for timekeeping or other purposes ensure that cybersecurity policies and procedures address reasonable administrative, technical, and physical safeguards,  and a BIPA compliant policy is in place and that written releases have been obtained for all individuals from whom biometric information is collected. Absent such precautions, employers will continue to face significant exposure from potential BIPA litigation.

If you have any questions regarding employer rights and obligations under the Biometric Information and Privacy Act, please contact Alex Dominguez, Kaytee Okon, or your Neal Gerber Eisenberg attorney.

The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal Gerber Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.