04.17.26 Update: Since the publication of this post, the U.S. Court of Appeals for the Seventh Circuit has addressed a key open question surrounding the 2024 amendment to the Illinois Biometric Information Privacy Act (BIPA): whether the amendment applies retroactively to cases that were already pending when the legislation was enacted. In a consolidated appeal, the Seventh Circuit held that the amendment does apply retroactively, significantly clarifying the damages landscape for existing BIPA litigation.

As discussed in our original post below, the Illinois General Assembly enacted SB 2979 in August 2024 in response to concerns about the potentially enormous damages exposure created by prior interpretations of BIPA. Those concerns were heightened by the Illinois Supreme Court's decision in Cothron v. White Castle Systems, Inc., which held that a separate violation could accrue each time biometric data was collected or disclosed without the required notice and consent. Because BIPA authorizes statutory damages of $1,000 per negligent violation and $5,000 per reckless or intentional violation, the Cothron decision created the potential for statutory damages to multiply dramatically in situations involving routine biometric uses such as employee timekeeping systems.

The 2024 amendment addressed this issue by clarifying that when the same biometric identifier or biometric information of one individual is repeatedly collected or disclosed by the same defendant using the same method, those actions constitute a single violation for purposes of calculating statutory damages. In its recent decision, the Seventh Circuit concluded that the amendment should be applied retroactively because it represents a remedial change to the statute rather than a modification of substantive rights. Under Illinois law, amendments that address procedural or remedial aspects of a statute are generally applied to pending cases unless the legislature clearly provides otherwise.

This ruling has important implications for both single-plaintiff cases and class actions that were filed after Cothron but before the 2024 amendment. During that period, many complaints alleged extremely large damages based on the theory that each individual biometric scan or disclosure constituted a separate violation. The Seventh Circuit's decision forecloses that approach by confirming that plaintiffs may recover at most one statutory damages award per person for repeated collections or disclosures involving the same biometric data and method. The Seventh Circuit also emphasized that BIPA's damages provision gives courts discretion in awarding statutory damages and that it would not be appropriate to award the maximum amount in every case.

Although the amendment substantially reduces potential damages by eliminating per-scan multipliers, statutory damages of up to $1,000-$5,000 per individual can still produce significant exposure in cases involving large classes. As a result, BIPA litigation may continue to focus on class actions where the aggregation of many individual claims remains capable of producing substantial potential damages.

The Seventh Circuit's decision provides significant guidance for federal courts applying Illinois law; however, the issue could ultimately be revisited by Illinois state courts. Because the retroactivity question arises from interpretation of Illinois law, the Illinois Supreme Court would have the final word if the issue were presented in a state-court case. For now, however, the Seventh Circuit's ruling provides important clarity for the many BIPA actions currently pending in federal court.

While companies using biometric technologies must still comply with BIPA's notice, consent, and retention policy requirements, the combination of legislative and judicial developments has significantly reduced the risk of the "per-scan" damages theories that once threatened "ruinous" statutory damage awards.

The original post appears below.


 

Illinois Revises Biometrics Law To Reduce the Prospect of "Ruinous" Damage Awards

BIPA amendment will treat repeated collection of the same biometric information as a single violation, significantly limiting potential damages

Originally posted 08.15.24

In a major change to a law that produced extraordinarily high damages claims and settlements, the Illinois General Assembly amended the Biometric Information Privacy Act (BIPA) to substantially reduce potential liability for defendants. SB 2979, which was signed into law by Governor J.B. Pritzker on August 2, 2024, and is effective immediately, provides that a private entity that collects or discloses "the same biometric identifier or biometric information from the same person using the same method of collection" in violation of BIPA has only committed a single violation for which the aggrieved person is entitled to, at most, a single damage recovery.

Until now, courts awarded BIPA damages on a per individual, per instance basis for every violation, which led to astronomical damage calculations for businesses that violate the law over time. For example, a business using a biometric timekeeping system that collected and used fingerprint scans to clock employees in and out of work each day for years might be faced with damages for tens of thousands of "violations."

The new amendment reverses course from awards of potentially "ruinous" damages that were initially recoverable for violations of BIPA.[1] The amendment also clarifies that consent may be captured via an electronic signature, which is now a defined term under BIPA. Our previous posts on BIPA provide additional context and background.

BIPA Structure and Private Right of Action

Under BIPA, no private entity may "collect, capture, purchase, receive through trade, or otherwise obtain" a person's or a customer's biometric identifier[2] or biometric information,[3] unless it (1) provides notice that a biometric identifier or biometric information is being collected or stored; (2) states the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) obtains a written release (i.e., "consent") from the data subject.[4] Similarly, no private entity in possession of biometrics may "disclose, redisclose, or otherwise disseminate" biometric data unless similar conditions are met. Finally, any entity in possession of biometric data must "develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information" under specified conditions.

