Illinois’ Biometric Information Privacy Act (“BIPA”) regulates companies that obtain, use, store, sell, and disclose the biometric data of Illinois residents.  Companies that fall under BIPA must provide notice to and receive consent from Illinois residents before obtaining their biometric data, and must take reasonable care that the biometric data remains secure.  In addition, BIPA includes a private right of action, and if a regulated company fails to comply with its provisions, statutory damages can be as high as $5,000 for each violation.  BIPA litigation is active in Illinois State Court and in Federal Courts across the United States.

A sticking point for litigants has been the statute of limitations for a party to bring a BIPA claim.  BIPA does not include its own statute of limitations.  Generally speaking, plaintiffs have argued that a longer limitations period applies, such as the five-year limitations period under section 13-205 of Illinois’ Code of Civil Procedure.  And generally speaking, defendants have argued that a shorter limitations period applies, like the one-year period under section 13-201 of the Code of Civil Procedure.

Clearer guidance on the correct statute of limitations for BIPA claims will allow companies to better manage both their biometric data and their liability risks.

In September, an Illinois appellate court split the baby:  It held that “section 13-201 governs actions under section 15(c) and (d) of the Act, and section 13-205 governs actions under section 15(a), (b), and (e) of the Act.”  Sections 15(c) and 15(d) govern the sale and disclosure of biometric data, sections 15(b) and (e) govern the collection and storage of biometric data, and section 15(a) governs written policies on and the destruction of biometric data.

Just last week, on January 26, 2022, the Illinois Supreme Court granted a petition for leave to appeal this case.  It is a small step, but hopefully one step closer to the Illinois Supreme Court resolving once and for all what statute of limitations governs BIPA.

We are available to answer your BIPA questions and are continuing to monitor BIPA developments.

Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Jarno Vanto

Jarno Vanto (CIPP/E, CIPP/US) is a partner in the Privacy & Cybersecurity Group in Crowell & Moring’s New York office. With an extensive understanding of the complex international regulatory environment and cross-industry technologies, he provides a differentiated global perspective to clients on personal information privacy, cybersecurity, technology transactions, and corporate matters.

With a keen understanding of client risk level and risk tolerance, he partners with clients to help them achieve their business goals and provides a range of legal services, including privacy and cybersecurity compliance counseling, complex cross-border and domestic technology and data transactions, data and software licensing, other technology and data transfer agreements, as well as regulatory investigations involving personal information.

Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University of California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. Jacob was exposed to and provided support in a variety of complex substantive and procedural legal topics during the clerkship, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.

Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US, is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage’s practice focuses on privacy, data security, and consumer protection, helping financial services clients overcome regulatory challenges and achieve their business goals. Gage assists clients with concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).