Illinois companies took one on the chin this week. The Illinois Supreme Court gave individuals five years to launch any claim under the Biometric Information Privacy Act. The ruling reversed an intermediate appellate court that put a one-year limit on claims that companies unlawfully profited from or shared people's data.
The Illinois Supreme Court said the lower appellate court was wrong when it said the state's one-year privacy limit governed BIPA claims brought under Section 15(c)'s profit restrictions and Section 15(d)'s dissemination prohibitions. The ruling applies the state's "catchall" five-year limitation period to those claims, along with those under BIPA's 15(a) retention policy, Section 15(b) informed consent and Section 15(e) data safeguarding requirements.
The case resolves how to handle BIPA claims limits, because the act itself did not directly address statutes of limitations. The decision hinged on how tightly related certain BIPA causes of action were tied to the publication of people's data, since the state's one-year statute of limitations for privacy violations applies to claims "for publication of matter violating the right of privacy." Plaintiffs in the case argued that the justices should apply the state's five-year limit to all BIPA claims because "publication in and of itself is never the trigger" for a claim brought under any of BIPA's subsections.
However, plaintiffs also argued that the one-year limit should govern each of BIPA's subsections because the word "for" in the limitation means "in relation to or concerning" and that BIPA claims clearly relate to and concern published privacy violations, even if publication is not a core element of the claim.
The lower appellate panel found in 2021 that the state's one-year privacy limit can only govern BIPA claims brought under Section 15(c)'s profit restrictions and Section 15(d)'s dissemination prohibitions since the limitation period applies only to published privacy violations. It also said BIPA's Section 15(a) retention policy, Section 15(b) informed consent and Section 15(e) data safeguarding requirements are governed by the state's "catch-all" five-year limit since those causes of action "have absolutely no element of publication or dissemination."
The limitations question reached the panel after a state trial court rejected a transportation company’s argument that its employees had launched untimely claims over its biometric data collection, storage and dissemination practices, according to the opinion. If you have questions about how this development might affect your organization, please contact Johnson & Bell Shareholders, Garrett L. Boehm, Jr. or Kevin G. Owens or Counsel Pat Gloor.