Parties alleging violations of the Illinois Biometric Information Protection Act (“BIPA”) now have five years to bring their claim. The Illinois Supreme Court issued its decision last week, which overruled an intermediate appellate decision that applied a one-year statute of limitations to certain violations, while allowing five years for others. In so holding, the Court found the unique legislative intent behind BIPA and the lack of a specific limitations period within the Act warranted application of the longer default limitations period.
Background – Nature of the Action vs. Elements of the Claim
In Tims v. Black Horse Carriers, Inc, No. 127801, 2023 IL 127801 (IL 2023), a former employee filed a class action against the company alleging that it violated sections 15(a), (b), and (d) of BIPA. Specifically, the plaintiffs alleged that the violations stem from the company’s use of a fingerprint authentication time clock. They alleged that the company violated section 15(a) by failing to adhere to a publicly available biometric information retention and destruction policy; violated section 15(b) by failing to obtain consent when collecting the fingerprints; and violated section 15(d) by disclosing the biometric information to third parties without consent.
In response, the company moved to dismiss. The company argued that the former employees’ claim was time barred by Section 13-201 of the Illinois Code of Civil Procedure (the “Code”), which prescribed a one-year statute of limitations. The company – looking to the nature of the action – reasoned that Section 13-201 governed actions for the “publication of matter violating the right of privacy,” which, it argued, should apply to violations of “privacy statutes” like BIPA.
The former employees looked to the elements of the claims. They argued that all BIPA violations were instead governed by Section 13-205 of the Code – a catch-all statute that applied a five-year limitations period. The employees further argued that the one-year limitation could not apply because their claims did not involve the “publication” of biometric data. The trial court agreed with the employees and denied the motion to dismiss, reasoningthat the employees only alleged violations of the Act, not invasions of privacy or defamation. Moreover, the trial court noted that BIPA itself does not contain a limitations period, making the catch-all limitation appropriate.
The appellate court reversed in part, finding the one-year limitation period applied to section 15(c) and 15(d) violations, while the five-year limitation applied to section 15(a) violations. The appellate court reasoned that the one-year limit applied to claims under section 15(c) and 15(d) because those claims “clearly” included publication or disclosure of biometric information as an element of the claim. Further, the court reasoned that the section 15(a) claim should have a five-year limit because that claim had “no element” of publication or dissemination.
The Supreme Court Decision
The Illinois Supreme Court found that all BIPA claims are subject to a five-year statute of limitations.
First, the Court agreed with the parties that only one limitations period should govern the Act. To rule otherwise, the Court reasoned, would create an “unclear” and “unworkable regime,” which courts should seek to avoid.
Second, the Court agreed with the appellate court’s finding that claims under section 15(a) (as well as (b) and (e)) contain “no words” that could be defined as “publication.”
The Court, however, noted that section 15(c) and 15(d) claims were a closer call. The Court acknowledged the argument that those sections contain words involving “publication” (such as “disclose,” “redisclose,” and “disseminate”), especially in light of the Court’s definition of “publication” in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (finding “publication” has more than one meaning, and could mean disclosure to one person). But the Court found that the language of the statute alone was not dispositive.
Instead, the Court looked to the legislative intent behind BIPA in addition to its language. The Court found that the legislature intended to regulate the collection, use, retention, disclosure, and destruction of biometric information. The Court noted that the legislature was aware of public weariness around the use of biometric information, that the “full ramifications of biometric information” are not fully known, and that there is “no recourse” once that information is compromised. As such, the Court reasoned that shortening the time for seeking redress under the Act would thwart legislative intent to safeguard the unique information.
Third, the court distinguished BIPA claims from other “privacy-related” claims like defamation. The Court noted that defamation claims have a short limitations provision because aggrieved parties are expected to quickly discover injury to their public reputation. Conversely, little is known about the potential harm from disclosure of biometric information, so it is unclear whether an aggrieved party would discover evidence of the disclosure. Therefore, the Court found a longer limitation provision was appropriate.
Accordingly, absent a specific limitations period in the Act, and based on the strong legislative intent to protect biometric information, the Court held that all BIPA claims are subject to the five-year catch-all limitations provision.
The Tims decision further boosts BIPA’s potency as a major liability risk for companies that collect and disseminate biometric data.
The Tims decision further boosts BIPA’s potency as a major liability risk for companies that collect and disseminate biometric data. BIPA, which provides a private right of action to those whose biometric data has been collected or used without consent, has resulted in hundreds of suits to date, including a suit against Google settled for $100 million and a recent $228 million jury verdict against BNSF Railway finding 45,600 discrete BIPA violations.
Illinois courts consistently have found that various types of insurance, including Comprehensive General Liability (CGL) and Employment Practices Liability (EPL) policies, provide coverage for BIPA violations, mostly rejecting insurance companies’ attempts to deny coverage by invoking general exclusions pertaining to disclosure of confidential information and data-related liability. As we noted in our discussion of the BNSF verdict, however, policyholders should expect insurance companies to continue to attempt to add biometric or BIPA-specific exclusions to such policies – and perhaps to start adding them to other types of policies as well, such as cyber and D&O policies. The ruling in Tims, applying the extended statute of limitations to all BIPA suits, provides further stimulus to insurance companies to try to exclude BIPA liability from coverage going forward.
Policyholders should be on the lookout for these exclusions and seek to avoid them if at all possible. Similarly, if offered endorsed coverage specifically for biometric privacy violations, companies should be wary of inadequate sublimits. To avoid such coverage pitfalls, companies should consult with brokers and experienced coverage counsel to review both existing policies and new or renewal policies.
To download this article please click here.