Last week an Illinois Appellate Court split the difference, finding that a one-year statute of limitations applies to claims arising under the state's Biometric Information Privacy Act that involve the publication of protected data to third parties, while a five-year statute applies to those that do not.
The statute contains five subsections that create potential claims related to the collection, retention, transmission and use of information or data. Two of those subsection - (c) and (d) - include the disclosure of the regulated information to a third party and therefore are governed by the one-year statute for privacy claims. The other three - (a), (b), and (e) - can be violated even if the defendant does not disclose the information to a third party and are therefore are covered by the five-year "catch all" limitations period.
There's probably a little something for everyone in this decision, with defendants pleased to have a shorter limitations period applied to at least some of the claims recognized under BIPA. Plaintiffs meanwhile will welcome the affirmation of a five-year statute for the majority of claims and likely will argue that this distinction buttresses an argument that statutory damages are available for violations of each of the statute's subsections rather than a single award for all violations.
While all these duties concern privacy, at least three of them have absolutely no element of publication or dissemination.