The main source of risk under BIPA is that it provides a private right of action to any person aggrieved by a violation. Prior to the amendment, the failure to develop a compliant policy, each and every collection of biometrics (perhaps even multiple collections in one day), and each and every disclosure (also possibly multiple disclosures in one day) could subject an entity to an award of actual or liquidated damages, whichever is greater, of up to $1,000 for each violation, or up to $5,000 for each intentional or reckless violation, as well as attorney's fees or other relief (such as an injunction). Illinois is the only state that authorizes a private right of action with statutory damages for collection or disclosure of biometric information without valid written consent, which attracted substantial litigation to the state.

Adding to the peril, an Illinois Supreme Court ruling in 2019 held that individuals were "aggrieved" and had standing to sue for damages under BIPA without any "actual injury or adverse effect, beyond violation of his or her rights under the Act."[5]

Concerns Over Undue Financial Burden on Businesses

Two noteworthy cases, Rogers v. BNSF Railway Co. and Cothron v. White Castle Sys. Inc., demonstrate the risks of multipliers to these damage awards that businesses previously faced under BIPA in class actions.

In Rogers, BNSF engaged a vendor to install and manage gate control systems that allowed automated entry after scanning a driver's fingerprints and comparing them to the registered drivers' fingerprints in the database maintained by BNSF's security vendor. However, the system registration process did not provide notice of the purpose for which the fingerprint data was being kept, require written consent from the drivers, or inform the drivers where and for how long their fingerprint data would be stored.

The jury found that BNSF violated BIPA 45,600 times and that it did so intentionally or recklessly. Based on this jury finding, the judge multiplied the number of violations by $5,000 for each intentional or reckless violation and entered a $228 million judgment against BNSF. Both parties filed post-trial motions to alter or amend the judgment or for a new trial.

While the post-trial motions were pending, the Illinois Supreme Court rendered its decision in Cothron v. White Castle Systems, which resolved a certified question from the 7th Circuit specifically asking the Illinois Supreme Court to determine whether claims under BIPA "accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]" The court resolved the certified question finding that a party violates Section 15(b) of BIPA each time it collects, captures, or otherwise obtains a person's biometric information without prior informed consent.

In dicta in the opinion, the court also stated that the plain language in BIPA's Section 20 that a party "may recover" damages for each violation meant that damages are not mandatory and do not require a calculation of the total number of violations times the amount of liquidated damages in all cases, but that damage calculations are instead left to the discretion of the jury.

Three justices (including the chief justice) dissented and noted that potentially "punitive, crippling … ruinous liability" was being imposed on businesses under BIPA and that the decision "will lead to consequences that the legislature could not have intended." The dissenters agreed with White Castle that a violation of the prohibition on collecting biometrics "occurred, if at all, the first time that her biometrics were collected by White Castle without her consent, not each subsequent time that her finger was rescanned," and that "subsequent scans did not collect any new information from plaintiff, and she suffered no additional loss of control over her biometric information."

White Castle argued potential damages may be as high as $17 billion if left unchecked, but the court dismissed those arguments as a matter best addressed by the Legislature. The dissenters opined that "for businesses facing this draconian exposure, it is cold comfort that this job destroying liability only 'may' be imposed—if the actual amount depends on the decisions of individual trial judges applying their own standards, formulated without any guidance from this court or the legislature."

Citing Cothron, the Rogers court then partially reversed course by granting a new trial because it found that BNSF was entitled to have a jury determine the appropriate amount of damages. After that ruling, BNSF ultimately agreed to pay $75 million to settle the case. The parties in Cothron also reached a settlement of $968 per class member, or roughly $10 million overall, a far cry from the $17 billion in damages White Castle could have faced, but still substantial.

Impact of the Amendment and Next Steps for Businesses Subject to BIPA

Under the new SB 2979 amendment, BIPA now limits damage calculations to one violation per individual for the repeated collections or disclosures involving the same individuals or entities, no matter how many times a person's biometric data was collected or disclosed to the same entity. This change validates the dissenting justices' opinion that the Legislature intended BIPA damage awards to be discretionary and based on a single violation per person (rather than per instance of data collection) and did not want to impose punitive liability on businesses, which may have stymied innovation and technology investment within the state if left unchecked.

The amendment is not expressly retroactive, so it remains to be seen how the plaintiffs' bar will litigate BIPA claims that involve collection or disclosure of biometrics that occurred before the amendment. The Cothron[6] decision after remand suggests that the discretionary aspect of damage awards could lessen the specter of ruinous liability regardless of when the BIPA violations may have occurred. Going forward, while the amendments limit violations to one per individual, the potential for damages of $1,000-$5,000 per individual may still prove costly.

Businesses seeking to implement biometric technologies should continue to review their practices to ensure that they provide adequate notice to subjects of biometric information collection and that they collect written consent that complies with requirements of the law.

We will continue to monitor BIPA-related cases and amendments. If you have questions or need additional assistance, please contact the authors or the DWT attorney with whom you normally work.



[2] "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The definition excludes a myriad of items, including photographs, physical descriptions, and certain biological or health-care related data. See 740 ILCS 14/10. 

[3] "Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. See 740 ILCS 14/10. But see, DWT advisory noting that even though photographs are excluded, so that data derived from photographs would be excluded as well, photographs may indeed be covered if they are used to scan face geometry.

[4] See 740 ILCS 14/15(b).