Vault Door

BIPA Damages Limitation Applies Retroactively

By Scott Hall and Phillip Wiese

The Seventh Circuit recently confirmed that the 2024 amendment to the Illinois Biometric Information Privacy Act (“BIPA”) would apply retroactively, effectively limiting the available statutory damages under the statute. Going forward, damage awards under sections 15(b) or 15(d) will be limited for each plaintiff to “at most, one recovery” regardless of the number of violations, avoiding what at least one defendant described as “potentially crippling financial liability” for even simple BIPA violations.

BIPA Overview

BIPA prohibits companies from collecting, obtaining, or disclosing an individual’s biometric data, including biometric identifiers (e.g., eye or fingerprint scans, voice prints, face geometry, etc.) or biometric information (i.e., data derived from a biometric identifier) without first providing notice to and obtaining consent from the individual. Subsection 15(b) governs collection of biometric data and subsection 15(d) governs its disclosure. Plaintiffs could recover $1,000 for a negligent violation, or $5,000 for an intentional or reckless violation of the statute. Importantly, however, the law as originally written did not specify how to calculate damages or whether plaintiffs could recover for each time a company collected, obtained, or disclosed the biometric data. For example, BIPA was silent as to whether a plaintiff who clocked in using a fingerprint scanner twice a day for 30 days without providing consent could recover just once, up to $5,000, or for sixty separate violations, as much as $300,000. Plaintiffs have used this ambiguity to extract large settlements from companies.

In 2023, the Illinois Supreme Court confirmed that damages should be awarded on a “per-scan” basis.[1] In other words, each time a company collected, obtained, or disclosed an individual’s biometric data without consent, it could be liable for statutory damages. The Illinois Supreme Court also wrote, in dicta, that to the extent the decision would result in “excessive damage awards,” the Illinois legislature could amend the law.

The Illinois General Assembly took up the Supreme Court’s offer in 2024, amending the damages section of BIPA to clarify that each person could recover for “one recovery” under subsections (b) and (d) so long as the company used “the same method of collection” for each.[2] The legislature also confirmed the discretionary nature of any damages award by noting that an individual is entitled to “at most,” recovery based on a single violation.[3]

Retroactive Application of Amendment

After Cothron, the question remained as to whether the amendment would have retroactive effect. The Seventh Circuit recently held in the affirmative, that the damages cap would have retroactive effect.[4] The Seventh Circuit analyzed whether the amendment was substantive or procedural. Only procedural amendments could be retroactive under Illinois law.

The BIPA amendment was procedural because it involved the “rules that prescribe[d] the steps for having a right or duty judicially enforced.”[5] The text of the amendment and the Illinois Supreme Court’s discussion of Section 20 in Cothron indicated that it addressed the availability of damages, not proscribed conduct. Additionally, the amendment exclusively was contained in the damages section of BIPA, not in the liability section. Each of these points demonstrated that the amendment was remedial and therefore procedural, so it could have retroactive effect.

The appellees argued that the panel’s interpretation would wipe away millions of dollars of liability, and also that whether someone has been injured once or a thousand times is a matter of substance,[6] but the Court was not persuaded and pointed to language in Cothron noting that damages were discretionary, so plaintiffs were not guaranteed any specific recovery in the first place.[7]

Key Takeaways 

  • Going forward, there will be upper limits the amount of damages available to plaintiffs. Each plaintiff can seek up to $5,000 for violations of BIPA sections (b) or (d). No longer can a plaintiff seek damages for every BIPA violation over the course of multiple years, which may lower a company’s exposure exponentially.
  • Courts still have discretion over the amount of damages, up to the statutory maximum, or even whether to award damages at all.
  • Businesses that collect biometric data should continue to maintain a privacy policy that discloses the specific data collected and collect data only from those consumers who expressly consent.
  • The Texas biometric privacy law allows the Texas Attorney General to levy fines based on each individual violation, now putting that law at odds with BIPA. The Texas law does not have a private right of action.

The Coblentz Data Privacy & Cybersecurity team is experienced at litigating BIPA matters and can help you navigate the changing legal landscape. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

 

[1] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 927 (Ill. 2023).

[2] 740 ILCS 14/20(b), (c).

[3] Id.

[4] Clay v. Union Pacific Railroad Co., 2026 WL 891902 (7th Cir. Apr. 1, 2026).

[5] Id. at *3.

[6] Id. at *4

[7] Id. at *6.