Illinois Supreme Court Shifts BIPA Landscape with 5-Year Limitations Period Applicable to All Claims


thumb print

By Pat Eckler, Amy Frantz, Glenn Klinger, Michael Sanders, and Jonathan Schwartz

Finding all claims under Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”), subject to a five-year statute of limitations, the Illinois Supreme Court’s February 2, 2023 Opinion in Tims v. Black Horse Carriers, Inc., 2023 IL 127801 continues the assault on Illinois’ business climate.  Insurers should be keenly aware of this ruling because it allows five years of alleged BIPA violations premised upon an alleged “publication” of biometric information to be included in the wave of class action lawsuits that already have clogged Illinois courts.  As a result, multiple insurers and insurance policies will find themselves in every class action lawyer’s crosshairs. 

BIPA, the first state statute of its kind, regulates the collection, use, safeguarding, handling, storage, retention, and destruction of “biometric identifiers” (e.g., retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) and “biometric information” (e.g., any information converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual).  Reasoning that the “full ramifications” of biometric technology were unknown, and the public should be shielded from improper collection, use, safeguarding, handling, storage, retention, and destruction of biometric data, BIPA was enacted to regulate and/or require:  the establishment, maintenance, and adherence to a retention schedule and guidelines for destroying collected biometrics (740 ILCS 14/15(a)); entities to provide notice and obtain written consent before collecting or storing biometrics (Id. § 15(b)); the selling or otherwise profiting from collected biometric information (Id. § 15(c)); the disclosure or dissemination of biometric information without consent (Id. § 15(d)); and the proper storage and protection of collected biometric information (Id. § 15(e)). 

Despite the “extensive consideration the General Assembly gave to the fears of and risks to the public” observed by the Black Horse Court, the legislature failed to include a statute of limitations.  Court battles over whether a one-year or five-year limitations period applied thus ensued. 

Before the Illinois Supreme Court’s Opinion, the Illinois Appellate Court, First District, held that the five-year limitations period codified at 735 ILCS 5/13-205 (the catch-all statutory provision stating that, “… all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”) applied to subsections 15(a), 15(b), and 15(e).  Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563.  The Appellate Court found that the one-year limitations period in 735 ILCS 5/13-201 (“[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.”) (emphasis added) applied to claims under subsection 15(d), however, because “publication or disclosure of biometric data is clearly an element of an action under section 15(d) … which is violated by disclosing or otherwise disseminating such data absent specified prerequisites such as consent or a court order.”  

Like the Appellate Court, the Illinois Supreme Court observed that the one-year limitations period could logically apply to claims under subsections (c) and (d); yet, it still decided to apply the five-year catch-all period to all claims under BIPA.  The Court reasoned that the purpose of limitations periods is to reduce uncertainty and create finality and predictability in legal actions, and thus, there must be a single limitations period for each statute.  Moreover, concluding that the “the full ramifications of the harms associated with biometric technology is unknown,” the Court held that claimants must be allowed more time, not less time, to discover BIPA violations.  

What’s Next? 

An anomalous statute in that it provides a private cause of action for individuals who are not actually injured due to its violation, the Black Horse Opinion significantly increases the potential exposure of businesses subject to BIPA, and consequently, their insurers.  That insurers are now potentially on the risk for five years for claims under subsection 15(d) also does little to provide certainty and create finality in BIPA lawsuits because, for example, questions like when BIPA claims accrue or how damages for violations are calculated remain unresolved – not to mention the myriad coverage questions that still must be decided by the Illinois appellate courts. 

This means that the anticipated decision in Cothron v. White Castle is of great importance so businesses and insurers may assess their potential exposure.  In Cothron, the Illinois Supreme Court will grapple with whether claims under subsections 15(b) and 15(d) accrue each time a private entity scans an individual’s biometric identifier and each time a private entity transmits the scan to a third party, or only upon the first scan and first transmission.  With the limitations period now unmistakably five years, if it is decided that a claim accrues each time a violative scan or violative transmission occurs, insurers’ potential exposure is exponentially higher than if a claim accrues only upon the first violative scan or first violative transmission.  We will continue to monitor and report on the shifting BIPA landscape and its impact on insurers, and what insurers can do to limit or lessen exposure.   

On that note, while the Black Horse Opinion necessarily creates more uncertainty for insurers, and in turn, more coverage litigation, the saving grace for insurers is that their duty to indemnify claims under 15(d) for unauthorized disclosure of biometric information hinges upon the actual unauthorized disclosure of class members’ biometrics to third parties during the relevant policy period.  It will therefore become significant for insurers and their counsel to investigate whether and when any unauthorized disclosures took place to properly allocate any indemnity to the correct policies.  Plus, insurers should still be able to rely on multiple, potentially dispositive exclusions commonly found in insurance policies.  Therefore, the key to curtailing the wave of BIPA litigation is for the courts to recognize that the standard policy exclusions preclude coverage for BIPA claims. 

If you have questions about data breach reporting requirements, please contact your FMG attorney for more information.