Illinois Supreme Court Holds 5-Year Statute of Limitations for Violations Applies to BIPA
By Alan S. Wernick, Esq., Aronberg Goldgehn
The Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1) became effective in October 2008. In Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (February 2, 2023), the Illinois Supreme Court was asked to determine the applicable statute of limitations for BIPA violations. The Court held that the Illinois five-year catch-all statute of limitations (735 ILCS 5/13-205 – Five year limitation) applies to BIPA violations.
Defendant argued that the 735 ILCS 5/13-201 (Defamation – Privacy) one year statute of limitation should apply to parts of BIPA and the five year statute of limitations to other parts. In its statutory interpretation analysis, the Court states, in part: “Because statutes should be interpreted with the presumption that the legislature ‘did not intend absurd, inconvenient, or unjust consequences’ when enacting the statute, we will not apply two different statutes of limitations to the Act.” (Citations omitted.) In holding that the five year statute of limitations applies, the Court notes “This would also further our goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the Act [BIPA].”
The Court also points to the text of 740 ILCS 14/5(f), in which this BIPA section states: “The full ramifications of biometric technology are not fully known,” and the Court goes on to state “…absent the Act’s protections, it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation of the Act. Moreover, a shorter limitations period would prejudice those whom the Act is intended to protect. Therefore, we find that a longer limitations period would comport with the public welfare and safety aims of the General Assembly by allowing an aggrieved party sufficient time to discover the violation and take action.”
The bottom line is that businesses subject to BIPA should not wait to test the limits of BIPA’s applicability to the businesses’ use of biometric information or BIPA’s statute of limitations. Businesses should seek knowledgeable counsel to assist in the proactive pursuit of compliance with the BIPA and similar privacy/cybersecurity laws.
© 2023 Alan S. Wernick and Aronberg Goldgehn.
An Update on the Current State of Data Privacy in the United States
By Aja Finger, J.D. Candidate, Class of 2024, Howard University School of Law
While stakeholders wait to see if the American Data Privacy Protection Act (ADPPA) will go through another round of edits, individual states have continued to enact their own legislation, building out the nationwide patchwork of privacy laws. On January 1, 2023, the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Privacy Act (VCDPA) went into effect. The CPRA complements the California Consumer Privacy Act (CCPA) by expanding consumer rights to include the right to correct personal information, and the right to opt out of automated decision-making. Additionally, it requires businesses to conduct data privacy risk assessments and explicitly prohibits discrimination in exercising rights. The VCDPA mostly includes the same consumer rights and business obligations as the CPRA. However, while the VCDPA does not include a private right of action, it does include the right to opt in for sensitive data processing.
Although the California and Virginia laws are newly effective, with a new legislative session underway, lawmakers have been quick to propose updates. For example, the Virginia Senate General Laws and Technology Committee considered a proposal to add verifiable parental consent requirements for adolescents ages 13–17. However, on January 25, it was “passed by indefinitely” in a 9–6 vote, likely killing the proposal. Moreover, in California, lawmakers proposed numerous amendments that would potentially establish a five-year statute of limitations for Attorney General enforcement and extend business obligations to delete personal information about consumers “related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care.”
As California and Virginia continue to adjust their data privacy laws, businesses are also preparing to comply with additional state legislation. On July 1, 2023, both the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CDPA) will go into effect. Although the CPA has not been fully effectuated, on February 23, the Colorado Privacy Act Rules were adopted, subject to review by the Colorado Attorney General. The Utah Consumer Privacy Act (UCPA) will become effective on December 31, 2023. Nevertheless, lawmakers are not waiting for enactment to propose other data privacy legislation. Utah legislators have been considering two related social media bills: SB 152, which has a greater focus on increasing parental controls of minor use on social media platforms, and HB 311, which focuses on prohibiting social media designs and features that can lead to addiction in minors. Most recently, Connecticut’s General Law committee introduced SB 1103, which would both establish a task force to study artificial intelligence (AI) and develop an AI Bill of Rights.
As technology continues to grow more deeply ingrained into our lives, it will be interesting to watch lawmakers continue to build out laws to regulate safe online use for minors and consumers. Although only the five states discussed here have passed comprehensive data privacy laws, businesses should also be mindful of legislative activity in Iowa, New Hampshire, New York, Indiana, and Oregon, which have all introduced their own comprehensive data privacy bills this year.