Illinois Clarifies Limitations on Data Privacy Claims

Written by

A court in Illinois has issued an opinion clarifying how the statute of limitations should be applied to the state's Biometric Information Privacy Act (BIPA).

In what The National Law Review described as "a highly anticipated ruling," the Illinois Appellate Court published an opinion that while a one-year deadline would be applied to claims based on unlawful profit or disclosure, claims relating to data retention policy disclosure, informed consent, and safeguarding would have a limitation period of five years. 

The ruling was made by a panel of three judges in the case of Tims v. Black Horse Carriers, Inc. The panel said that the different limitation periods are necessary because each BIPA requirement is "separate and distinct."

The five-year statute of limitations period applies to all BIPA claims that assert (1) unlawful collection of biometric data without written notice, or (2) issues relating to storing or transmitting it, or (3) claims involving the company's failure to develop a publicly available retention and destruction schedule.

BIPA claims that allege (1) improper disclosure or (2) improper sale, lease, trade, or profit from biometric data will fall under the one-year limitations period.

"This long-awaited decision provides much-needed clarity for businesses and entities involved in the collection or processing of biometric data that impacts Illinois residents," said Natalie Prescott, practice group associate at law firm Mintz.

"This clarification by the Illinois Appellate Court provides more certainty with respect to when potential claims can be deemed untimely."

Commenting on the ruling, Tim Wade, technical director, CTO team at California-based AI cybersecurity company Vectra, emphasized the unique importance of biometric data.

"The loss of biometric data is concerning for the same reasons biometric-based authentication systems are weak – an individual can’t go out and get a new set of fingerprints, a new retinal pattern, or a new face. 

"For this reason, companies that collect and store such information must be held to the highest standards of stewardship, and failure to maintain such stewardship is a non-trivial matter. Any erosion in our legal system’s position with respect to that seriousness is a net-loss for individual privacy."

What’s hot on Infosecurity Magazine?