By Moiré Morón, VP, Advocacy and Technical
Key Points on BIPA
- First, BIPA provides a private right of action to any individual who is aggrieved.
- Second, BIPA claims are usually brought as class actions, with a large share of lawsuits brought by employees against employers arising out of the use of fingerprint time-keeping policies, widely used in retail and hospitality.
- Third, BIPA is effectively a strict liability statute. This means that any violation, whether negligent or reckless, automatically results in stringent statutory penalties of $1,000 for every negligent violation, and $5,000 for every reckless violation.
In Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court recently established that a five-year statute of limitations period applies to claims filed under the Biometric Information Privacy Act (BIPA). With this ruling, the Court resolved the hotly contested issue of which statute of limitations period applies to claims filed under BIPA: the one-year period under the Code of Civil Procedure’s Section 13-201, or the five-year period under Section 13-205.
This decision has significant legal and financial implications for employers, as plaintiffs now have an extended limitations period within which to file class actions. This will result in a continued upward trajectory of class actions.
Minimizing Liability for Biometric Information
Importantly, management liability policies commonly exclude BIPA claims, often including broad exclusions, so any exposure will be the sole responsibility of the employer. That can result in a detrimental blow to a company’s financial operations. In light of this uninsurable exposure, companies should:
- Carefully review current biometric collection policies, ensuring strict compliance with the statute. It is recommended that experts be retained to assist with the audit.
- Ensure that biometric collection, use, and destruction policies are clearly written and communicated to all employees.
- Review whether employees’ consents were received and obtain, as necessary. When in doubt, do not do without. A post factum review may not prevent a lawsuit, but it could potentially reduce the number of litigations and liability by eliminating any issues before they can arise and cause substantial harm.
- Establish and utilize reasonable safety precautions for the protection of collected and stored biometric information.
- Ensure that any vendors providing biometric collection technology are also in compliance. They are often named as co-defendants in litigation.
Ultimately, the Tims case is just the latest in an ongoing trend. As such, we should expect these types of suits to remain popular and plan accordingly. Understanding how these actions are interpreted and addressed by the courts is a key first step.
The Court Proceedings
Circuit Court
In Tims, plaintiffs Jorome Tims and Isaac Watson filed a class action complaint against their former employer, Black Horse Carriers, Inc. (Black Horse). The complaint alleged that Black Horse had violated sections 15(a), (b) and (d) of BIPA, which provide for the retention and deletion of biometric information, and for the consensual collection and disclosure of biometric identifiers and information when it scanned employees’ fingerprints.
Black Horse moved to dismiss the complaint as untimely under section 13-201 of the Code of Civil Procedure, arguing that claims brought under BIPA concern privacy violations, and therefore, the one-year statute of limitations codified in Section 13-201 of the Code should apply to those privacy claims. Black Horse further argued that Section 13-201 governs actions for the “publication of matter violating the right of privacy.”
Tims rebutted, first conceding that while BIPA is in fact a privacy statute, the five-year catchall limitations period codified in Section 13-205 of the Code should apply, because the one-year limitations period only applies to violations of privacy claims where “publication” is an element of the cause of action. Tims argued that because violations of BIPA do not involve the publication of biometric data, the one-year statute of limitations should apply. The circuit court denied Black Horse’s motion to dismiss and subsequent motion to reconsider, but certified the issue for appeal.
Appellate Court
On appeal, the appellate court did little to resolve the issue, but gave both sides a nod.
The court held that a one-year statute of limitations per Section 13-201 applies to claims brought under Sections 15(c) and 15(d). These sections prohibit “profiting” from the sale, lease or trade of biometric data and the disclosure, redisclosure or dissemination of biometric data, respectively.
They also held that a five-year statute of limitations period under Section 13-205 applies to actions brought under Sections 15(a) (requiring entities to develop and publicly disclose a retention schedule and guidelines for the destruction of biometric data), 15(b) (requiring entities to provide written notice and obtain consent prior to collecting biometric data) and 15(e) (regulates the proper storage, transmission and protection of collected biometric data).
Ultimately, the case was remanded to the circuit court, and Black Horse thereafter appealed the appellate court’s decision to the Illinois Supreme Court.
Illinois Supreme Court
On appeal, the Illinois Supreme Court unequivocally held that the Section 13-205 five-year statute of limitations period applies to all claims brought under BIPA . In so holding, the Court considered the plain language of Section 15 of BIPA, legislative intent, the purpose of the statute, and the fact that there is no limitations period in BIPA.
The Court agreed that Sections 15(a), (b), and (e) did not involve publication, but acknowledged that the language in Sections 15(c) and (d) could arguably be interpreted as such. However, the Court determined that “[o]ne of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice.” Because of that, “applying two different limitations periods or time-bar standards to different subsections of 15 the [Biometric Information Privacy] Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.”
The Future of BIPA Litigation
While BIPA was initially enacted in 2008, it was dormant until approximately 2015. Claims under it later skyrocketed with the 2019 Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corporation, et al., 2019 IL 123186 (Ill. 2019), and subsequent rulings. BIPA class actions have continued to gain in popularity among plaintiffs’ attorneys, largely because of the guaranteed million-dollar settlements and exorbitant defense fees and costs associated with such claims. Employers hoping to minimize their financial risk should tread carefully as they work with employee biometric information moving forward.
Download Full PDF