Key Takeaways

  1. A Potential Increase in Claims, Costs, and Damages
  2. Reduce Liability Through Transparency

On February 2, 2023, the Illinois Supreme Court ruled that all Biometric Information Privacy Act (“BIPA”) claims are uniformly subject to a five-year statute of limitations, expanding liability for businesses collecting biometric information.[1] In Tims v. Black Horse Carriers, Inc., the court found that a longer, uniform statute of limitations for all claims under BIPA best fulfilled the legislative intent to hold private entities accountable and provide redress for data subjects.[2] The Tims decision partially reversed an appellate court’s interlocutory decision that applied a one-year statute of limitations to some sections of BIPA, while applying a five-year statute of limitations to others.[3] This highly anticipated decision will allow companies to understand and manage their liability risk and will also likely fuel the growth of future BIPA lawsuits. 

Background

The matter arises from a class action lawsuit filed by Jorome Tims against his former employer, Black Horse Carriers, Inc. (“Black Horse”), alleging that when Black Horse scanned his fingerprints, the company violated BIPA sections 15(a), 15(b), and 15(d).

The Illinois Biometric Information Privacy Act is the country’s first comprehensive biometric privacy legislation. BIPA contains five obligations for private entities collecting biometric information: 

  • 15(a) requires entities to develop and make public an information retention policy; 
  • 15(b) prohibits a private entity from collecting biometric information without first obtaining informed consent from the data subject;
  • 15(c) prohibits a private entity from profiting from the sale of biometric information; 
  • 15(d) prohibits disclosure of biometric information without the consent of the subject; and
  • 15(e) requires entities to protect biometric information from disclosure.[4] 

Statutory damages can be steep and add up quickly, accruing per violation.[5] A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation.[6] Plaintiffs are also entitled to pursue attorney fees, and actual damages in the event the actual damages are higher than the statutory amount.[7] The courts are currently evaluating what is considered a violation under BIPA, in particular, whether BIPA liability accrues per data subject or per incidence – in other words, per scanned employee or per fingerprint. At up to $5000 per violation, a per incident accrual would significantly increase possible damages for entities collecting biometric data and make even small businesses liable for huge sums. 

Illinois Supreme Court Decision

The Illinois Supreme Court relied on legislative intent to determine the statute of limitations for BIPA claims in Tims.[8] The court declined to apply two different limitations as to “reduce uncertainty and create finality and predictability.”[9] The court contemplated the practical impact of multiple time constraints, noting that “[t]wo limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support causes of action under more than one subsection of [BIPA].” Considering “the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in [BIPA],” the court found that the five-year catchall limitation period would best apply.[10] The court believed policy considerations were best served by a longer limitation period because of “the fears of and risks to the public surrounding the disclosure of … biometric information.” The longer limitation period would enhance the ability for an aggrieved party to seek redress and lengthen the time a company could be held liable of noncompliance.[11] 

Key Takeaways

A Potential Increase in Claims, Costs, and Damages

The expansion of liability resulting from the extended five-year statute of limitations will open the door to an increased number of BIPA actions, expanding both the number of possible plaintiffs and the number of possible claims. All BIPA cases that had been stayed awaiting the Tims decision will now be allowed to proceed under the expanded statute of limitations. Additional cases may be brought that had previously been outside the one-year limitation. Further, cases that would have once excluded claims under 15(c) and 15(d) due to the one-year limitation may now be expanded to include such claims. Litigation under the expanded statute of limitations may be costlier given the likely increase in claims. Additionally, because damages accrue per violation under each claim, defendants may see damages increase significantly. 

Reduce Liability Through Transparency

Organizations contemplating the use of biometric technologies for personnel management should be thoughtful about transparency in their implementation, for example by (i) providing employees with the opportunity to consent to biometric data capture, and (ii) publishing a robust privacy policy that outlines the use and retention of their biometric information. A majority of the biometric litigation filed over the past two years have largely been based on the issue of notice and organizations can significantly mitigate their risk by establishing a culture of transparency in their business.

