Time Is On My Side: The Illinois Supreme Court Decides Which Statute of Limitations Governs BIPA Lawsuits and When BIPA Violations Occur

ABSTRACT: When enacted, BIPA left many unanswered questions due to a lack of certain provisions and terms in the Act. One such question was which statute of limitations governed BIPA lawsuits.  Since BIPA contains no statute of limitations provision, the question has been left to the courts to resolve.  Similarly, BIPA does not indicate whether a violation occurs, and thus a claim accrues, every time an entity scans or transmits a person’s biometric information, or only upon the first scan or first transmission.  After much anticipation, the Illinois Supreme Court determined that the Illinois five-year “catchall” statute of limitations applies to BIPA claims and that a claim accrues each time an entity scans or transmits a person’s biometric information in violation of the Act.

When reading the Biometric Information Privacy Act (“BIPA”), the reader may come away with more questions than answers due to a lack of certain important provisions in the Act. For example, what is the statute of limitations for filing a BIPA suit? Even though BIPA grants aggrieved parties the right to file suit, BIPA contains no statute of limitations provision.  Not surprisingly, the lack of a statute of limitations provision has created confusion and invited disputes over which statute of limitation applies to BIPA claims. 

A related question involves when BIPA violations occur, such that a claim accrues (i.e., the right to file suit) and the limitations period begins to run.  In particular, do claims accrue under BIPA only the first time an entity violates the Act against an individual, thus triggering the statute of limitations, or do claims accrue each time an entity violates the Act against an individual, triggering a new limitations period for each violation?

There has been much anticipation as cases involving both questions worked their way through the lower courts, given the likely impact their resolution will have on BIPA lawsuit filing rates and the amount of damages available in BIPA lawsuits.  In February 2023, the Illinois Supreme Court answered both questions.  In doing so, the court issued opinions consistent with its recent holdings in other BIPA lawsuits, broadly interpreting the scope of and rights available under the Act.    

Statute of Limitations

In January 2022, we discussed the Illinois Supreme Court granting a petition for leave to appeal in a case involving which statute of limitations applies to BIPA claims.  One year later, on February 2, 2023, the Illinois Supreme Court issued its opinion in the case Tims v. Black Horse Carriers, Inc., 2023 IL 127801.  In that case, Tims filed a class-action complaint against his former employer, Black Horse, alleging that it violated Sections 15(a), (b), and (d) of BIPA.  Black Horse filed a motion to dismiss, arguing that the plaintiff’s claims were barred by Illinois’ one-year statute of limitations (735 ILCS 5/13-201).  The one-year statute of limitations applies to claims involving the “publication of matter violating the right of privacy.”  Black Horse reasoned that this limitations period applied because the plaintiff’s BIPA claims concerned violations of privacy.

In response, the plaintiff argued that the one-year limitations applies to privacy claims where “publication” is an element of the claim.  According to the plaintiff, BIPA claims do not involve publication of biometric data and, therefore, the one-year limitations should not apply.  Instead, the plaintiff argued that Illinois’ five-year “catchall” statute of limitations (735 ILCS 5/13-205) applied.  The “catchall” limitations provision applies to “all civil actions not otherwise provided for.”  The plaintiff reasoned that since BIPA does not have a statute of limitations provision, BIPA claims are “not otherwise provided for.”  

The circuit court denied the defendant’s motion to dismiss, finding that the five-year limitations period applied.  On appeal, the Illinois First District Court of Appeals determined that claims under Sections 15(c) and (d) of BIPA are governed by the one-year limitations provision because “publication or disclosure of biometric data is clearly an element” of those claims.  By contrast, the court determined the five-year limitations provision applied to claims under Sections 15(a), (b), and (e) because “no element of publication or dissemination” existed in those claims.

The Illinois Supreme Court began by determining that applying two statutes of limitations to BIPA failed to align with one of the purposes of a limitations period; namely, to reduce uncertainty and create finality and predictability in the administration of justice.  The court explained that two limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support claims under more than one subsection of Section 15.  The court further noted that statutes should be interpreted with the presumption that the legislature did not intend absurd, inconvenient, or unjust consequences when enacting a statute, which the court believed would result by applying two different statutes of limitations to BIPA.

