In brief
For nearly a decade, the Illinois Biometric Information Privacy Act (BIPA) has served as both a compliance warning and a litigation accelerant. The Seventh Circuit’s recent decision holding that a 2024 amendment to BIPA applies retroactively to limit damages has now reset the playing field — again — forcing plaintiffs, defendants, and insurers to rethink exposure, strategy, and settlement posture in real time.
A brief history of BIPA’s rise
BIPA was enacted in 2008, long before biometric authentication became a default feature of everyday commerce and employment. Its core idea was straightforward: companies that collect biometric identifiers such as fingerprints or facial geometry must provide notice, obtain informed consent, and safeguard the data. But what made BIPA distinctive — and later explosive — was its private right of action coupled with statutory damages.
For years, BIPA litigation simmered. That changed dramatically with the Illinois Supreme Court’s decision in Cothron v. White Castle System, Inc., which held that a separate BIPA claim accrues with each biometric scan or transmission. While the Court openly acknowledged that its interpretation could lead to “astronomical” damages, it emphasized that courts must enforce the statute as written and left any recalibration to the General Assembly.
That recalibration came in August 2024, when the legislature amended Section 20 of BIPA to clarify that multiple collections or disclosures of the same biometric identifier using the same method constitute a single violation — and therefore permit only one recovery. What the legislature did not do, however, was include an express retroactivity provision. That silence set off the next wave of litigation.
The Seventh Circuit speaks: Section 20 applies retroactively
In Clay v. Union Pacific Railroad Co., the Seventh Circuit resolved a split among Illinois federal courts by holding that the Section 20 amendment applies retroactively to pending cases. The panel characterized the amendment as remedial rather than substantive, emphasizing that it did not alter the conduct required by BIPA or redefine what constitutes a violation under Section 15. Instead, it limited the amount of damages recoverable for conduct that was already regulated. Critically, the court also distinguished Cothron, explaining that its “per scan” reading was tied to statute-of-limitations accrual, not the meaning of “violation” for damages purposes. On that view, the amendment did not strip plaintiffs of vested rights but merely adjusted the remedy available — placing it squarely within the category of procedural changes that Illinois law treats as retroactive.
Practical litigation consequences: What changes immediately
The immediate practical effect of the decision is to compress theoretical exposure. Where a single employee’s biometric timeclock use once presented six- or even seven-figure damages risk, exposure is now far more finite and predictable.
Defendants should promptly revisit damages analyses in all pending BIPA matters. Legacy exposure models based on per-scan multipliers are now obsolete in federal court and increasingly difficult to defend in state court. Settlement positions should be reset accordingly, particularly in cases negotiated under the shadow of Cothron.
Lower aggregate exposure does not eliminate litigation risk, but it changes leverage. Plaintiffs will need to reassess case valuation and class strategy, while defendants can press for resolution grounded in a more defensible damages framework.
Compliance and mitigation: Why this is not a green light
The decision does not weaken BIPA’s substantive obligations. Notice, consent, and data-retention requirements remain fully enforceable. Companies should resist any temptation to treat the damages amendment as a compliance reprieve.
Prudent mitigation steps include auditing biometric practices, confirming that written policies and consent forms remain compliant, and documenting compliance wherever possible. Companies should also re-examine vendor relationships and data flows, particularly where third parties collect or process biometric data.
The next chapter: Illinois Supreme Court review
Although the Seventh Circuit’s reasoning is thorough, it is not the final word on Illinois law. Given the volume of pending BIPA cases and the stakes involved, the Illinois Supreme Court may be asked to decide whether Section 20 applies retroactively.
When it does, the Court will weigh legislative intent, reliance interests, and the systemic consequences of reinstating per-scan damages. The Court’s prior acknowledgment in Cothron of potentially ruinous outcomes suggests an awareness that BIPA’s remedial scheme must remain tethered to proportionality. Whether that concern carries the day remains to be seen.
Where this leaves litigants now
The history of BIPA reflects a continuing dialogue among courts, the legislature, and the business community. The Seventh Circuit’s decision brings welcome clarity but not closure.
For defendants, this is an opportunity to recalibrate litigation and settlement strategy based on a dramatically altered damages landscape. For plaintiffs, it is a reminder that statutory remedies are not immutable. And for businesses operating in Illinois, the message remains clear: biometric data is treated as uniquely sensitive, and compliance failures will continue to be litigated aggressively, even as the outer limits of liability come back into focus.