The Illinois First District Appellate Court threw employers a curveball when it recently held that different statutes of limitations apply to various sections of Illinois' Biometric Information Privacy Act, 740 ILCS §14/ (“BIPA” or the “Act”). See Tims v. Black Horse Carriers, 2021 IL App (1st) 200563 (Sep. 17, 2021). In addition to allowing aggrieved employees to look back five years for certain BIPA claims, another notable takeaway from the decision was the court's casual observation that, since BIPA can be violated in five different ways, individual plaintiffs suffering multiple violations can recover the statute's liquidated damage penalty ($1,000 for negligent violations or $5,000 for willful violations) for each violation. In other words, an employer that violates multiple sections of BIPA for its workforce could find its exposure doubled, tripled or quadrupled in class action litigation.
In order to put this decision in the proper context, it's important to understand the various ways an employer can violate BIPA. As discussed in a prior alert, BIPA requires certain precautions and affirmative acts for employers that collect, store or use biometric identifiers, such as fingerprints, retinal scans, facial geometry and voice prints. The law is generally applicable and protects consumers the same as it does employees, but it is the use of fingerprint time clocks by employers that has spawned most of the hundreds of BIPA class actions filed in the past several years.
Employer Obligations Under the Illinois Biometric Information Privacy Act
BIPA requires that any employer who collects, stores, or uses the biometric information of its employees must:
- Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric information, which shall include destruction of the information when the reason for collection has been satisfied or three years after the employer's last interaction with the employee, whichever occurs first. 740 ILCS § 14/15(a);
- Provide each employee with written notice that his/her biometric information will be collected and stored, including an explanation of the purpose for collecting the information as well as the length of time it will be stored and/or used and obtain the subject’s express written authorization to collect and store his/her biometric information. 740 ILCS § 14/15(b);
- Refrain from selling, leasing, trading, or otherwise profiting from employees’ biometric information. 740 ILCS § 14/15(c);
- Obtain consent prior to disclosing or disseminating employees’ biometric data. 740 ILCS § 14/15(d); and
- Take reasonable care in storing, transmitting, and protecting employees’ biometric data. 740 ILCS § 14/15(e).
The First District Appellate Court’s Split Ruling in Tims v. Black Horse Carriers
Tasked with determining which of Illinois' various statutes of limitations should govern BIPA claims, the Tims court surprised observers by saying, "it depends." Specifically, the court held that the one-year limitation period for privacy claims (§ 13-201) applies to the BIPA claims involving publication of biometric information that are found in sections 15(c)-(d) and the catchall five-year limitations period (§ 13-205) applies to claims brought under sections 15(a)-(b) and (e). This means that BIPA claims involving the failure to obtain notice and consent before collecting, storing or using biometric information can go back five years from the lawsuit filing date, but claims involving the improper transfer or "publication" of the biometric information must be brought within one year of the alleged violation.
What Does this Mean for Employers?
First, it underscores the need to make sure you are complying with BIPA if you are using biometric information (information derived from biometric identifiers) in the workforce as the ability to look back five years when certifying a class action and awarding damages dramatically increases exposure for employers caught violating BIPA.
The other takeaway from the decision is the court's casual observation that employers can violate each of the five BIPA sections and, if they do, employees can recover for each such violation. Stated another way, a plaintiff who proves violations of multiple duties under the Act could collect multiple recoveries of liquidated damages—$1,000 for each negligent violation and $5,000 for each willful violation. If other courts latch onto this comment, courts could issue penalties under the Act that are drastically larger than if a single penalty applied to each employee whose rights were violated.
It is unclear, however, if employees can recover for violations of section 15(a) of BIPA as the Seventh Circuit has previously held that the duty to make publically available a written policy on retention and destruction of biometric information is “owed to the public generally,” and not to the individual plaintiff. See Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020); Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1242 (7th Cir. 2021). While those decisions were in the context of Article III standing, this holding could prevent employees from recovering for a violation of section 15(a).
Insights and Recommendations
In addition to a possible appeal of the First District’s decision in Tims, employers should also be on alert for rulings in other cases, including:
- Seventh Circuit Court of Appeals’ decision in Cothron v. White Castle System Inc., 7th Cir., No. 20-3202, regarding whether BIPA claims accrue with each violation or just the first violation.
- Illinois Supreme Court’s decision in McDonald v. Symphony Bronzeville Park LLC, Ill. Sup. Ct., No. 126511, ruling on whether the Illinois Workers’ Compensation Act preempts employees’ claims for statutory damages under BIPA.
Regardless of how these issues resolve in the courts, we continue to recommend the following proactive measures to mitigate the risk of a BIPA claim:
- Determine whether your company is collecting, storing, or using individual biometric information (information derived from biometric identifiers) for any purpose.
- If the answer is yes, make sure your company has issued the required notice and received signed releases/consents from all affected individuals. Also make sure that you have in place a publically available written policy to cover the collection, storage, use and destruction of the data.
- Ensure any collected data is not being sold or disclosed to third parties, outside of the limited exceptions permitted by BIPA.
- Evaluate your data privacy protocols and processes for protecting individual biometric data. If a vendor has access to the individual biometric data, make sure the vendor has sufficient data privacy protocols and processes in place.
- Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws addressing data breach notification requirements.