July 12, 2026
illinois-court-rulings-and-legislative-amendments-reshape-the-landscape-of-biometric-privacy-liability-for-employers

The legal framework surrounding biometric data in Illinois has undergone a seismic shift following a series of high-stakes court battles and a pivotal legislative intervention. For nearly two decades, the Illinois Biometric Information Privacy Act (BIPA) has stood as one of the most stringent privacy laws in the United States, placing significant burdens on private entities that collect, store, or use biometric identifiers. However, recent developments, culminating in the Seventh Circuit Court of Appeals’ decision in Clay v. Union Pacific, have provided a measure of relief to employers facing potentially "annihilative" financial liabilities. By clarifying that legislative amendments limiting damages to a "per-person" rather than "per-scan" basis apply retroactively, the judiciary has fundamentally altered the risk profile for businesses operating within the state.

The Genesis of BIPA and the Protection of Biometric Identifiers

Enacted in 2008, the Illinois Biometric Information Privacy Act was a pioneering piece of legislation designed to address the unique risks associated with biometric data. Unlike social security numbers or credit card information, which can be changed if compromised, biometric identifiers—such as fingerprints, retina scans, voiceprints, and facial geometry—are biologically unique and immutable. If a person’s biometric data is leaked or stolen, the individual has no recourse to "reset" their identity, leading to a permanent risk of identity theft and unauthorized access.

Under BIPA, private entities are prohibited from collecting, capturing, or otherwise obtaining an individual’s biometric identifier or information unless they first:

  1. Inform the individual in writing that biometric data is being collected or stored.
  2. Inform the individual in writing of the specific purpose and length of term for which the data is being collected, stored, and used.
  3. Receive a written release executed by the subject of the biometric data.
  4. Provide a publicly available written policy establishing a retention schedule and guidelines for permanently destroying the data.

For years, many Illinois employers integrated biometric technology into their daily operations—using fingerprint scanners for time clocks or facial recognition for secure facility access—without fully realizing the stringent procedural requirements mandated by the 2008 law. This oversight created a massive legal vulnerability that began to materialize in 2019, when the Illinois Supreme Court ruled that individuals do not need to prove actual "harm" or "adverse effects" to sue for liquidated damages; a mere procedural violation of the act is sufficient to trigger a private right of action.

The Era of Annihilative Liability: Cothron v. White Castle

The financial stakes of BIPA compliance reached a boiling point with the 2023 Illinois Supreme Court decision in Cothron v. White Castle System, Inc. In this case, a class of employees alleged that the fast-food giant had required them to scan their fingerprints to access pay stubs and company computers without obtaining the necessary prior consent. White Castle argued that a BIPA violation occurs only the first time a fingerprint is scanned without consent. The plaintiffs, conversely, argued that every single scan—potentially multiple times per shift—constituted a separate violation.

The court sided with the plaintiffs, ruling that based on the plain language of the statute, a separate claim accrues each time a private entity scans or transmits an individual’s biometric data. The mathematical implications of this ruling were staggering. For an employee scanning their finger four times a day over several years, the potential statutory damages—$1,000 for each negligent violation or $5,000 for each intentional or reckless violation—could reach hundreds of thousands of dollars per person.

In the White Castle case, the potential liability was estimated at $17 billion for a class of approximately 9,500 employees. While the court acknowledged that this "annihilative liability" could bankrupt even large corporations, it maintained that it was the role of the legislature, not the judiciary, to fix the statute if the results were deemed too harsh. This decision prompted a wave of massive class-action settlements, including the eventual $9 million settlement in the White Castle case itself, as companies sought to avoid the risk of astronomical trial judgments.

Legislative Intervention: The Passage of SB 2979

Responding to the concerns raised by the business community and the "invitation" from the Illinois Supreme Court, the Illinois General Assembly moved to amend BIPA to prevent the "per-scan" compounding of damages. On August 2, 2024, Senate Bill 2979 was signed into law, introducing a critical limitation on how damages are calculated.

The amendment clarified that for purposes of statutory damages, an entity that collects or communicates the same biometric identifier from the same person using the same method in violation of the act has committed only a single violation. Effectively, this shifted the penalty structure from "per-violation" (per-scan) to "per-person." Under this new regime, if an employer fails to get consent from an employee who then scans their finger 1,000 times over a three-year period, the employer is liable for one instance of damages ($1,000 or $5,000) rather than 1,000 instances.

This amendment was hailed by industry groups as a necessary correction that preserved the privacy protections of the original act while removing the threat of corporate insolvency for technical paperwork errors. However, a significant question remained: did this amendment apply to the thousands of BIPA lawsuits already pending in the court system, or did it only apply to new violations occurring after August 2024?

