illustration of various biometric information sourcesIllinois’ Biometric Information Privacy Act (BIPA) establishes safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data. 740 ILCS 14/15. Passed in October 2008, BIPA is intended to protect a person’s unique biological traits – the data encompassed in a person’s fingerprint, voice print, retinal scan, or facial geometry. Id. But in the last few years, BIPA – with its statutory penalties of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation – has quickly become the bane of corporate defendants. The situation became even worse after the Illinois Supreme Court’s Rosenbach decision. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186. In Rosenbach, the Court held that a “violation [of the statute], in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” Id. at ¶33 (emphasis added). In other words, a bare statutory violation confers standing on a BIPA plaintiff. See id.

The Supreme Court’s ruling has, predictably, spurred additional litigation asserting bare violations of the statute. Hundreds of lawsuits have now been filed following the January 2019 decision, with almost all of the lawsuits brought as class actions. The lack of standing had been a key argument for defendants facing BIPA lawsuits. With that argument now foreclosed, corporate defendants are pinning their hopes on four cases that are currently pending before state and federal appellate courts in Illinois.

Which Statute of Limitations Applies to BIPA?

BIPA itself does not include a statute of limitations. Stauffer v. Innovative Heights Fairview Heights, LLC, 480 F. Supp. 3d 888, 904 (S.D. Ill. 2020).[1] When a statute does not delineate its limitations period, the limitations period is five years – unless there is statute of limitations that is “more specifically applicable.” Id. (citing 735 ILCS 5/13-205). On the other hand, invasion of privacy claims come with a one-year statute of limitations. Id. (citing 735 ILCS 5/13-201). And because BIPA is, fundamentally, a privacy statute, the argument is that BIPA should be subject to a one-year limitations period. See id. (summarizing the argument). Statutes that carry a statutory penalty come with a two-year statute of limitations. Meegan v. NFI Indus., Inc., No. 20-CV-465, 2020 WL 3000281, at *4 (N.D. Ill. June 4, 2020) (citing 735 ILCS 5/13-202). And because almost all BIPA actions claim the statutory damage amount (rather than seeking actual damages), the argument is that BIPA should be subject to a two-year limitations period. See id. (summarizing the argument).

To date, both the federal courts and the Illinois trial courts have concluded that BIPA is subject to the five-year catchall limitations period. See, e.g., Stauffer, 480 F. Supp. 3d at 905; Meegan v. NFI Indus., Inc., 2020 WL 3000281, at *4; Robertson v. Hostmark Hospitality Group, Inc., 2019 WL 8640568, at *4 (Ill. Cir. Ct. Chan. Div. July 31, 2019). Clarity may be coming soon, however. Two cases – Tims v. Black Horse Carriers, Inc., No. 1-20-0562, and Marion v. Ring Container Techs., LLC, No. 3-20-0184 – are currently pending before the Illinois Court of Appeals. See Herron v. Gold Standard Baking, Inc., No. 20-CV-07469, 2021 WL 1340804, at *2 (N.D. Ill. Apr. 9, 2021). Tims and Marion could each soon decide “whether BIPA claims are [] subject to a one-, two-, or five-year statute of limitations.” Id.

When Does BIPA Statute of Limitations Begin

A related issue is also pending before the U.S. Court of Appeals for the Seventh Circuit. See In Re: White Castle System, Inc., No. 20-8029 (7th Cir. Nov. 9, 2020). In November 2020, the Seventh Circuit accepted an interlocutory appeal, where the “controlling question . . . is whether a private entity violates BIPA only when it first collects or discloses an individual’s biometric data without making the required disclosures, or whether a violation occurs each time the entity collects or discloses the data.” Herron, 2021 WL 1340804, at *4 (citing In Re: White Castle System, Inc.). The court’s ruling in White Castle System could bar many pending claims as stale and beyond the statute of limitations if Tims and Marion conclude that a one-year or two-year statute of limitations applies. See id.

Is BIPA Pre-Empted by Illinois Workers’ Compensation Act?

Finally, the Illinois Supreme Court is poised to decide whether “BIPA claims brought by employees against their employers are preempted by the Illinois Workers’ Compensation Act (“IWCA”), 820 ILCS 305/1. See McDonald v. Symphony Bronzeville Park, LLC, No. 126511. McDonald – like In Re: White Castle System, Tims, and Marion – has the potential to upend the current BIPA landscape. The vast majority of BIPA claims have been brought by employees against their employers for the use of biometric time-keeping devices. A finding that employees’ BIPA claims are preempted could wipe out hundreds of pending lawsuits. At least one federal court believes this is an unlikely outcome. Herron, 2021 WL 1340804, at *2. In Herron, the court refused to stay the case based on McDonald, finding that the Illinois Court of Appeals had “already ruled that the IWCA does not preempt BIPA claims brought by employees” and that “nearly every state and federal court to consider the question” had reached a similar conclusion. Id.

The Takeaway

McDonald seems unlikely to offer corporate defendants the preemption panacea they are hoping for. However, Tims, Marion, and White Castle System have the potential to ease some of the current crush of BIPA litigation.

[1] Disclosure: the author is counsel of record for Innovative Heights Fairview Heights, LLC.

 

 

The post Four Appellate Decisions Could Alter the Current Landscape for Claims Under Illinois’ Biometric Information Privacy Act (BIPA) appeared first on HeplerBroom Blog.