Melissa G. Powers, Associate

Since the Illinois Supreme Court’s 2019 landmark decision in Rosenbach v. Six Flags Entertainment Corp., holding that mere statutory non-compliance, without more, is sufficient “injury” to allow individuals to sue for damages and injunctive relief under the Illinois Biometric Information Privacy Act (“BIPA”), the floodgates have opened for BIPA litigation, with groups of individuals bringing hundreds of class action suits against companies. These suits brought issues to light not expressly addressed by BIPA’s statutory language, including the applicable statute of limitations, and many suits settled in part due to the uncertainty of the legal landscape. After inconsistent decisions among lower courts, with some even applying different limitations periods to different subsections of BIPA, the Illinois Supreme Court has finally set the record straight. On February 2, 2023, in Tims v. Black Horse Carriers, Inc., No. 2023 IL 127801, the Illinois Supreme Court unanimously established a five-year statute of limitations for all BIPA claims. This pivotal decision is the first of two highly anticipated rulings from the Illinois Supreme Court in 2023 on BIPA liability and appears certain to further increase companies’ exposure under BIPA.

Because BIPA itself does not contain a statute of limitations, lower courts had been analyzing whether the one-year limitations period under 735 ILCS 5/13-201 for violations of the right to privacy or the catch all five-year limitations period under 735 ILCS 5/13-205 govern claims under BIPA. Lower courts had split on the issue, and, in the Tims case, the Illinois appellate court had held that a one-year statute of limitations applies to claims under sections 15(c) and 15(d) of BIPA, but that the five-year statute of limitations applies to claims under sections 15(a), 15(b) and 15(e) of BIPA. For the plaintiff in Tims, claims subject to the one-year limitation would be bared, while claims subject to the five-year limitation would survive.

In establishing the five-year statute of limitations for all BIPA claims, the Illinois Supreme Court explained that it looked to “purposes to be achieved” by BIPA and to “reduce uncertainty and create finality and predictability in the administration of justice.” However, while the court’s ruling gives parties some predictability, there remains uncertainty as to when a claim starts to accrue, another ambiguity in the statutory text that the Court is anticipated to interpret this year.

BIPA allows a prevailing party to recover “for each violation” (1) liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations; and (2) liquidated damages of $5,000 or actual damages, whichever is greater, for intentional or reckless violations. Some Illinois courts have interpreted “for each violation” to mean that a BIPA violation accrues only once—at the time of the first violation with respect to each individual—while other Illinois courts have interpreted it to mean that the violation accrues every time a BIPA violation occurs with respect to each individual. This similarly crucial issue remains before the Illinois Supreme Court in the case Cothron v. White Castle System, Inc., which was argued in May 2022.

No matter how the Court ultimately rules in Cothron, the statutory damages for BIPA violations will add up quickly and the five-year limitations period set forth in Tims will give groups a lengthy window to bring claims for such damages.

As courts continue to interpret BIPA cases and other cases involving biometric data collection, use, or breaches, the companies utilizing biometric technology or using this data need to stay aware of potential pitfalls, liability, and increasing regulation. If you need assistance complying with biometric information laws or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.