The Question of Retroactivity: Clay v. Union Pacific

The resolution of the retroactivity question came in April 2026, when the Seventh Circuit Court of Appeals issued its ruling in Clay v. Union Pacific. The case involved a dispute over whether the per-person damage limitation should apply to claims that had accrued before the 2024 amendment was enacted.

Seventh Circuit Addresses Biometric Information Privacy Act (BIPA) Damage Accrual (US)

In a landmark decision, the court determined that SB 2979 was remedial and procedural in nature rather than a substantive change to the underlying law. Under Illinois legal principles, procedural or remedial changes to statutes are generally applied retroactively to pending cases. The court reasoned that the amendment did not take away a person’s right to sue or change what constitutes a violation; it merely clarified the method for calculating the remedy.

As a result of the Clay decision, employers currently embroiled in BIPA litigation can breathe a sigh of relief. Regardless of when the data collection began or how many thousands of scans were recorded, their maximum statutory liability is now capped at a single penalty per affected individual. This ruling is expected to lead to the swift resolution of many long-standing class actions and will likely decrease the settlement values that had previously been inflated by the threat of per-scan damages.

Chronology of Key BIPA Developments

  • 2008: The Illinois Biometric Information Privacy Act is signed into law, establishing strict notice and consent requirements.
  • 2019: The Illinois Supreme Court rules in Rosenbach v. Six Flags that plaintiffs do not need to prove actual injury to recover damages.
  • February 2023: The Illinois Supreme Court rules in Cothron v. White Castle that claims accrue with every individual scan, creating the risk of "annihilative liability."
  • August 2, 2024: SB 2979 becomes effective, amending BIPA to limit damages to a "per-person" basis.
  • April 1, 2026: The Seventh Circuit Court of Appeals rules in Clay v. Union Pacific that the SB 2979 amendment applies retroactively to all pending cases.

Current Compliance Obligations for Employers

While the threat of multi-billion dollar judgments has been mitigated, BIPA remains a potent tool for litigation, and the requirements for compliance are as strict as ever. A single negligent violation still carries a $1,000 penalty, which, when multiplied by a workforce of several thousand employees, can still result in multi-million dollar liabilities.

To navigate the current landscape, Illinois employers must adhere to the following protocols:

1. Formal Written Policies

Employers must maintain a publicly available written policy that outlines the retention schedule for biometric data and the guidelines for its permanent destruction. Data must generally be destroyed when the initial purpose for collecting it has been satisfied or within three years of the individual’s last interaction with the company, whichever occurs first.

2. Informed Written Consent

Before any biometric data is captured, the employer must provide a clear written notice to the employee or consumer. This notice must specify that biometric information is being collected, the purpose of the collection, and the duration of the storage. The individual must then sign a "written release" (which can be an electronic signature) authorizing the collection.

3. Third-Party Vendor Management

Many employers use third-party vendors for payroll or security systems that utilize biometrics. Under BIPA, the "disclosure" or "dissemination" of biometric data to these third parties also requires specific consent. Employers must ensure their contracts with vendors mandate BIPA compliance and that the vendors do not profit from the data.

4. Proactive Audits

Companies should conduct regular audits of their technology stacks to identify any "hidden" biometric collection. Modern software, ranging from video conferencing tools with "touch up" filters to advanced security cameras, may inadvertently collect data that falls under BIPA’s broad definitions.

Broader Implications and Industry Impact

The stabilization of BIPA through the 2024 amendment and the Clay decision has broader implications for the national privacy debate. Other states, including Texas and Washington, have enacted biometric privacy laws, but neither currently includes a private right of action as expansive as Illinois’. The "Illinois experiment" with per-scan damages served as a cautionary tale for legislators nationwide, leading many to favor "per-person" or "per-incident" damage models in emerging privacy frameworks like the California Consumer Privacy Act (CCPA).

For the insurance industry, these developments are particularly significant. The "annihilative" risk of BIPA had previously made it difficult or prohibitively expensive for Illinois companies to obtain Employment Practices Liability Insurance (EPLI) or Cyber Liability coverage. With the capping of damages, the insurance market is expected to stabilize, though premiums will likely remain higher for companies that utilize biometric technology.

Ultimately, the shift from "per-scan" to "per-person" liability represents a return to a more traditional understanding of statutory damages. While the Illinois General Assembly and the courts have protected businesses from existential financial threats, they have not weakened the core principle of the law: that biometric data belongs to the individual, and its collection requires transparency, consent, and a commitment to security. For Illinois employers, the message is clear—the "gold rush" of massive BIPA settlements may be slowing, but the era of biometric accountability is here to stay.