June 19, 2026
Illinois Court Ruling on BIPA Retroactivity Limits Liability for Employers Collecting Biometric Data

The landscape of biometric privacy litigation in Illinois has undergone a seismic shift following a landmark decision by the Seventh Circuit Court of Appeals, which confirmed that recent legislative amendments to the Illinois Biometric Information Privacy Act (BIPA) apply retroactively to pending cases. This ruling, delivered in the case of Clay v. Union Pacific on April 1, 2026, solidifies a significant victory for employers who have faced the prospect of "annihilative liability" under the state’s stringent privacy regulations. By affirming that damages should be calculated on a per-person basis rather than a per-violation basis, the court has effectively neutralized a multi-billion dollar threat that has loomed over the Illinois business community for nearly a decade.

The Genesis of BIPA and the Rise of Biometric Litigation

Enacted in 2008, the Illinois Biometric Information Privacy Act was the first state law of its kind in the United States. At the time of its inception, the Illinois General Assembly recognized that biometrics—unlike Social Security numbers or passwords—cannot be changed if compromised. Once a fingerprint, iris scan, or voiceprint is stolen, the individual has no recourse to replace that unique biological identifier. Consequently, BIPA was designed to regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.

The act covers a wide array of biological data, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and DNA. For years, the law remained relatively dormant, with few lawsuits filed. However, the legal landscape shifted dramatically in 2019 when the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff does not need to prove actual financial or physical harm to bring a lawsuit. The court held that the "mere violation" of the statute’s notice and consent requirements was sufficient to establish "aggrieved" status under the law.

This decision opened the floodgates for class-action litigation. Thousands of Illinois employers—ranging from small family businesses to Fortune 500 corporations—found themselves targeted for using biometric time clocks or security systems without having secured the specific, written informed consent required by the statute.

The Per-Scan Controversy: Cothron v. White Castle System, Inc.

The most contentious aspect of BIPA litigation centered on how damages were calculated. The statute provides for liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. For years, plaintiffs’ attorneys argued that a "violation" occurred every single time an employee scanned their finger or face.

In the 2023 case of Cothron v. White Castle System, Inc., the Illinois Supreme Court addressed this specific question. The case involved a class of employees who alleged they were required to scan their fingerprints to access pay stubs and work computers. White Castle had utilized a third-party vendor to verify these scans but had failed to obtain written consent for nearly 14 years.

The court’s ruling was a shock to the business community: it determined that, based on the plain language of the statute, a separate claim accrues every time a private entity scans or transmits an individual’s biometric data. For an employee scanning in and out of work four times a day, this meant an employer could technically be liable for $4,000 in damages per employee, per day. In the White Castle case, this interpretation led to a potential liability of over $17 billion for a company with only a few thousand employees. While the court acknowledged that this "annihilative liability" could potentially bankrupt companies, it maintained that it was the role of the legislature, not the judiciary, to fix the statute.

Legislative Intervention: The Passage of SB 2979

Following the White Castle decision, the Illinois General Assembly faced intense pressure from business groups, including the Illinois Chamber of Commerce and various retail and manufacturing associations. These groups argued that the per-scan interpretation was never the original intent of the law and that it threatened the economic stability of the state.

In response, the legislature passed Senate Bill 2979 (SB 2979), which was signed into law and became effective on August 2, 2024. The amendment fundamentally altered the damages provision of BIPA. It established that for purposes of calculating statutory damages, a repeated collection of the same biometric identifier from the same person using the same method constitutes only a single violation.

Under this new framework, if an employer fails to get consent from an employee who subsequently scans their finger 1,000 times over three years, the employer is liable for one $1,000 or $5,000 penalty, rather than 1,000 separate penalties. This change drastically reduced the potential exposure for companies, shifting the focus from "per-scan" to "per-person."

