June 27, 2026
illinois-biometric-information-privacy-act-reform-gains-retroactive-power-following-landmark-seventh-circuit-ruling-in-clay-v-union-pacific

In a pivotal development for the Illinois business community and the national landscape of privacy litigation, the Seventh Circuit Court of Appeals has delivered a definitive ruling regarding the retroactive application of recent amendments to the Illinois Biometric Information Privacy Act (BIPA). The decision in Clay v. Union Pacific, handed down on April 1, 2026, confirms that the 2024 legislative reforms—which transitioned the calculation of statutory damages from a "per-scan" basis to a "per-person" basis—apply to all pending litigation. This ruling provides a massive sigh of relief for thousands of employers who had been facing potentially "annihilative" financial liabilities totaling billions of dollars.

The Illinois Biometric Information Privacy Act, originally enacted in 2008, was designed to protect the unique biological identifiers of individuals, such as fingerprints, retina scans, voiceprints, and facial geometry. Unlike passwords or social security numbers, biometric data cannot be changed if compromised, making its protection a matter of high public interest. However, for nearly two decades, the law’s stringent requirements and the subsequent judicial interpretations of its penalty structure created a volatile environment for any entity operating within the state.

The Evolution of BIPA and the Crisis of Annihilative Liability

To understand the weight of the Clay v. Union Pacific decision, one must look back at the trajectory of BIPA litigation over the last five years. While the law existed since 2008, it remained relatively dormant until the Illinois Supreme Court’s 2019 ruling in Rosenbach v. Six Flags Entertainment Corp. That decision established that a plaintiff does not need to prove an actual injury—such as identity theft or financial loss—to sue. The mere "technical" violation of the statute’s notice and consent requirements was sufficient to grant an individual a private right of action.

This opened the floodgates for class-action lawsuits. The situation reached a boiling point in 2023 with the case of Cothron v. White Castle System, Inc. In that instance, the Illinois Supreme Court ruled that a separate claim accrued under BIPA every single time a private entity scanned or transmitted an individual’s biometric data without meeting the statutory requirements. Under the original interpretation, a single employee scanning their thumbprint four times a day to clock in and out could generate 1,000 violations in a single work year. With statutory damages set at $1,000 for negligent violations and $5,000 for intentional or reckless ones, the potential liability for a mid-sized company was mathematically astronomical.

In the White Castle case, the court acknowledged that its ruling could lead to "annihilative liability" that could bankrupt even the largest corporations. However, the justices maintained that the plain language of the 2008 statute required such a result, and they pointedly invited the Illinois General Assembly to intervene and clarify the legislative intent regarding damages.

Legislative Intervention: The Passage of SB 2979

The Illinois General Assembly responded to the judicial invitation by passing Senate Bill 2979 (SB 2979). Signed into law and effective as of August 2, 2024, the amendment fundamentally altered the stakes of BIPA litigation. The core of the amendment stipulated that an entity that repeatedly collects or transmits the same biometric identifier from the same person in violation of the law has committed only a single violation.

This shift from "per-scan" to "per-person" damages effectively capped the potential exposure for employers. Instead of a single employee representing millions of dollars in potential damages over a multi-year period, that employee’s claim would now be capped at a single $1,000 or $5,000 penalty. While this was a victory for the defense bar, a massive question remained: did this new limit apply to the thousands of cases already winding their way through the court system, or only to new violations occurring after August 2024?

The 7th Circuit Weighs In: Clay v. Union Pacific

The uncertainty regarding the retroactivity of SB 2979 created a bifurcated legal environment where plaintiffs’ attorneys argued that the amendment was "substantive" and therefore only forward-looking, while defense attorneys argued it was "procedural" or "remedial" and should apply to all current cases.

In Clay v. Union Pacific, the Seventh Circuit Court of Appeals sided firmly with the latter. The court determined that the amendment was remedial in nature because it addressed the unintended consequences of the original statute’s language as interpreted by the courts. By classifying the amendment as procedural regarding the calculation of damages rather than a change in the underlying legality of the conduct, the court cleared the way for its retroactive application.

Seventh Circuit Addresses Biometric Information Privacy Act (BIPA) Damage Accrual (US)

The court noted that the 2024 amendment did not take away a vested right but rather clarified the remedy available for a statutory violation. Consequently, any BIPA lawsuit that was pending on August 2, 2024, is now subject to the per-person damage cap. This decision effectively defangs many of the largest pending class actions that were seeking settlements in the hundreds of millions.

Chronology of Key BIPA Milestones

The legal journey of biometric privacy in Illinois can be summarized through several transformative moments:

  • October 2008: BIPA is enacted, requiring written notice, a public retention schedule, and written consent before collecting biometric data.
  • January 2019: The Illinois Supreme Court rules in Rosenbach v. Six Flags that "aggrieved" persons do not need to show actual harm to sue.
  • February 2023: The court rules in Cothron v. White Castle that claims accrue on a per-scan basis, creating the risk of multi-billion dollar judgments.
  • August 2, 2024: Governor J.B. Pritzker signs SB 2979, amending BIPA to limit damages to a per-person basis.
  • April 1, 2026: The Seventh Circuit in Clay v. Union Pacific confirms the 2024 amendments apply retroactively to all pending cases.