The court next examined the plain language of Section 15 of BIPA.  Although the plaintiff brought claims only under subsections (a), (b), and (d), the court addressed all five subsections of Section 15.  As to subsections (a), (b), and (e), the court agreed with the appellate court’s conclusion that there is no language in these subsections that could be defined as involving publication.  Rather, these subsections regulate the development of a retention schedule and guidelines for destroying biometric information, require notice and written consent before collecting or storing biometric information, and prohibit selling or profiting from biometric information.  Thus, the court determined that these subsections do not involve publication of matter violating a privacy right, as required to fall within the purview of the one-year limitations period.  Accordingly, the court concluded that the five-year limitations period applies to claims brought under these subsections.

As to subsections (c) and (d), the court explained that the use of the words “sell,” “lease,” “trade,” “disclose,” “redisclose,” and “disseminate” in those subsections could be defined as involving publication and, thus, fall within the one-year limitations period.  The court, however, indicated that when considering not just the plain language of Section 15 but also legislative intent, the purposes to be achieved by BIPA, and the lack of a limitations period in BIPA, the “best” result would be to apply the five-year limitations period.  The court reiterated that this conclusion achieves the goal of ensuring certainty and predictability in the administration of limitations periods.

Next, the court determined that the five-year limitations period should be applied because BIPA does not contain a statute of limitations provision.  In doing so, the court explained that Illinois courts have routinely applied the catchall limitations period to other statutes lacking a specific limitations period.  The court cited as examples refund actions, Prevailing Wage Act claims, and Wage Payment and Collection Act claims.

Finally, the court concluded that the legislature’s policy concerns would be accomplished by applying the five-year limitations period.  Specifically, the court cited legislative concerns over public fears of and risks to the public surrounding the disclosure of highly sensitive biometric information.  According to the court, it would “thwart legislative intent” to shorten the amount of time:  1) an aggrieved party would have to seek redress for a violation of BIPA, and 2) a private entity would be held liable for noncompliance with BIPA.  Similarly, the court contrasted BIPA claims with defamation torts, which are subject to the one-year limitations provision.  For defamation claims, individuals are expected to quickly become apprised of their injury and act just as quickly when their reputation has been publicly compromised.  By contrast, the court reasoned that the full ramifications of the harms associated with biometric technology is unknown, and absent BIPA’s protections, it is unclear when or if an individual would discover evidence of the disclosure of his or her biometric information. 

You can find the full opinion in Tims here. 

Accrual of BIPA Claims

As previously discussed here, courts also have had to address when violations of BIPA occur to determine if a BIPA lawsuit is timely.  In Cothron v. White Castle System, Inc., 2023 IL 128004 the Illinois Supreme Court specifically examined when claims under Sections 15(b) and (d) accrue.  In that case, the plaintiff had been employed by White Castle since 2004.  Shortly after her employment began, White Castle began requiring employees to scan their fingerprints and using a third-party vendor to analyze the biometric data.  BIPA became effective in 2008.  The plaintiff, however, did not file suit until 2018.  In her complaint, the plaintiff alleged that White Castle collected her biometric information in violation of Section 15(b) and disseminated the information in violation of Section 15(d).  

White Castle argued that the plaintiff failed to file suit within the applicable limitations period because her claim accrued in 2008, when White Castle first obtained her biometric data after BIPA’s effective date.  In other words, White Castle took the position that: 1) only one violation of BIPA existed, 2) the violation occurred the first time White Castle collected her biometric data after BIPA became effective, and 3) the statute of limitations began running on the date of that violation.  In response, the plaintiff argued that a new claim accrued – and, therefore, a new statute of limitations period began – each time White Castle scanned her fingerprints and sent her biometric information to a third-party vendor.  The plaintiff was successful at the district court level, prompting White Castle to appeal.  Based upon the novelty of the questions and the reasonableness of the parties’ arguments, the Seventh Circuit Court of Appeals certified the question to the Illinois Supreme Court. 

