December 17, 2021
Cybersecurity & Privacy Alert
The latest ruling addresses an important issue on the accrual of claims for statute of limitations purposes and should serve as a reminder for companies to review their policies and procedures regarding collection of biometric data.
On December 15, 2021, the Illinois Appellate Court issued a decision of significant importance to the many cases filed under the strictest biometric privacy law in the United States, Illinois’s Biometric Information Privacy Act (BIPA). In Watson v. Legacy Healthcare Financial Services, LLC, the plaintiff, a nursing assistant employed by multiple affiliated skilled nursing facilities, first used an alleged biometric scanner to clock in and out of work in 2012, more than five years before filing his complaint under BIPA. He alleged that the defendants collected his biometric information without complying with BIPA’s requirements to provide notice and obtain informed written consent and without having a publicly available policy governing the retention and destruction of biometric data. Relying on BIPA’s provision that an entity may not collect biometric information “without first” providing notice and obtaining consent, the trial court determined that plaintiff’s claims accrued when his information was first collected in 2012 and dismissed plaintiff’s claim under a five-year statute of limitations period.
The plaintiff appealed to the Illinois Appellate Court. After walking through the applicable tenets of statutory construction, including applying dictionary definitions to some of BIPA’s operative terms, the court held that BIPA claims accrue anew at each collection of biometric information, not merely upon the first collection. The court reasoned that “the plain language of the statute establishes that it applies to each and every capture and use of plaintiff’s fingerprint or hand scan.”
In so holding, the court refused to address the defendants’ argument that an accrual rule based on each collection would result in multiple violations per plaintiff and ruinous liability based on BIPA’s provision that allows statutory damages of $1,000 or $5,000 for “each violation.” Still, the court was clear that it was only deciding whether the complaint survived a motion to dismiss, not any questions regarding whether each instance involved a new “collection” or BIPA’s damages provisions. Nonetheless, in rejecting the defendants’ argument that all of the requirements for the suit were satisfied at the first collection of biometric information, such that the plaintiff’s BIPA claim accrued at that time, the court noted that the defendants’ argument “overlooks all the ensuing times defendants violated the statute by” collecting and using plaintiff’s biometric information, thereby suggesting that each collection constituted a separate violation.
While the plaintiffs’ bar will likely cite this language as support for the notion that each collection of biometric information creates a separate claim for damages, the court included in a footnote an important point about BIPA’s statutory damages that has received little attention in current BIPA case decisions: a prevailing BIPA plaintiff “may recover” monetary relief for each violation. Invoking this language, the court noted: “Although we do not address the issue of damages for the reasons already explained above, we observe that damages are discretionary, not mandatory. The Act introduces a list of possible damages with the statement that this list constitutes what a ‘prevailing party may recover.’” (emphasis in original). Thus, the defense bar will cite this language in support of the position that, no matter the number of alleged violations, the monetary liability imposed by BIPA is optional, not mandatory, and within the discretion of the court. This footnote adds even more uncertainty to the fate of BIPA cases moving forward and may further push existing BIPA litigants—plaintiffs and defendants alike—to settle their claims in the face of this additional uncertainty.
Based on the language in Watson indicating that BIPA compliance is required at each collection, this decision also warrants a further review by companies that may collect or receive biometric information to ensure that their policies and procedures are fully compliant with BIPA.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.