* * *

Crowell & Moring LLP has a robust and highly experienced team advising organizations of all sizes on compliance with biometric privacy laws. Crowell also has an extensive library of resources associated with the Illinois Biometric Privacy Act, including:

A Statute of Limitations for BIPA Claims? We May be One Step Closer

Ninth Circuit Rejects Facebook’s Article III Argument; Biometric Lawsuit Will Proceed

Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

[1] Tims et al. v. Black Horse Carriers Inc., case number 127801, at 10.

[2] Id.

[3] Tims v. Black Horse Carriers, Inc., 184 N.E.3d 466 (2021).

[4] 740 ILCS 14/15.

[5] 740 ILCS 14/20.

[6] Id.

[7] Id.

[8] Tims et al. v. Black Horse Carriers Inc., case number 127801.

[9] Id at 5.

[10] Id at 11.

[11] Id at 13.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey L. Poston Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years…

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Read more about Jeffrey L. Poston
Show more Show less
Photo of Jason Stiehl Jason Stiehl

Balance and comprehension are Jason Stiehl’s strengths. Splitting his practice between class action defense and trade secret protection, Jason immerses himself in the business of his clients. With a depth of understanding and appreciation for the risks and growth strategies in his clients’…

Balance and comprehension are Jason Stiehl’s strengths. Splitting his practice between class action defense and trade secret protection, Jason immerses himself in the business of his clients. With a depth of understanding and appreciation for the risks and growth strategies in his clients’ markets, he defends the assets and brands most valuable to his clients before trouble strikes.

Jason is a partner in Crowell & Moring’s Chicago office, where he is a member of the firm’s Litigation and Technology and Brand Protection groups. Jason is an experienced trial lawyer with a nationwide practice in federal and state courts focusing on complex litigation, consumer class actions, and advertising disputes. He serves clients in the retail, food and beverage, pharmaceutical and medical equipment, advertising, and technology sectors defending allegations related to consumer fraud, false labeling and deceptive practices, and Lanham Act violations. As a leading consumer class action defense lawyer, Jason also defends clients in matters involving the regulatory alphabet soup. His experience includes defense and counseling regarding the Illinois Biometric Information Privacy Act and the Telephone Consumer Protection Act and navigating the myriad varying state consumer protection statutes, including California’s Legal Remedies Act and the California Consumer Privacy Act.

Read more about Jason Stiehl
Show more Show less
Photo of Laura Foggan Laura Foggan

Laura Foggan is a partner in Crowell & Moring’s Washington, D.C. office, and chair of the firm’s Insurance/Reinsurance Group. She has been described by LawDragon 500 Magazine as “one of the most successful advocates for the insurance industry to ever practice.” Laura was…

Laura Foggan is a partner in Crowell & Moring’s Washington, D.C. office, and chair of the firm’s Insurance/Reinsurance Group. She has been described by LawDragon 500 Magazine as “one of the most successful advocates for the insurance industry to ever practice.” Laura was recently recognized as a Global Elite Thought Leader for Insurance & Reinsurance by Who’s Who Legal (2019), who praised her as a “dynamic and creative thinker” who has “very high standards and delivers superior work.” She is a Chambers-ranked Band 1 practitioner and included in the Best Lawyers in America directory, and consistently named one of Washington D.C.’s “Top 100 Lawyers” and “Top 50 Women Lawyers” and a “Super Lawyer” for Insurance Coverage by Super Lawyers Magazine. Laura represents clients in a variety of litigation and counseling matters.

Read more about Laura Foggan
Show more Show less
Photo of Garylene “Gage” Javier Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage practices focuses on privacy, data security, and consumer protection, assisting financial services clients overcome regulatory challenges and achieve their business goals. Gage assists clients concerns that…

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage practices focuses on privacy, data security, and consumer protection, assisting financial services clients overcome regulatory challenges and achieve their business goals. Gage assists clients concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).

Read more about Garylene “Gage” Javier
Show more Show less
Photo of Alexis Ward Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.

Read more about Alexis Ward
Show more Show less
Related Posts
Illinois High Court Rules Every Collection or Disclosure is a Separate BIPA Violation
February 23, 2023