On February 2, 2023, the Illinois Supreme Court held in a unanimous opinion that individuals have five years after an alleged violation to bring claims under the state’s Biometric Information Privacy Act (BIPA). This ruling raises the potential compliance risk associated with BIPA even more, as not only do companies have to worry about the law’s private right of action and statutory damages but also have to account for an extended statute of limitations period.
Companies that have not been BIPA-compliant for all of the past five years should take note that there may be some BIPA-related litigation risk that they had not previously accounted for if they had assumed a one-year statute of limitations. This risk can be quite substantial given that BIPA allows up to a $5,000 penalty per violation. For example, in October 2022, a jury awarded a class of over 45,000 truck drivers a $228 million judgment against BNSF Railway Co. for collecting—through a third-party vendor—the truck drivers’ fingerprints without proper consent in violation of BIPA.
Businesses that collect and process biometric information (particularly of Illinois residents) should review their notice and consent processes to ensure that they align with BIPA. Companies should also be aware of laws in other states that regulate the use of biometric information. For example, a number of the comprehensive state privacy laws that are in effect or will go into effect in 2023 (such as in California and Colorado) regulate biometrics as “sensitive” information. Additionally, a number of states have proposed biometric laws that are similar to BIPA, including proposals that also include a private right of action.
We have provided additional background on BIPA and the relevant case in this blog post, as well as other key considerations that businesses should be aware of when processing biometric data pursuant to BIPA. We are happy to answer any questions you may have on these issues.
The underlying case addressed by the Illinois Supreme Court, Tims v. Black Horse Carriers, Inc., is a class-action against an employer—Black Horse—alleging violations of sections 15(a), 15(b), and 15(d) of BIPA based on Black Horse’s use of a fingerprint-based system for employees to clock-in and clock-out. Through a series of immediate appeals at the motion to dismiss stage, the certified question before the Illinois Supreme Court was whether the BIPA claims were governed by the one-year limitations period of section 13-201 of the Code of Civil Procedure (Code) (735 ILCS 5/13-201 (West 2018)) or the five-year limitations period of section 13-205 of the Code.
BIPA-related damages risks may become even greater depending on the outcome of another case with a certified question pending before the Illinois Supreme Court, Cothron v. White Castle System Inc., Ill. In Cothron, the court will decide whether each scan or transmission of a person’s biometric identifier—like an employee’s fingerprint—constitutes a separate BIPA violation or whether only the first scan and transmission count.