Client Alerts

Time After Time: Illinois Supreme Court Asked To Decide When Statute of Limitations Accrues for BIPA Violations

By: Frances Floriano Goins

About: Cybersecurity & Privacy

December 22, 2021 – The Illinois Biometric Information Privacy Act (BIPA 740 ILCS 14/1 et seq.) requires businesses to notify individuals before collecting their biometric identifiers such as fingerprints (click here to read our previous client alert). If the business fails to first provide notice and obtain a waiver, the affected person may bring a lawsuit.

But when does a cause of action start to accrue for purposes of the statute of limitations under BIPA? Is it each time a business collects a person’s biometric identifier or just the first time the business collects such information?

This question has flummoxed the Seventh Circuit Court of Appeals, which on Monday certified this question to the Illinois Supreme Court. In Cothron v. White Castle System, Inc., 2021 WL 5998537 (7th Cir. 2021), the federal appeals court asked the Illinois Supreme Court whether BIPA “claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” In that case, the plaintiff, who works as a manager at an Illinois White Castle restaurant, clocks in and out by scanning her fingerprint. White Castle moved to dismiss the case arguing that the plaintiff, who began working with this system in 2004, waited too long to file a lawsuit. The district court denied the motion, but the Seventh Circuit, instead of reversing or affirming, decided to certify the issue as one of first impression to the Illinois Supreme Court.

The Seventh Circuit’s opinion comes on the heels of an Illinois appellate court case addressing the same issue. Last week, in Watson v. Legacy Healthcare Financial Services, LLC, 2021 WL 5917935 (Ill. App. 1 Dist., 2021), the Illinois appellate court held that a claim under BIPA begins to accrue each time a company collects biometric information. The plaintiff in that case was a certified nursing assistant who worked at the defendants’ nursing homes. And, like the White Castle employee, the plaintiff clocked in and out of work by pressing his hand on a scanner. The nursing homes moved to dismiss the lawsuit arguing that the plaintiff’s claim was time-barred because his action had accrued on the first day they collected his biometric information. The trial court agreed with the nursing homes and dismissed the lawsuit. But the appellate court reversed and held that BIPA’s obligations to provide notice and obtain waivers applied each and every time the plaintiff scanned his hand.

Ulmer’s Cybersecurity & Privacy Practice Group continues to follow this developing issue and will provide an update if and when the Illinois Supreme Court issues a decision. If you have any additional questions, please reach out to our experienced data privacy attorneys.

The information provided in this client alert speaks only to the information and guidance we have available as of the date of publication and is subject to change. We will continue to follow further issued guidance and regulations and endeavor to post those updates via our website. Please continue to follow these updates at This legal update was created by Ulmer & Berne LLP, and is not intended as a substitute for professional legal advice. Receipt of this client alert, by itself, does not create an attorney client relationship. For any questions, or for further information, please contact Frances Floriano Goins at