CURRENT MONTH (February 2023)
Illinois Supreme Court Holds 5-Year Statute of Limitations for Violations Applies to BIPA
By Alan S. Wernick, Esq., Aronberg Goldgehn
The Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1) became effective in October 2008. In Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (February 2, 2023), the Illinois Supreme Court was asked to determine the applicable statute of limitations for BIPA violations. The Court held that the Illinois five-year catch-all statute of limitations (735 ILCS 5/13-205 – Five year limitation) applies to BIPA violations.
Defendant argued that the one-year statute of limitations in 735 ILCS 5/13-201 (Defamation – Privacy) should apply to parts of BIPA and the five-year statute of limitations to other parts. In its statutory interpretation analysis, the Court states, in part: “Because statutes should be interpreted with the presumption that the legislature ‘did not intend absurd, inconvenient, or unjust consequences’ when enacting the statute, we will not apply two different statutes of limitations to the Act.” (Citations omitted.) In holding that the five-year statute of limitations applies, the Court notes: “This would also further our goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the Act [BIPA].”
The Court also points to the text of 740 ILCS 14/5(f), in which this BIPA section states: “The full ramifications of biometric technology are not fully known,” and the Court goes on to state “…absent the Act’s protections, it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation of the Act. Moreover, a shorter limitations period would prejudice those whom the Act is intended to protect. Therefore, we find that a longer limitations period would comport with the public welfare and safety aims of the General Assembly by allowing an aggrieved party sufficient time to discover the violation and take action.”
The bottom line is that businesses subject to BIPA should not wait to test the limits of BIPA’s applicability to the businesses’ use of biometric information or BIPA’s statute of limitations. Businesses should seek knowledgeable counsel to assist in the proactive pursuit of compliance with the BIPA and similar privacy/cybersecurity laws.
© 2023 Alan S. Wernick and Aronberg Goldgehn.
An Update on the Current State of Data Privacy in the United States
By Aja Finger, J.D. Candidate, Class of 2024, Howard University School of Law
While stakeholders wait to see if the American Data Privacy Protection Act (ADPPA) will go through another round of edits, individual states have continued to enact their own legislation, building out the nationwide patchwork of privacy laws. On January 1, 2023, the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Privacy Act (VCDPA) went into effect. The CPRA complements the California Consumer Privacy Act (CCPA) by expanding consumer rights to include the right to correct personal information, and the right to opt out of automated decision-making. Additionally, it requires businesses to conduct data privacy risk assessments and explicitly prohibits discrimination in exercising rights. The VCDPA mostly includes the same consumer rights and business obligations as the CPRA. However, while the VCDPA does not include a private right of action, it does include the right to opt in for sensitive data processing.
Although the California and Virginia laws are newly effective, with a new legislative session underway, lawmakers have been quick to propose updates. For example, the Virginia Senate General Laws and Technology Committee considered a proposal to add verifiable parental consent requirements for adolescents ages 13–17. However, on January 25, it was “passed by indefinitely” in a 9–6 vote, likely killing the proposal. Moreover, in California, lawmakers proposed numerous amendments that would potentially establish a five-year statute of limitations for Attorney General enforcement and extend business obligations to delete personal information about consumers “related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care.”
As California and Virginia continue to adjust their data privacy laws, businesses are also preparing to comply with additional state legislation. On July 1, 2023, both the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CDPA) will go into effect. Although the CPA has not been fully effectuated, on February 23, the Colorado Privacy Act Rules were adopted, subject to review by the Colorado Attorney General. The Utah Consumer Privacy Act (UCPA) will become effective on December 31, 2023. Nevertheless, lawmakers are not waiting for enactment to propose other data privacy legislation. Utah legislators have been considering two related social media bills: SB 152, which focuses more on increasing parental controls over minors’ use of social media platforms, and HB 311, which focuses on prohibiting social media designs and features that can lead to addiction in minors. Most recently, Connecticut’s General Law committee introduced SB 1103, which would both establish a task force to study artificial intelligence (AI) and develop an AI Bill of Rights.
As technology continues to grow more deeply ingrained into our lives, it will be interesting to watch lawmakers continue to build out laws to regulate safe online use for minors and consumers. Although only the five states discussed here have passed comprehensive data privacy laws, businesses should also be mindful of legislative activity in Iowa, New Hampshire, New York, Indiana, and Oregon, which have all introduced their own comprehensive data privacy bills this year.
Illinois Supreme Court Holds That Under BIPA Every Scan Counts
By Alan S. Wernick, Esq., Aronberg Goldgehn
The Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1) became effective in October 2008. In Cothron v. White Castle System, Inc., 2023 IL 128004 (February 17, 2023), the Illinois Supreme Court, on a question certified to the Court by the United States Court of Appeals for the Seventh Circuit, was asked to resolve the question: “Do section 15(b) and 15(d) [of BIPA] claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” The Illinois Supreme Court held that a BIPA “…claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.”
In its recitation of the facts provided by the 7th Circuit, the Illinois Supreme Court notes: “White Castle moved for judgment on the pleadings, arguing that plaintiff’s action was untimely because her claim accrued in 2008, when White Castle first obtained her biometric data after the Act’s effective date. Plaintiff responded that a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”
In its analysis, the Illinois Supreme Court focused on the language of the BIPA. BIPA §15(b), in part, requires informed consent from an individual before a private entity collects biometric identifiers or biometric information. BIPA §15(d), in part, requires the individual’s consent before disclosure or redisclosure of the individual’s biometric identifier or biometric information. The Court noted, in a comment from the perspective of the intersection of technology and law, that “[a] fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”
The Court states further: “Put simply, our caselaw holds that, for purposes of an injury under section 15 of the Act, the court must determine whether a statutory provision was violated. Consequently, we reject White Castle’s argument that we should limit a claim under section 15 to the first time that a private entity scans or transmits a party’s biometric identifier or biometric information. No such limitation appears in the statute. We cannot rewrite a statute to create new elements or limitations not included by the legislature.”
BIPA §5 reflects the legislative findings and intent and notes, in part, in §5(c): “Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” And, in §5(f): “The full ramifications of biometric technology are not fully known.”
The bottom line is that the Illinois Supreme Court’s holding that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent underscores the need for businesses to seek knowledgeable counsel’s assistance in proactively pursuing compliance with BIPA and other privacy/cybersecurity laws.
© 2023 Alan S. Wernick and Aronberg Goldgehn.
§ 13-205 states, in part: “Five year limitation. Except as … actions on unwritten contracts, expressed or implied, or on awards of arbitration, or to recover damages for an injury done to property, real or personal, or to recover the possession of personal property or damages for the detention or conversion thereof, and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”
§ 13-201 states: “Defamation–Privacy. Actions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.”