On appeal, the court began by examining Section 15(b).  That Section requires entities to obtain informed consent from an individual or their legally authorized representative before collecting, capturing, purchasing, receiving, or otherwise obtaining the individual’s biometric information.  White Castle argued that a claim under this Section can accrue only once – when the biometric information is initially collected, captured, purchased, received, or obtained.  White Castle reasoned that the requirement of first obtaining informed consent refers to a singular point in time; namely, before the initial collection of biometric information.  Additionally, White Castle claimed that the verbs used in Section 15(b) (i.e., collect, capture, purchase, receive, and obtain) all mean to gain control, which White Castle argued could happen only once based on the plain meaning of the terms. 

In rejecting this argument, the court explained that White Castle’s system required the capture of the plaintiff’s biometric information each time she scanned her fingerprints, rather than on only one occasion.  Moreover, the court noted flaws with White Castle’s suggestion that “collection” or “capture” of biometric information occurs only when an entity first obtains a fingerprint to store in its database and subsequent scans are merely “routine” authentication scans.  White Castle maintained that the plaintiff’s claim accrued in 2008 with the first scan of her fingerprint after BIPA’s enactment.  However, White Castle first obtained a copy of her fingerprint years before 2008.  Thus, the first scan after BIPA went into effect was a routine authentication scan rather than the type of capture or collection White Castle claimed was required to trigger liability under Section 15(b).  The court further noted that BIPA requires entities to inform individuals how long their biometric data will be collected, which shows that the legislature contemplated collection as being something that would happen more than once.  Ultimately, the court concluded that an entity violates Section 15(b) each time it collects, captures, or otherwise obtains a person’s biometric information without informed consent. 

As to Section 15(d), that Section prohibits an entity from disclosing, redisclosing, or disseminating a person’s biometric information unless the entity has obtained consent or certain exceptions apply.  White Castle argued that the plain meaning of Section 15(d) implicates the disclosure of biometric information by one party to a new, third party that has not previously possessed the biometric information.  Thus, according to White Castle, a violation of Section 15(d) can occur only on the first instance of a disclosure of biometric information to a third party.  In response, however, the court noted that Section 15(d) applies not only to disclosure, but also to the “redisclosure” of biometric information.  The term redisclose suggests repeated disclosures of the same biometric information to the same third party.  Moreover, the court likened 15(d)’s use of the phrase “otherwise disseminate” to a catchall provision that broadly applies to any way that an entity may disseminate a person’s biometric information.   Consequently, the court determined that a Section 15(d) claim accrues upon each transmission of a person’s biometric information without prior informed consent.

Next, the court rejected White Castle’s “nontextual” arguments.  Specifically, White Castle contended that an injury occurs under BIPA when an individual loses the right to control his or her biometric information.  White Castle characterized this loss as a “single overt act” that occurs only the first time the individual’s biometric information is collected or disclosed.  The court, relying on its prior decision in Rosenbach v. Six Flags Ent. Corp., indicated that an injury under Section 15 is the statutory violation itself.  Stated differently, it is the violation of Section 15 that constitutes an injury and, therefore, causes a claim to accrue.

Finally, the court addressed White Castle’s argument that construing Sections 15(b) and (d) to mean that a claim accrues for each scan or transmission of biometric information made in violation of the Act would result in “astronomical” damage awards that would constitute “annihilative liability.”  According to the court, the legislature intended to subject private entities who violate BIPA to “substantial potential liability.”  Additionally, the court noted that it has repeatedly held that where statutory language is clear, it must be given effect, even though the consequences may be harsh, unjust, absurd, or unwise.  Despite that language, the court explained that the legislature apparently chose to make damages discretionary rather than mandatory under BIPA.  See, 740 ILCS 14/20 (detailing the damages a prevailing party “may” recover).  Similarly, the court highlighted that there is no language in BIPA suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.

You can find the full opinion in Cothron here.

Conclusion