Biometric Data

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

Over the past three years, one of the hottest class action litigation trends in the United States has been Illinois' Biometric Information Privacy Act (BIPA). BIPA requires entities that collect biometric information or identifiers to obtain prior written consent, provide notice of biometric privacy practices, and maintain reasonable security features to protect any collected data. Although BIPA was enacted in 2008, the law went largely unnoticed until 2016, leading many companies to unknowingly operate outside of strict compliance with the law for nearly a decade. Unfortunately, this could be a costly mistake, as BIPA provides a private right of action as well as statutory damages of up to $5,000 per violation.

At the same time, in a perfect storm for plaintiffs' attorneys, the use of biometric information grew exponentially. Aside from high-tech uses for biometric information, such as the facial recognition technology at issue in the Ninth Circuit's recent decision in Patel v. Facebook Inc., employers increasingly implemented biometric finger or hand print scanners to track their employees' attendance and hours. The increased use of biometric information combined with the plaintiffs' bar's discovery of a long-neglected privacy statute with a private right of action has resulted in hundreds class action lawsuits under BIPA in the last three years. The lion's share of these lawsuits have been brought by hourly employees against their employers, or ex-employers.

The BIPA compliance lag has led companies using or collecting biometric information to consider how far back their liability may extend. The Illinois General Assembly, however, did not include an explicit statute of limitations period in BIPA, nor do claims brought under the law fit nicely into one of Illinois' prescribed statutory periods. As a result, the statute of limitations has become one of BIPA's primary battlegrounds as litigants argue about potential class sizes and damages awards.

|

Possible Statutory Periods

Where a statute does not prescribe a statute of limitations period, Illinois has several default statutory limitations periods. Of these, several are arguably applicable to BIPA. Of course, plaintiffs' and defendants' views differ significantly about which statute applies, with defendants pushing for a one- or two-year period and plaintiffs seeking five years. The three limitations periods most often cited by litigants are:

One-Year (Privacy Actions): 735 ILCS 5/13-201 provides a one-year limitation period for "[a]ctions for slander, libel, or for publication of matter violating the right to privacy …." The typical argument for applying a one-year statute of limitations is that, at its heart, BIPA is a privacy law. The law is primarily concerned with protecting individuals' personal information, and dissemination of an individual's biometric information to a third party is a violation of BIPA without the individual's consent. On the other hand, the plaintiffs' bar has argued that while the improper disclosure or publication of biometric information may give rise to a cause of action under BIPA, there is no prerequisite for such a dissemination in order to bring a claim. Moreover, plaintiffs argue that there is a uniformity interest in applying a single limitations period for all BIPA claims rather than parsing out the limitations period based on whether a particular claim involved publication.

Two-Year (Personal Injury/Penal Statutes): 735 ILCS 5/13-202 provides a two-year limitations period for "[a]ctions for damages for an injury to the person, … or for a statutory penalty …." Several litigants have argued that applying the two-year period is appropriate as BIPA provides for statutory damages for each violation of the law. Illinois case law defines statutory penalties as a penalty that subjects one person to the payment of a sum of money to another without reference to any actual injury and without requiring him to allege or prove an actual injury. That definition applies to instances where a BIPA plaintiff seeks the statutorily prescribed liquidated damages. However, plaintiffs argue that while the vast majority of BIPA complaints seek the statutory penalty, the law allows plaintiffs to alternatively plead actual damages in instances they exceed the statutory penalty. Thus, BIPA does not award statutory damages in every instance and, according to the plaintiffs' bar, these exceptions invalidate the application of the two-year limitations period.

Five-Year (Catch-All): 735 ILCS 5/13-205 provides a catch-all limitation period of five years for "all civil actions not otherwise provided for." The five-year limitations period applies where no other period is applicable. Thus, in the event that a court is not convinced by arguments regarding the applicability of one the specific limitations period provided for by Illinois law, BIPA could be subject to a default five-year statute of limitations.

