Chicago, Ill. (September 17, 2021) - Today, in a highly-anticipated opinion, the Illinois First District Appellate Court ruled in Tims v. Black Horse Motor Carriers, Inc. that different statutes of limitations apply to different provisions of the Illinois Biometric Information Privacy Act (BIPA, or the Act). This ruling has far reaching implications for all pending BIPA litigation and is likely to be appealed.

The First District held that Illinois' five-year catch-all statute of limitations applies to Sections 15(a), 15(b) and 15(e) of the Act, which requires private entities to develop and adhere to a publicly-available written policy and data retention schedule and obtain consent to collect biometric data from an individual before doing so. The First District also held that Illinois' one-year statute of limitations for privacy claims involving publication applies to Sections 15(d) and 15(c) of BIPA. Those provisions of BIPA mandate that companies in possession of biometric data cannot sell, trade, or disclose biometric data to third parties without first obtaining consent from the user to do so.

Prior to the First District's opinion in Tims, state and federal trial courts had held, nearly uniformly, that a five-year statute of limitations applied to all provisions of BIPA. In reaching the conclusion that Sections 15(c) and 15(d) are covered by the one-year limitations period for privacy claims, the First District looked to the Illinois Supreme Court's holding in Sekura v. West Bend Mutual Insurance Co. that "publication" includes dissemination of information to a single entity as well as the public at large. The First District's opinion thus affirmed that allegations that a company unlawfully disclosed users' biometric data to third-party vendors are covered by the one-year limitations period and not the five-year period as argued by plaintiffs.

The First District concluded its opinion by noting, in dicta, that because a "'prevailing party may recover for each violation,' a plaintiff who alleges and eventually proves violations of multiple duties could collect multiple recoveries of liquidated damages." The court therefore signaled that a plaintiff may be able to stack multiple violations of the Act and recover $1,000 or $5,000 for each violation. Should the court hold as much, companies that use biometric technology without abiding by BIPA notice and consent regime could face draconian liability for damages under the Act.

The statute of limitations issue decided in Tims also bears directly on the open issue of when the statute of limitations begins to accrue, whether that is the first time an individual's data are collected or whether a violation occurs each time a company obtains biometric identifiers. The Seventh Circuit Court of Appeal heard argument on that issue in Cochron v. White Castle earlier this week. We will monitor that case and provide an update when a decision is rendered.

Lewis Brisbois has been on the cutting edge of BIPA litigation defense and compliance services and established the country's first dedicated BIPA practice, chaired by Chicago Partners Mary Smigielski and Josh Kantrow. Our BIPA team stands ready to defend businesses that are facing BIPA claims and assist with BIPA compliance obligations. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.