What Is the Appropriate Statute of Limitations Period for BIPA Claims?

At the same time, in a perfect storm for plaintiffs' attorneys, the use of biometric information grew exponentially. Aside from high-tech uses for biometric information, such as the facial recognition technology at issue in the Ninth Circuit's recent decision in Patel v. Facebook Inc., 932 F.3d 1264 (9th Cir. 2019), employers increasingly implemented biometric finger or hand print scanners to track their employees' attendance and hours. The increased use of biometric information combined with the plaintiffs' bar's discovery of a long-neglected privacy statute with a private right of action has resulted in hundreds class action lawsuits under BIPA in the last three years. The lion's share of these lawsuits have been brought by hourly employees against their employers, or ex-employers.

The BIPA compliance lag has led companies using or collecting biometric information to consider how far back their liability may extend. The Illinois General Assembly, however, did not include an explicit statute of limitations period in BIPA, nor do claims brought under the law fit nicely into one of Illinois' prescribed statutory periods. As a result, the statute of limitations has become one of BIPA's primary battlegrounds as litigants argue about potential class sizes and damages awards.

Possible Statutory Periods

Where a statute does not prescribe a statute of limitations period, Illinois has several default statutory limitations periods. Of these, several are arguably applicable to BIPA. Of course, plaintiffs' and defendants' views differ significantly about which statute applies, with defendants pushing for a one- or two-year period and plaintiffs seeking five years. The three limitations periods most often cited by litigants are:

• One-Year (Privacy Actions): 735 ILCS 5/13-201 provides a one-year limitation period for "[a]ctions for slander, libel, or for publication of matter violating the right to privacy …." The typical argument for applying a one-year statute of limitations is that, at its heart, BIPA is a privacy law. The law is primarily concerned with protecting individuals' personal information, and dissemination of an individual's biometric information to a third party is a violation of BIPA without the individual's consent. On the other hand, the plaintiffs' bar has argued that while the improper disclosure or publication of biometric information may give rise to a cause of action under BIPA, there is no prerequisite for such a dissemination in order to bring a claim. Moreover, plaintiffs argue that there is a uniformity interest in applying a single limitations period for all BIPA claims rather than parsing out the limitations period based on whether a particular claim involved publication.
• Two-Year (Personal Injury/Penal Statutes): 735 ILCS 5/13-202 provides a two-year limitations period for "[a]ctions for damages for an injury to the person, … or for a statutory penalty …." Several litigants have argued that applying the two-year period is appropriate as BIPA provides for statutory damages for each violation of the law. Illinois case law defines statutory penalties as a penalty that subjects one person to the payment of a sum of money to another without reference to any actual injury and without requiring him to allege or prove an actual injury. That definition applies to instances where a BIPA plaintiff seeks the statutorily prescribed liquidated damages. However, plaintiffs argue that while the vast majority of BIPA complaints seek the statutory penalty, the law allows plaintiffs to alternatively plead actual damages in instances they exceed the statutory penalty. Thus, BIPA does not award statutory damages in every instance and, according to the plaintiffs' bar, these exceptions invalidate the application of the two-year limitations period.
• Five-Year (Catch-All): 735 ILCS 5/13-205 provides a catch-all limitation period of five years for "all civil actions not otherwise provided for." The five-year limitations period applies where no other period is applicable. Thus, in the event that a court is not convinced by arguments regarding the applicability of one the specific limitations period provided for by Illinois law, BIPA could be subject to a default five-year statute of limitations.

In addition to the three limitations periods cited above which litigants have focused on to date, there could be an additional argument that the three-year statute of limitations period used by the Consumer Fraud and Deceptive Business Practices Act (CFA), 815 ILCS 505/1 et seq., could be applied to BIPA. The CFA serves as Illinois' primary consumer protection statute and a violation of several privacy laws (e.g., the Student Online Personal Protection Act and the Personal Information Privacy Act) constitutes a violation of the CFA. In addition, BIPA uses a three-year record retention period, which aligns with the CFA's limitations period. However, the potential counter argument is that, unlike the laws listed above, a violation of BIPA does not constitute a violation of the CFA and there is no direct link between the laws other than that they both are designed to protect individuals' privacy rights.

Case Law So Far

BIPA case law is, in many ways, still in its infancy. Until January 2019, most decisions focused on interpreting BIPA's private right of action, which allows "aggrieved" individuals to bring suit. Defendants argued that this standard required plaintiffs to demonstrate some type of actual harm (e.g., identity theft) beyond a technical violation of the law (e.g., neglecting to obtain the required consent). However, in January 2019, the Illinois Supreme Court disagreed. In Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (Ill. 2019), the court held that a technical violation of BIPA was enough to state a claim under BIPA.