The legal landscape surrounding the Illinois Biometric Information Privacy Act (BIPA) has undergone a seismic shift, transitioning from an era of potentially "annihilative" liability for corporations to a more moderated, per-person damages framework. This evolution, culminated by the Seventh Circuit Court of Appeals’ April 2026 decision in Clay v. Union Pacific, provides a definitive resolution to years of judicial uncertainty regarding how damages should be calculated and whether legislative reforms apply to existing litigation. As Illinois remains the vanguard of biometric privacy regulation in the United States, the interplay between the 2008 statute, the landmark Cothron v. White Castle System, Inc. ruling, and the subsequent 2024 legislative amendments offers a critical case study in balancing individual privacy rights with the economic viability of the business community.
The Genesis and Architecture of BIPA
Enacted in 2008, the Illinois Biometric Information Privacy Act was the first of its kind in the nation. It was designed to address the unique risks associated with the collection of biometric identifiers—such as fingerprints, retina scans, voiceprints, and facial geometry—noting that unlike social security numbers or passwords, biometric data is biologically immutable. Once compromised, an individual has no recourse to change their biometric markers, leaving them at permanent risk of identity theft or unauthorized tracking.
To mitigate these risks, BIPA imposed stringent procedural requirements on private entities. Under Section 15 of the Act, companies are required to:
- Develop a Written Policy: Establish a publicly available written policy setting forth a retention schedule and guidelines for the permanent destruction of biometric data.
- Provide Informed Notice: Inform the subject in writing that biometric identifiers are being collected or stored.
- Specify Purpose and Duration: Disclose the specific purpose of the collection and the length of time for which the data will be retained.
- Obtain Written Release: Secure a legally binding written consent (a "release") from the individual before any data is captured.
- Prohibit Profiting: Refrain from selling, leasing, or otherwise profiting from an individual’s biometric information.
For over a decade, the law remained relatively obscure until the Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags Entertainment Corp., which clarified that a plaintiff does not need to prove an "actual injury" (such as financial loss or identity theft) to sue. The mere procedural violation of the statute was deemed sufficient to grant a "person aggrieved" the right to seek statutory damages. This ruling opened the floodgates for class-action litigation, particularly against employers using biometric timekeeping systems.
The Cothron v. White Castle Decision and the Threat of "Annihilative Liability"
The tension between BIPA’s strict requirements and industrial reality reached a boiling point in the case of Cothron v. White Castle System, Inc. In this matter, a class of employees alleged that the fast-food giant had required them to scan their fingerprints to access pay stubs and computer systems for over a decade without obtaining the requisite statutory consent.
The central legal question was whether a violation occurred only the first time a fingerprint was scanned without consent, or whether every subsequent scan constituted a fresh violation. In February 2023, the Illinois Supreme Court ruled in a 4-3 decision that a separate claim accrues under BIPA each and every time a private entity scans or transmits an individual’s biometric data.
The implications of this "per-scan" interpretation were staggering. For a single employee scanning their finger four times a day (clocking in, for lunch, returning from lunch, and clocking out), a company could theoretically face $4,000 in negligent statutory damages per day, per employee. In the White Castle case, estimates suggested the company could be liable for upwards of $17 billion. While the court acknowledged that this could result in "annihilative liability" that could bankrupt even the largest corporations, it maintained that the plain language of the statute dictated the result. However, the majority opinion explicitly invited the Illinois General Assembly to review the statute if it felt the policy outcomes were too severe.
Legislative Intervention: The Passage of SB 2979
Responding to the judiciary’s invitation and heavy lobbying from the business sector, the Illinois General Assembly moved to amend BIPA to prevent the "stacking" of fines. On August 2, 2024, Senate Bill 2979 (SB 2979) was signed into law, effectively overturning the "per-scan" accrual method established in Cothron.
The amendment modified the language of Sections 15(b) and 15(d) to clarify that an entity that collects or transmits the same biometric identifier from the same person using the same method has committed, at most, a single violation. Under the revised law:
- An individual can recover statutory damages only once, regardless of how many hundreds or thousands of times their fingerprint or face was scanned by the same entity.
- Statutory damages remain at $1,000 for negligent violations and $5,000 for intentional or reckless violations.
- The amendment also expanded the definition of "written release" to include electronic signatures, modernizing the consent process.
While the amendment was a victory for employers, it left a massive question mark over the thousands of BIPA cases already working their way through the court system: Did the new "per-person" rule apply to lawsuits filed before August 2, 2024?

