What is the Appropriate Statute of Limitations Period for BIPA Claims?

This article was originally published in Cybersecurity Law & Strategy Newsletter. Any opinions in this article are not those of Winston & Strawn or its clients. The opinions in this article are the author’s opinions only. 

Over the past three years, one of the hottest class action litigation trends in the United States has been Illinois’ Biometric Information Privacy Act (BIPA) 740 ILCS 14/1 et seq. BIPA requires entities that collect biometric information or identifiers to obtain prior written consent, provide notice of biometric privacy practices, and maintain reasonable security features to protect any collected data. Although BIPA was enacted in 2008, the law went largely unnoticed until 2016, leading many companies to unknowingly operate outside of strict compliance with the law for nearly a decade. Unfortunately, this could be a costly mistake, as BIPA provides a private right of action as well as statutory damages of up to $5,000 per violation.

At the same time, in a perfect storm for plaintiffs’ attorneys, the use of biometric information grew exponentially. Aside from high-tech uses for biometric information, such as the facial recognition technology at issue in the Ninth Circuit’s recent decision in Patel v. Facebook Inc., 932 F.3d 1264 (9th Cir. 2019), employers increasingly implemented biometric finger or hand print scanners to track their employees’ attendance and hours. The increased use of biometric information combined with the plaintiffs’ bar’s discovery of a long-neglected privacy statute with a private right of action has resulted in hundreds class action lawsuits under BIPA in the last three years. The lion’s share of these lawsuits have been brought by hourly employees against their employers, or ex-employers.

The BIPA compliance lag has led companies using or collecting biometric information to consider how far back their liability may extend. The Illinois General Assembly, however, did not include an explicit statute of limitations period in BIPA, nor do claims brought under the law fit nicely into one of Illinois’ prescribed statutory periods. As a result, the statute of limitations has become one of BIPA’s primary battlegrounds as litigants argue about potential class sizes and damages awards.

Read the full Cybersecurity Law & Strategy article to learn more about the statute of limitations period for BIPA claims.