Despite its enactment in 2008, the Illinois Biometric Information Privacy Act's (BIPA) legal standards were largely undeveloped until its emergence to the main stage circa 2017. But with the decisions in Rosenbach v. Six Flags in 2019 (standing) and McDonald v. Symphony in 2022 (workers' compensation), and the recent $228 million jury verdict against BNSF Railway in the first-ever BIPA trial, we continue to see the BIPA landscape take shape. With more than 250 lawsuits filed in 2022 alone, BIPA litigation shows no signs of slowing down. As we look forward to another busy year of BIPA litigation in 2023, attorneys on both sides of the 'v.' eagerly await two critical decisions from the Illinois Supreme Court that could significantly impact pending and future litigation.

Statute of Limitations – decision to be issued on February 2, 2023

Tims v. Black Horse Carriers, Inc. (No. 127801) seeks to resolve the longstanding debate about the appropriate statute of limitations for BIPA actions. Because the law is silent on the issue, the defense bar (including in Tims) argues that the one-year limitations period for privacy actions outlined in 735 ILCS 5/13-201 should apply. On the other hand, plaintiffs argue (like in Tims) that the five-year "catch-all" limitations period contained in 735 ILCS 5/13-205 is more appropriate for actions under BIPA. However, in 2021, the Illinois Appellate Court complicated matters when it decided that the one-year and five-year limitations periods applied to different sections of the Act. See, generally, 2021 IL App (1st) 200563. Specifically, the Appellate Court held that the one-year period under § 201 applies to Section 15(c) and 15(d) BIPA claims because those sections involve the "publication" of biometric data, which is a term explicitly used in § 201. Conversely, since the Appellate Court found that Sections 15(a), (b), and (e) of the BIPA do not involve the publication of an individual's biometric data, it applied the five-year limitations period from § 205 to those sections.

Given the split among limitations and claims by the Appellate Court, a reversal by the Illinois Supreme Court on any claim could be significant for both plaintiffs and defendants. For example, suppose the Supreme Court decides that a blanketed one-year limitation applies to BIPA claims. In that case, it could significantly reduce the class size of current class actions and certainly result in some time-barred lawsuits. However, the opposite would hold if the Supreme Court decides that a blanketed five-year limitation applies. Indeed, hundreds of BIPA lawsuits have been stayed for more than a year as this issue gets resolved, many with a pending motion to dismiss, raising the statute of limitations issue. Tims was argued before the court in September 2022, and today, the Illinois Supreme Court announced that a decision will come down on February 2, 2023.

Claim Accrual

Cothron v. White Castle (No. 128004) will determine whether claims asserted under 15(b) and 15(d) of BIPA accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information. While currently before the Illinois Supreme Court, the case is pending in the U.S. District Court for the Northern District of Illinois. Following the district court's rejection of White Castle's "one time only" accrual theory at summary judgment, the court found the question close enough to warrant an interlocutory appeal under 28 U.S.C. § 1292(b). During the appeal, the plaintiff asked the Seventh Circuit to certify the question to the Illinois Supreme Court. See 20 F.4th 1156, 1159 (7th Cir. 2021). The Seventh Circuit obliged and directed the Illinois Supreme Court to answer the following question: "Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?" Id. at 1167.

Oral argument before the Illinois Supreme Court in Cothron occurred in May 2022. White Castle argued that a first-scan theory is appropriate because that is when the privacy right is first invaded, and the loss of control occurs. White Castle also stressed that the issue of damages is necessarily intertwined with the issue of accrual and encouraged the court to weigh the consequences of holding that accrual occurs at each collection. Citing proximity to the issue before the court, White Castle suggested that the damages component be analyzed because the only safeguard against future plaintiffs seeking damages on a "per-scan" model are Due Process concerns and the possibility that lower courts may not find such significant awards appropriate. While conceding that Due Process concerns would likely safeguard against a per-scan damages model, the plaintiff argued that White Castle's view would obviate the need for defendants to course correct and would avoid consequences for existing issues.

Resolution of the claim accrual issue is crucial for BIPA litigation. If the court decides that a claim accrues upon each scan without addressing the damages component, penalties for even the smallest of companies could be astronomical with only a Due Process argument to rely upon. Indeed, if the court does not address the damages component of accrual at this juncture, it will likely result in another round of stays until the issue is decided on a later appeal. A decision on this matter is expected in the first quarter of 2023.

For up to date information on these cases, the Seyfarth Shaw Commercial Consumer Class Action Defense practice group will provide detailed summaries of the decisions as they are released by the Illinois Supreme Court.

Compliance Recommendations

Despite these BIPA issues still up in the air, there are a few basic practices that can already be followed to avoid, or mitigate exposure under the statute:

  1. Maintain a public privacy policy;
  2. Permanently destroy biometric information in a timely manner;
  3. Provide pre-collection notice;
  4. Obtain pre-collection consent;
  5. Maintain security measures to safeguard biometric information;
  6. Strictly prohibit sales and any other form of profiting from biometric information, including for any vendors; and
  7. Obtain vendor compliance with BIPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.