Victims of BIPA Violations Have Five Years to File Suit
(February 7, 2023) Persons who believe their biometric information was wrongly collected or retained have five years to assert a claim under the Biometric Information Privacy Act (“BIPA”), the Illinois Supreme Court found.
The court found that, while unlawfully collecting or retaining biometric information may violate a person’s privacy, which normally would have a one-year deadline to bring the case, the proper statute of limitations for filing a BIPA case is governed by the state’s general limitations provisions giving a plaintiff five years. BIPA does not contain its own limitations period.
BIPA is one of the nation’s most stringent statutes regarding biometric information. BIPA provides a private right of action against improper collection, use, and retention of biometric information, which includes any information “based on an individual’s biometric identifier used to identify an individual” such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
The case before the Supreme Court was brought by an employee of Black Horse Carriers, Inc., a trucking company that required employees to use a fingerprint authentication time clock. The employee alleged that the company failed to provide notice that fingerprints were being collected and retained and that the company failed to obtain the employee’s consent. The company moved to dismiss the claim, arguing that the lawsuit actually was for a violation of the right of privacy that is restricted by the one-year statute of limitations.
Looking to the Legislature’s intent when it passed BIPA, the court found in “light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.”
In addition, the court said that while some privacy actions for libel and slander are subject to short limitations period because aggrieved individuals can quickly be apprised of the injury, the full ramifications of harms associated with biometric technology are unknown. Absent BIPA’s protections, “it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation” of BIPA. Therefore, it is appropriate to allow an aggrieved party under BIPA “sufficient time to discover the violation and take action.”
Jorome Tims v. Black Horse Carriers, Inc., Docket No.127801, filed February 2, 2023.