Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

Illinois state appellate court applies different limitation periods under BIPA

Privacy/Cyber Risk & Data Security State Issues Courts Illinois Statute of Limitations BIPA Class Action Appellate

Privacy, Cyber Risk & Data Security

On September 17, the First District Appellate Court of Illinois held that different limitation periods should be applied to the Biometric Information Privacy Act (BIPA), concluding that while Section 15 imposes various duties that all concern privacy, “each duty is separate and distinct.” Specifically, the panel stated that claims related to “[a]ctions for slander, libel or for publication of matter violating the right of privacy” have a one-year limitation period, while “all civil actions not otherwise provided for” carry a five-year limit. Plaintiffs filed a class action complaint alleging violations of BIPA Sections 15(a), 15(b), and 15(d), claiming the defendant collected, stored, used, and disseminated individuals’ biometric data obtained through fingerprint scans without, among other things, (i) informing plaintiffs of the purpose and length of the storage and use of their data; (ii) receiving written release from plaintiffs; (iii) providing a retention schedule and guidelines for destroying the data; or (iv) obtaining consent from plaintiffs and other employees to disseminate their data to third parties. The defendant moved to dismiss, arguing that the claims were filed outside the limitation period, noting that while BIPA itself has no limitation provision, “the one-year limitation period for privacy actions under Code section 13-201 applies to causes of action under [BIPA] because [BIPA’s] purpose is privacy protection.” A state trial court denied the defendant’s motion to dismiss, ruling that the plaintiffs’ claims  were subject to Illinois’ “catchall” five-year limitation provision rather than the state’s one-year privacy claim limitation period, since the plaintiffs were alleging specific BIPA violations rather than a general privacy invasion.

On appeal, the appellate court considered the limitations question and determined, among other things, that since Illinois’ one-year statute of limitations applies only to published privacy violations, it can only govern BIPA claims filed under section 15(c)’s profit restrictions and section 15(d)’s disclosure/dissemination prohibitions. As such, plaintiffs suing under BIPA’s section 15(a)’s retention requirements, section 15(b) informed consent, and section 15(e) data safeguarding requirements have five years to bring such claims since these duties “have absolutely no element of publication or dissemination.”