In addition to the three limitations periods cited above which litigants have focused on to date, there could be an additional argument that the three-year statute of limitations period used by the Consumer Fraud and Deceptive Business Practices Act (CFA) could be applied to BIPA. The CFA serves as Illinois' primary consumer protection statute and a violation of several privacy laws (e.g., the Student Online Personal Protection Act and the Personal Information Privacy Act) constitutes a violation of the CFA. In addition, BIPA uses a three-year record retention period, which aligns with the CFA's limitations period. However, the potential counter argument is that, unlike the laws listed above, a violation of BIPA does not constitute a violation of the CFA and there is no direct link between the laws other than that they both are designed to protect individuals' privacy rights.

|

Case Law So Far

BIPA case law is, in many ways, still in its infancy. Until January 2019, most decisions focused on interpreting BIPA's private right of action, which allows "aggrieved" individuals to bring suit. Defendants argued that this standard required plaintiffs to demonstrate some type of actual harm (e.g., identity theft) beyond a technical violation of the law (e.g., neglecting to obtain the required consent). However, in January 2019, the Illinois Supreme Court disagreed. In Rosenbach v. Six Flags Entertainment Corporation, the court held that a technical violation of BIPA was enough to state a claim under BIPA.

Rosenbach opened the BIPA floodgates, with scores of class actions filed in the subsequent months as a major pleading hurdle for plaintiffs was removed. And with that procedural fight taken care of, other legal issues rose to the forefront as parties were able to proceed further into litigation. One of the main questions related to how courts would treat the statute of limitations.

We received our first, albeit not definitive, answer to that question in July 2019 when, in Robertson v. Hostmark Hospitality Group, Inc., a Cook County circuit court found that BIPA was subject to a five-year statute of limitations. In a brief memorandum and order, the court went through the potential limitations periods discussed above and concluded that BIPA claims fit none of the specific categories. The court found that the one-year limitation period was inappropriate because, even though the plaintiffs had alleged improper publication of their biometric information, BIPA does not require publication to state a claim. Similarly, the court found the two-year period inapplicable because, while BIPA allows for statutory damages, a plaintiff could seek actual damages instead. In doing so, the court analogized to Illinois case law interpreting the federal statute of limitations period for Telephone Consumer Protection Act (TCPA) claims. 28 U.S.C. §1658(a). The court noted that the TCPA, like BIPA, contains the option for statutory or actual damages and has been treated by Illinois courts as a remedial, rather than penal, statute. In addition, the court concluded that BIPA was a remedial statute because it was intended to "grant remedies for the protection of rights" and protect the public good rather than attempting to fulfill "purely punitive or deterrent goals."

Because the court found that the one- and two-year limitations periods were inapplicable, it applied the five-year catchall statute of limitations.

|

Effect of Robertson

While Robertson is an interesting guidepost in analyzing BIPA's statute of limitation, and is one of the first meaningful decisions we have on that point, it is not the end of the analysis and parties will continue to battle on this point. As an Illinois circuit court decision, Robertson is a persuasive, but not precedential decision, and we expect additional and potentially contradictory interpretations amongst the lower courts until an appellate court weighs in on the matter.

Aside from the impact Robertson may have on litigation itself, defendants should also consider its effect on strategy and internal risk assessment. While Robertson is not binding, it will likely guide plaintiffs' arguments as to why a five-year limitations period is appropriate. In addition, Robertson is likely to affect settlement and mediation negotiations over class size as a guidepost for how Illinois courts might resolve the limitations issue.

|

Conclusion

The appropriate statute of limitations is one of a few key issues being developed in BIPA case law. Organizations that are currently, or have in the past, collecting or storing biometric information should take steps now to ensure that they are in compliance with BIPA. In addition, these organizations or interested parties should continue to monitor developments in the statute of limitations battles, as determining the retroactive reach of BIPA is a critical step in determining the potential liability for a particular BIPA class of plaintiffs.

 

Sean G. Wieber is a partner in the Chicago office of Winston & Strawn LLP and Chair of the Biometric Information Privacy Act (BIPA) and Telephone Consumer Protection Act (TCPA) practices. He can be reached at [email protected]Patrick R. O'Meara is an associate within the Litigation Department of the firm and focuses his practice on complex commercial litigation. Eric J. Shinabarger is a privacy and litigation associate whose practice focuses on privacy counseling, data breach response, and regulatory compliance.