The Retroactivity Milestone: Clay v. Union Pacific

While SB 2979 provided relief for future violations, a critical question remained: did the amendment apply to the thousands of cases already moving through the court system? Plaintiffs’ attorneys argued that the amendment was a substantive change in the law that should only apply moving forward. Employers argued that the amendment was "remedial" and "procedural," intended to clarify the original intent of the law and prevent absurd results.

On April 1, 2026, the Seventh Circuit Court of Appeals resolved this dispute in Clay v. Union Pacific. The court ruled that the per-person damage accrual amendment is indeed remedial and procedural. Under Illinois law, procedural and remedial changes to statutes apply retroactively to pending cases unless such application would interfere with a vested right. The court found that plaintiffs do not have a "vested right" to a specific calculation of statutory liquidated damages before a final judgment is entered.

The Clay decision means that any BIPA lawsuit that was pending as of August 2, 2024, or filed thereafter, is subject to the per-person damages cap. This ruling has effectively deflated the settlement value of hundreds of pending class actions, saving Illinois employers billions of dollars in potential payouts.

Chronology of Key BIPA Developments

  • 2008: The Illinois Biometric Information Privacy Act (BIPA) is signed into law.
  • 2019: Rosenbach v. Six Flags establishes that plaintiffs do not need to show actual harm to sue.
  • February 2023: Cothron v. White Castle rules that damages accrue "per-scan," leading to astronomical liability projections.
  • August 2, 2024: SB 2979 takes effect, amending BIPA to limit damages to a "per-person" basis.
  • April 1, 2026: The Seventh Circuit in Clay v. Union Pacific rules that the 2024 amendment applies retroactively to all pending cases.

Current Compliance Requirements for Illinois Employers

Despite the reduction in potential damages, BIPA remains one of the strictest privacy laws in the country. The Clay decision limits damages to a per-person basis, but for a company with 10,000 employees, a single negligent slip-up still carries a $10 million price tag ($1,000 x 10,000). To avoid litigation, employers must adhere to a strict compliance checklist:

  1. Written Policy: Employers must have a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric data.
  2. Informed Consent: Before collecting any data, the employer must inform the individual in writing that biometric data is being collected and stored.
  3. Purpose and Duration: The notice must specify the exact purpose of the collection and the length of time the data will be retained.
  4. Written Release: The employer must receive a written release (consent) signed by the employee or individual before the data is captured.
  5. Prohibition on Profit: Under no circumstances can a company sell, lease, or trade an individual’s biometric data.
  6. Security Standards: Employers must store and protect biometric data using the same or a higher standard of care than they use for other sensitive information, such as account numbers or PINs.

Broader Impact and Implications for the Future

The retroactive application of the BIPA amendment marks a turning point in the "privacy wars" of the 21st century. For years, Illinois was viewed as a laboratory for aggressive privacy litigation, with the "per-scan" model serving as a warning to other states considering similar legislation.

The 2026 ruling brings Illinois more in line with other states like Texas and Washington, which have biometric privacy laws but do not allow for the same level of private right of action or aggregate damages. This shift is expected to encourage businesses that previously hesitated to expand in Illinois because of the litigation climate to reconsider the state for investment.

However, privacy advocates warn that the reduction in damages may weaken the deterrent effect of the law. Organizations like the ACLU have expressed concern that if the cost of non-compliance is seen merely as a "cost of doing business," companies may become lax in their data protection efforts. They argue that the uniqueness of biometric data requires the highest possible stakes to ensure corporate accountability.

For legal practitioners, the Clay decision likely signals the end of the "gold rush" era of BIPA litigation. While lawsuits will continue, the era of billion-dollar settlements for technical paperwork errors is likely over. Moving forward, the focus of BIPA litigation is expected to shift toward actual data breaches and the unauthorized sharing of biometric data with third parties, rather than simple procedural failures in time-clock management.

In conclusion, while the Seventh Circuit’s decision provides much-needed clarity and financial relief to the Illinois business community, it does not absolve employers of their privacy obligations. The fundamental requirements of BIPA remain in full force, and the cost of ignoring them, while no longer "annihilative," remains substantial enough to demand rigorous compliance and constant vigilance.