A Federal Court Just Changed the Rules on Illinois Biometric Privacy Claims
Mason & Perry LLP | June 8, 2026
Every morning, millions of workers clock in using a fingerprint scanner or a facial recognition camera. Most of them never signed a form explaining what happened to that data, who stored it, how long it was kept, or whether it was shared with third parties. Under Illinois law, that silence is illegal — and for years, it has been extremely expensive for employers caught ignoring the rules. But on April 1, 2026, a federal appeals court issued a ruling that significantly changes what those claims are worth. If you are one of the workers affected, you need to understand what just happened.
What Illinois Law Requires
The Illinois Biometric Information Privacy Act, enacted in 2008, is the most powerful biometric privacy statute in the United States. Before any company can collect a fingerprint, retinal scan, facial geometry, or voiceprint, it must: provide written notice that it is collecting the data; explain the specific purpose and the length of time the data will be retained; and obtain a written release from the individual. Companies are also prohibited from selling, trading, or otherwise profiting from biometric data, and must protect it with reasonable security measures.
The statute’s teeth come from its private right of action. Unlike most privacy laws, BIPA allows individuals — not just regulators — to sue when their biometric data is collected without compliance. The damages are statutory: $1,000 per negligent violation and $5,000 per intentional or reckless one. No proof of identity theft or financial harm is required.
How the Numbers Used to Work
For years, the central question in BIPA litigation was whether those per-violation damages applied every single time a biometric scan occurred — or just once per person, regardless of how many times they were scanned. In 2023, the Illinois Supreme Court answered that question in Cothron v. White Castle: each individual scan was its own violation. A worker who clocked in and out with a fingerprint scanner twice a day for two years had potentially accumulated over 1,000 separate BIPA violations. At $5,000 each, that worker’s claims could be worth millions — and the class action exposure for a large employer could run into the billions.
The White Castle decision sent shockwaves through Illinois courts and corporate boardrooms alike. Employers scrambled to retroactively obtain consents, revise timekeeping systems, and settle pending cases before juries could apply the per-scan math.
The 2024 Amendment — and the April 2026 Court Decision
The Illinois legislature responded in August 2024 by amending BIPA. The amendment stated that collecting the same person’s biometric data using the same method counts as a single violation — not one per scan. The maximum recovery is now $5,000 per person, regardless of how many times they were scanned.
The immediate question was whether this change applied to lawsuits that were already pending when the amendment passed. On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit answered: yes. In Clay v. Union Pacific Railroad Company, the court held that the 2024 amendment applies retroactively. Because the amendment was “remedial” in nature — focused on the available remedy rather than the underlying right — it reaches back to cases filed before it was enacted.
The practical impact is dramatic. A worker who was scanned 1,500 times now has a claim worth a maximum of $5,000, not $7.5 million.
What This Means for Workers
The retroactivity ruling is a significant loss for some plaintiffs whose cases were pending with per-scan valuations. But it does not eliminate BIPA claims. Several important points remain.
First, the right to sue still exists. If your employer collected your fingerprint or face scan without written notice and consent, that is still a BIPA violation. The $5,000 cap per person is meaningful relief — particularly in class actions, where large numbers of affected workers can still generate substantial total settlements.
Second, not every theory of recovery was addressed by the amendment. BIPA also prohibits the sale or disclosure of biometric data to third parties. Claims based on those provisions are governed by different rules and may not be affected by the per-scan limitation in the same way.
Third, BIPA is not the only law in play. Texas, Washington, and several other states have enacted their own biometric privacy statutes. The Seventh Circuit’s ruling applies to Illinois law — it has no direct effect on claims brought under other states’ frameworks, some of which have their own per-violation structures.
Fourth, the amendment was not a pardon. Employers who have already settled BIPA cases or paid judgments based on per-scan calculations do not get refunds. And employers who are collecting biometric data today without compliance are still violating BIPA — the only change is how damages are calculated.
What You Can Do
Find out if your employer collected your biometric data. If you used a fingerprint scanner, a facial recognition camera, or any device that identified you by a physical characteristic, your employer was likely collecting biometric data within the meaning of BIPA.
Ask whether you received a written disclosure and signed a consent form. Many employers, particularly smaller businesses and franchise operations, never implemented compliant BIPA policies. If you clocked in with your fingerprint and never signed anything, that is worth investigating.
Act before your claim expires. BIPA has a five-year statute of limitations. If your employer’s non-compliant biometric collection happened more than five years ago, your window may have closed. If it happened more recently, it has not.
Understand that damages are lower but claims are still viable. The April 2026 ruling changed the math. It did not eliminate the law. Class actions under BIPA continue to be filed and settled, and workers who were never given the disclosures the law requires retain meaningful rights.
Mason & Perry LLP represents individuals and groups in privacy and consumer-protection class action litigation, including claims under the Illinois Biometric Information Privacy Act. If you believe your biometric data was collected without proper consent, contact us to discuss your options.