Impact Analysis: A New Reality for Employers

While the Clay decision significantly reduces the "bet-the-company" nature of BIPA litigation, it does not render the law toothless. Employers must still navigate a complex set of requirements to remain compliant. The financial impact of a class action involving thousands of employees, even at $1,000 per person, remains a multi-million dollar risk.

For example, a company with 5,000 employees that failed to obtain proper written consent would still face a baseline statutory damage claim of $5 million. While this is a far cry from the hundreds of millions possible under the "per-scan" model, it remains a significant enough penalty to incentivize strict compliance and fuel a continued, albeit smaller, wave of litigation.

Furthermore, the "per-person" cap only applies if the same biometric identifier is collected repeatedly. If a company collects multiple different types of biometric data—such as a fingerprint for a time clock and facial recognition for building security—without consent, they could potentially face multiple per-person penalties for the distinct categories of data.

Reactions from the Legal and Business Communities

Legal analysts suggest that the Seventh Circuit’s ruling will likely lead to a surge in settlements for pending cases, as plaintiffs’ attorneys recalibrate their expectations. "The era of the ‘lottery ticket’ BIPA settlement is largely over," said one Chicago-based employment defense attorney. "We are moving into a phase where the damages are more proportional to the technical nature of the violation, which is what the legislature originally intended."

Privacy advocates, however, expressed concern that the reduction in penalties might weaken the deterrent effect of the law. Groups like the American Civil Liberties Union (ACLU) have historically argued that strong financial penalties are the only way to ensure that large corporations take data privacy seriously. They argue that for massive tech firms, a $1,000-per-person fine might simply be viewed as a "cost of doing business."

Compliance Requirements Moving Forward

In light of the Clay v. Union Pacific ruling, Illinois employers are advised to conduct a thorough audit of their biometric data practices. To avoid liability, an entity must:

  1. Develop a Written Policy: Establish a publicly available written policy that includes a retention schedule and guidelines for permanently destroying biometric identifiers.
  2. Provide Informed Notice: Inform the subject in writing that biometric data is being collected or stored, the specific purpose for doing so, and the length of time it will be kept.
  3. Secure Written Consent: Obtain a "written release" or consent from the individual before any data is captured.
  4. Prohibit Profiling and Sale: Ensure that biometric data is never sold, leased, or traded for profit.

The retroactive protection provided by the Seventh Circuit offers a reprieve for past mistakes, but it does not grant immunity for future negligence. As biometric technology becomes more integrated into the modern workplace—from AI-driven sentiment analysis in video calls to advanced security protocols—the scope of BIPA continues to expand. The Clay v. Union Pacific decision marks the end of an era of "annihilative" uncertainty, but the era of biometric privacy regulation is only just beginning.

Tags:

Related News

detroit-club-hit-with-nearly-6-3m-in-race-retaliation-verdict

Detroit Club Hit With Nearly $6.3M In Race Retaliation Verdict

June 26, 2026 0
the-data-use-and-access-act-2025-and-the-new-statutory-framework-for-data-protection-complaints-in-the-united-kingdom

The Data Use and Access Act 2025 and the New Statutory Framework for Data Protection Complaints in the United Kingdom

June 26, 2026 0

You may have missed

everything-you-wanted-to-know-about-immersive-gamified-learning

Everything You Wanted To Know About Immersive, Gamified Learning

June 27, 2026 0
the-top-employee-recognition-platforms-for-2026-driving-engagement-and-retention-in-the-modern-workplace

The Top Employee Recognition Platforms for 2026: Driving Engagement and Retention in the Modern Workplace

June 27, 2026 0
metas-ai-talent-strategy-prioritizing-density-over-headcount-for-competitive-advantage

Meta’s AI Talent Strategy: Prioritizing Density Over Headcount for Competitive Advantage

June 27, 2026 0
navigating-the-ai-revolution-avoiding-the-pitfalls-of-bottom-up-and-top-down-implementation

Navigating the AI Revolution: Avoiding the Pitfalls of Bottom-Up and Top-Down Implementation

June 27, 2026 0
navigating-the-mid-market-hiring-hurdle-ai-interviewers-emerge-as-a-critical-solution-for-organizations-facing-volume-strain

Navigating the Mid-Market Hiring Hurdle: AI Interviewers Emerge as a Critical Solution for Organizations Facing Volume Strain

June 27, 2026 0
cisco-systems-initiates-significant-workforce-reduction-with-471-jobs-cut-across-california-campuses

Cisco Systems Initiates Significant Workforce Reduction with 471 Jobs Cut Across California Campuses

June 27, 2026 0