Judicial Confirmation of Retroactivity: Clay v. Union Pacific
The final piece of the current BIPA puzzle was placed on April 1, 2026, when the Seventh Circuit Court of Appeals issued its ruling in Clay v. Union Pacific. The defendant, a major railroad company, argued that the SB 2979 amendment should apply to the plaintiff’s pending claims, which originated before the amendment’s effective date.
The court engaged in a complex analysis of Illinois law regarding the retroactivity of statutes. Under the Landgraf framework used in Illinois, a court must determine if the legislature clearly indicated the temporal reach of a statute. If not, the court must determine if the amendment is "substantive" (creating new rights or obligations) or "procedural/remedial" (addressing the methods of enforcing those rights).
The Seventh Circuit concluded that the SB 2979 amendment was remedial and procedural in nature. It did not take away the underlying right of an individual to sue for privacy violations; rather, it clarified the mechanism for calculating the remedy. Consequently, the court ruled that the per-person damage cap applies retroactively to all pending cases that had not reached a final judgment by August 2, 2024.
This decision effectively defused the "ticking time bomb" of multi-billion dollar class-action settlements. For an employer with 1,000 employees, the maximum exposure for a negligent failure to obtain consent is now capped at $1 million (1,000 employees x $1,000), rather than the astronomical figures seen in the White Castle era.
Timeline of Key BIPA Milestones
- October 2008: BIPA is enacted by the Illinois General Assembly.
- January 2019: Rosenbach v. Six Flags establishes that no actual harm is required to sue.
- February 2023: Cothron v. White Castle rules that claims accrue per-scan, leading to massive potential liability.
- August 2, 2024: Governor signs SB 2979, amending BIPA to a per-person damages model.
- April 1, 2026: Clay v. Union Pacific confirms that the 2024 amendments apply retroactively to pending litigation.
Economic Implications and Industry Reactions
The shift from "per-scan" to "per-person" liability has fundamentally altered the economics of privacy litigation in Illinois. Before the amendment, BIPA was often criticized as a "shakedown" statute by business groups like the Illinois Manufacturers’ Association and the U.S. Chamber of Commerce. They argued that the threat of bankruptcy-inducing settlements forced companies to settle even meritless claims.
Data from the Illinois court system shows that following the Cothron decision in 2023, BIPA filings surged by nearly 40% in Cook County alone. However, since the passage of SB 2979 and the Clay decision, legal analysts expect a stabilization in the volume of filings. While class actions remain viable, the "lottery ticket" aspect of these lawsuits has been significantly diminished.
Privacy advocates, such as the ACLU of Illinois, have expressed more tempered views. While they acknowledge that "annihilative" damages might have been excessive, they argue that the per-person cap may reduce the incentive for large corporations to prioritize strict compliance. They maintain that the primary goal of BIPA—ensuring individuals have control over their biological data—remains as vital as ever in the age of AI and advanced surveillance.
Compliance Roadmap for Illinois Employers
Despite the reduction in potential damages, BIPA remains a "strict liability" minefield. A single $1,000 or $5,000 penalty multiplied by a large workforce still represents a significant financial and reputational risk. Legal experts recommend that all entities operating in Illinois perform a "biometric audit" consisting of the following steps:
- Inventory All Data Collection: Identify every point where biometric data is collected, including physical security scanners, time clocks, and software logins.
- Audit Third-Party Vendors: Many employers use third-party payroll or security providers. Under BIPA, the employer can be held liable for the vendor’s failure to provide notice or secure consent.
- Update Consent Forms: Ensure that consent is "informed." This means the form must explicitly state what is being collected, why, and for how long.
- Publish Retention Schedules: Companies often forget the requirement to have a publicly available retention policy. This is frequently a standalone ground for litigation.
- Establish Destruction Protocols: Create a verifiable process to destroy biometric data once the "initial purpose" for collection has been satisfied (e.g., when an employee leaves the company).
Conclusion: A New Era of Biometric Regulation
The Clay v. Union Pacific decision marks the end of the most volatile chapter in Illinois privacy law. By confirming that the 2024 legislative reforms apply retroactively, the Seventh Circuit has provided the business community with much-needed predictability. However, the core of BIPA remains intact. Illinois continues to have the most robust biometric protections in the country, and the requirement for "informed consent" is non-negotiable.
As other states—including Texas, Washington, and California—look to Illinois as a blueprint for their own biometric regulations, the lessons of the last decade are clear: procedural compliance is not a mere technicality. While the threat of "annihilative" damages has receded, the mandate for corporate transparency and individual digital autonomy is here to stay. Employers who fail to adapt to this "new normal" of privacy-first operations do so at their own peril, as even a "capped" penalty can lead to substantial losses in an increasingly regulated digital economy.
