Many employers collect biometric data like retina or iris scans, voiceprints, hand scans, fingerprints, facial scans and DNA from their employees to track working hours, allow employee admittance to secure areas or provide access to pay stubs, among other reasons. The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 to regulate and safeguard how private entities in Illinois handle biometric information, and imposes notice and consent requirements for the collection and storage of such data.

Since 2019, if a covered employer mishandles an individual’s data, BIPA grants the individual a private right of action to sue the company. Importantly, the individual does not need to prove actual financial or physical harm to sue under BIPA. This serves as an important reminder to Illinois employers of their obligations when collecting biometric data from any individual, including potential or current employees. These include:

  • Written Informed Consent: Companies must inform individuals in writing about the collection, purpose and duration of the biometric data storage, and must obtain a signed written release.
  • Prohibition on Selling or Profiting: Companies may not sell, lease or profit in any way from an individual’s biometric data.
  • Data Policies: Companies must develop and publish a written policy regarding retention and data destruction. This policy must be publicly available.

BIPA violations carry steep penalties. Individuals may recover up to $1,000 per negligent violation and up to $5,000 per intentional or reckless violation. For many years, courts counted each individual biometric scan as a separate BIPA violation, leading to very substantial aggregate penalties. For example, in Cothron v. White Castle System, Inc., a class of employees alleged that they scanned their fingerprints to access pay stubs and computers. White Castle used a third-party vendor to verify each scan and authorize the employee’s access. White Castle did not seek the plaintiff’s consent to acquire her fingerprint until 2018, 14 years after her employment with the company commenced. In 2023, despite recognizing the risk of “annihilative liability” resulting from its analysis, the Illinois Supreme Court ruled that, based on the plain language of the statute, a separate claim accrues under BIPA each time a private entity scans or transmits an individual’s biometric data, which contributed to the parties settling the class action for more than $9 million. Nonetheless, the court encouraged the state legislature to revisit the statute in light of the result.

The Illinois General Assembly took notice of these massive penalties and passed an amendment (SB 2979), effective August 2, 2024, under which potential damages accrue per person rather than per violation. In other words, if a company repeatedly violates BIPA collection requirements with respect to the same person, it constitutes only a single violation for purposes of calculating statutory damages. In a welcome relief to employers, the Seventh Circuit Court of Appeals decided on April 1, 2026 that the per-person damage accrual amendment was remedial and procedural, rather than substantive, and it therefore applies retroactively to any cases that were pending on August 2, 2024 when the amendment came into effect (Clay v. Union Pacific). Thus, regardless of when a BIPA claim accrued or how many times data was wrongfully collected or stored, an employer may be liable only for a single per-person penalty.

Although the BIPA amendment and Clay decision are good news for employers, Illinois employers should nonetheless continue to scrutinize their biometric data collection procedures and ensure they are obtaining advance written informed consent, outlining the purpose of collecting the data and explaining to employees and consumers the duration of data storage before they obtain any biometric data. Even if damages are calculated on a per-person rather than per-violation basis, the consequences for BIPA missteps on an aggregate basis would nonetheless be substantial.