January 31, 2023
Time Is of the Essence: Hidden Time Limits in Statutory Requirements
If a law requires you to do something, it's a good idea to assume that you don't have an unlimited amount of time to do it—after all, an obligation without a time limit isn't really an obligation. A well-written law will specify any time limit expressly but, as we all know, not every law is well-written. As a result, if a law that requires an affirmative act does not specify a time limit for that act, you should look at the law to see how a court might interpret the law, rather than interpreting the law in the way that's most convenient to you or not interpreting the law at all. An Illinois company that collected its employees' fingerprint data failed to consider the timing of a requirement under a state law governing collection of biometric information, and the company lost a key ruling in court as a result.
Trinidad Mora began working for J&M Plating, Inc., in May 2014. In September 2014, J&M began to require Mora to clock into work via fingerprint scan. In May 2018, J&M established a written policy for retention and destruction of its employees' biometric data. The policy provided that J&M would destroy an employee's biometric data when the employment relationship ended or when retention of the data was no longer necessary, whichever occurred first. Mora signed the policy and agreed to the collection and use of his biometric data. Mora's employment with J&M ended on January 7, 2021, and J&M destroyed his biometric data about two weeks later. Mora sued J&M in Illinois state court. Mora alleged that J&M violated the Illinois Biometric Information Privacy Act ("BIPA") by failing to establish a schedule for retention and destruction of employees' biometric data when it first possessed the data. J&M moved for summary judgment. The trial court granted the motion. Mora appealed to the Appellate Court of Illinois.
The appellate court reversed the grant of summary judgment and remanded the case to the trial court. The appellate court found that J&M had created its data retention and destruction schedule too late to comply with the BIPA. As the appellate court explained, the BIPA requires an entity that possesses biometric data to develop a written policy for retention and destruction of the data and to make that policy available to the public. J&M argued that because the BIPA does not specify when the entity must develop and publish this policy, it did not need to develop or publish the policy before the parties' relationship ended or the data became unnecessary, whichever occurred first. The appellate court disagreed. The appellate court explained that the requirement to develop and publish the policy applies to an entity "in possession of" biometric data. As a result, possession of the data triggers the requirement, and J&M violated the requirement by waiting almost four years after it collected Mora's biometric data to develop and publish the retention and destruction policy.
The court's interpretation of the BIPA was not inevitable, but it was foreseeable. If counsel for J&M had examined the BIPA when the BIPA was new law, J&M would have realized that, because the BIPA did not establish an express time limit for development and publication of a data retention and destruction policy, a court might impose a time limit unfavorable to J&M. J&M might then have developed and published a data retention and destruction policy sooner and earned a different ruling or avoided Mora's lawsuit altogether.
Mora v. J&M Plating, Inc., 2022 Ill. App. LEXIS 507 (Ill. App. November 30, 2022).