By Gerald L. Maatman, Jr., Thomas E. Ahlering, Alex W. Karasik, and Sarah Bauman

Seyfarth Synopsis: On September 17, 2021, the Illinois Appellate Court issued its highly-anticipated decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), on whether a one-year or five-year statute of limitations period applies to claims under the Biometric Information Privacy Act, 740 ILCS 14/15 (“the BIPA”) The Illinois Appellate Court’s holding was two-fold — a one-year limitations period governs actions brought under sections 15(c) and (d) of the BIPA, while claims under sections 15(a), (b), and (e) are subject to the catch-all five-year limitations period.

The ruling in Tims is sure to be appealed to the Illinois Supreme Court. That being said, it has the potential to be a game-changer for BIPA class action litigation, and likely the plaintiffs’ bar will aggressively push for the five-year statute of limitations when pursing class-wide relief.

Case Background

In March 2019, Plaintiff (“Plaintiff”) filed a class action complaint claiming that Black Horse Carriers, Inc.’s (“Defendant”) timekeeping practices, which involved the scanning and storing of employees’ fingerprints, violated the BIPA.  Id. at ¶ 5.  The first count of the complaint asserted that Defendant violated section 15(a) of the BIPA in failing to institute, maintain, and adhere to a retention schedule for biometric data.  Id. at ¶ 7.  The second and third counts alleged that Defendant violated sections 15(b) and (d), respectively, by obtaining their employees’ biometric data and disclosing it to third-parties without first obtaining their written, informed consent.  Id.  Although Plaintiff did not allege claims under sections 15(c) or (e), those provisions prohibit the sale of a person’s biometric data for a profit (740 ILCS 14/15(c)), and impose a duty of reasonable care in storing and protecting biometric data from disclosure (id. at 14/15(e)).

In June 2019, Defendant filed a motion to dismiss on the ground that Plaintiff filed the complaint outside of the applicable statute of limitations period.  Id. at ¶ 8.  Defendant argued that the one-year limitations period prescribed by 735 ILCS 5/13-201 applied to Plaintiff’s claims because the BIPA’s main concern is privacy protection.  Plaintiff countered that the five-year catch-all limitations period prescribed by 735 ILCS 5/13-205 covered Plaintiff’s claims, in that a “publication element” was required for a claim to be covered by section 13-205 — an element which, according to Plaintiff, the BIPA clearly lacked.  Id. ¶ 9.

In September 2019, the trial court denied the motion to dismiss.  Id. at ¶ 11.  It held that section 13-201 did not apply because Plaintiff alleged a violation of the Act itself, rather than a general violation of privacy.  Id.  As such, the trial court opined that a five-year limitations period applied to Plaintiff’s claims.  Id.  The trial court did not address the issue of when Plaintiff’s claims accrued — upon Plaintiff’s first finger scan vs. Plaintiff’s last finger scan — because the complaint was timely filed under either scenario.  Id. at ¶ 10.

Defendant then sought an appeal to the Illinois Appellate Court for the First District.

The Appellate Court’s Decision

At issue in the appeal was the question of whether a one or five-year statute of limitations period applies to the BIPA.  First, the Appellate Court noted the “sole concern” in determining which limitations period applies was the intent of the legislature.  Id. at ¶ 19.  Given the BIPA’s silence on the issue, the Appellate Court turned to the language of section 13-201, which establishes a one-year limitation period for “[a]ctions for slander, libel, or for publication of matter violating the right of privacy.”  Id. at ¶  20.  Relying on its decision in Benitez v. KFC National Management Co., 305 Ill. App. 3d 1027, 1033 (1999), the Appellate Court explained that Illinois trial courts have recognized two types of privacy interests in the right to privacy — secrecy and seclusion — and held that section 13-201 applies only to those claims premised on the right to secrecy, such as false-light publicity and the appropriation of the name or likeness of another.  Id. at ¶  21.  The Appellate Court also noted the language of section 13-205, which “provides for a five-year limitation period for, in relevant part, ‘all civil actions not otherwise provided for.’”  Id. at ¶ 22.

In addition, the Appellate Court highlighted the various “duties” enforced by the BIPA, citing the Illinois Supreme Court’s landmark decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 1 (2019), which held in pertinent part that a violation of the BIPA causes an individual’s  “biometric privacy [to] vanish[] into thin air.”  Id. at ¶ 25 (citations and quotations omitted).  The Appellate Court reasoned that at this point, “[t]he precise harm the Illinois legislature sought to prevent is then realized.”  Id.

Applying these principles to the question at issue, the Appellate Court concluded that the section 13-201 one-year limitations period covers only privacy actions in which publication is an element or an “inherent part of the action.”  Id. at ¶ 29.  The Appellate Court did not address the legislative history of the BIPA, because it could answer the certified question “based on the relevant statutory language, which is ambiguous.”  Id. at ¶ 35.  Indeed, the Appellate Court reasoned that the legislature did not intend for section 13-201 to include all privacy actions, in that it “would have written something like ‘actions for slander, libel or privacy,’” or used “broad language rather than the narrower ‘for publication.’”  Id.

Accordingly, the Appellate Court found that the section 13-201 one-year statute of limitations governs only those actions brought under sections 15(c) and (d) of the BIPA.  Id. at ¶¶  30, 32.  It explained that the BIPA imposes various duties that are separate and distinct from one another.  Id. at ¶ 30.  While each of the duties set forth under sections (a)-(e) “concern privacy,” the Appellate Court reasoned that a private entity could violate sections (a), (b), or (e) “without having to allege or prove that the defendant . . . published or disclosed any biometric data.”  Id. at ¶  31.  Thus, any such action would not be one “‘for publication of matter violating the right of privacy.’”  Id. (quoting 735 ILCS 5/13-201).

Conversely, the Appellate Court held that the “publication or disclosure of biometric data is clearly an element of an action under” sections 15(c) and (d).  Id. at ¶ 32.  It opined that, to the extent (c) and (d) prohibit the disclosure or sale of biometric data, these sections “entail[] publication, conveyance, or dissemination of such data.”  Id. at ¶ 32.

In sum, the Appellate Court held that a one-year limitations period pursuant to 13-201 governs actions under sections 15(c) and (d) of the BIPA, while a five-year statute of limitations pursuant to section 13-205 applies to sections 15(a), (b), and (e).  Id. at ¶ 35.

Takeaways For Employers

While the ruling in Tims v. Black Horse Carrier has the potential to significantly limit Illinois employers’ liability under the BIPA in some respects, the plaintiffs’ bar will likely use this decision to continue to push for a five-year damages period relative to sections 15(a), (b), and (e).    At the same time, given the stakes at issue, a further appeal to the Illinois Supreme Court is virtually certain. Nonetheless, employers should be extra cautious in their compliance with those requirements that do concern “publicity” — i.e., sections 15(a), (b), and (e).  They should consider establishing policies that enable employees to  give their express, written consent before scanning their fingerprints or otherwise furnishing their biometric data to their employers.  Further, employers should ensure that such biometric data is destroyed upon an employee’s termination or resignation with the company; have a widely-accessible policy regarding the destruction and retention of biometric information; and exercise heightened caution when storing any biometric data within their possession.