Biometric technologies—such as fingerprint scanners, facial recognition systems, and retina scans—are now commonplace in modern business operations.
From employee timekeeping systems to facility security and customer-facing applications, these tools offer efficiency and convenience for many businesses. But these same conveniences have sparked backlash in the form of privacy litigation. In Illinois especially, companies are facing a surge of class-action lawsuits under the state’s Biometric Information Privacy Act (“BIPA”), a pioneering law that imposes strict requirements on the use of biometric data and hefty penalties for companies failing to adhere to the law. This trend is not confined to Illinois: a growing patchwork of similar laws in other states means that using biometrics without proper safeguards can expose companies nationwide to significant statutory damages and legal risks.
Illinois BIPA: A Trailblazer with Teeth
Illinois’ BIPA, enacted in 2008, was the first U.S. law to regulate private-sector use of biometric identifiers. BIPA requires companies to inform individuals in writing and obtain their written consent before collecting or storing their biometric data, among other obligations like data retention policies and security standards. Crucially, BIPA also provides a private right of action; individuals can sue for violations and recover $1,000 in liquidated damages per negligent violation, or $5,000 per intentional/reckless violation.
For nearly a decade after BIPA’s passage, litigation was sparse. That changed dramatically in 2019 when the Illinois Supreme Court decided Rosenbach v. Six Flags, holding that a person is “aggrieved” under BIPA and can sue without needing to prove any actual injury. In other words, companies can be liable for mere technical violations (such as failing to get written consent or to post a retention policy) even if no identity theft or other harm occurred. Since Rosenbach, more than 1,500 BIPA lawsuits have been filed in Illinois state and federal courts, transforming BIPA into a potent tool for class action attorneys.
A Wave of Class Actions and Soaring Damages
No-Injury Lawsuits Lead to Big Payouts
Once courts confirmed that no actual harm is required to sue under BIPA, class action filings surged. Companies large and small have been hit with lawsuits alleging they collected or used biometrics without following BIPA’s procedures. Many of these cases have resulted in massive settlements. In a landmark 2020 settlement, Facebook paid $650 million to resolve a BIPA class action alleging its facial-recognition photo tagging feature scanned Illinois users’ faces without consent. In 2021, the parent company of TikTok agreed to a $92 million settlement to end litigation over alleged unlawful collection of face and voice data through the TikTok app.[1] In 2022, Google settled an Illinois class action for $100 million over its Google Photos tool, which had used face-recognition to group similar faces without the explicit consent required by BIPA.
Employers in the Crosshairs
It’s not just tech giants facing scrutiny—routine workplace practices have also triggered a wave of BIPA class actions. A striking example was a case against the sandwich chain Pret A Manger, where the company’s fingerprint-based timeclock system for employees allegedly failed to meet BIPA’s notice and consent requirements. Pret A Manger settled the case for $677,000 to compensate about 800 workers. And Pret is far from alone. Employers across Illinois—from hospitals to trucking and logistics companies—have faced similar class actions for using biometric timeclocks or access control systems without implementing BIPA-compliant policies and procedures. In fact, collecting employee fingerprints for timekeeping has become one of the most common BIPA pitfalls for businesses.
“Per Scan” Violations Multiply Exposure
The cost of BIPA non-compliance became truly eye-popping after courts clarified that each instance of biometric collection or use can count as a separate violation. In early 2023, the Illinois Supreme Court held in Cothron v. White Castle that every time the fast-food chain scanned an employee’s fingerprint (to clock in or access pay stubs), it counted as a new violation of BIPA. White Castle warned the court that under this interpretation, it faced an astronomical $17 billion in liability for about 9,500 employees’ repeated fingerprint scans. Similarly, in the first BIPA jury trial, a class of truck drivers prevailed against BNSF Railway by proving that the company had “recklessly or intentionally” violated the statute 45,600 times by requiring fingerprint scans for yard access—exposing BNSF to $228 million in damages at the statutory rate of $5,000 per violation. Although the jury initially awarded the full amount, the court later ordered a new trial on damages, emphasizing that BIPA’s statutory damages are discretionary and not automatically awarded in full.
Recent Developments: Courts and Legislature Respond
Several recent rulings have further defined, and in some cases tempered, the scope of BIPA litigation. In 2022 and 2023, the Illinois Supreme Court issued a series of decisions addressing defenses and damages under BIPA. In Tims v. Black Horse Carriers (2023), the court held that a five-year statute of limitations applies to all BIPA claims.[2] In McDonald v. Symphony Bronze (2022), the court ruled that BIPA claims by employees are not barred by workers’ compensation exclusivity, meaning an employee can sue under BIPA even if the issue arose at work. And in another ruling, this time a win for businesses, the Illinois Supreme Court affirmed the appellate court’s decision in Walton v. Roosevelt University, holding that BIPA claims by unionized employees are preempted by the Labor Management Relations Act, 1947 (“LMRA”) where the biometric data was subject to collective bargaining. This “union preemption” defense has led to the dismissal of some BIPA suits involving unionized workplaces.
Perhaps most significantly, Illinois lawmakers stepped in to recalibrate BIPA’s exposure. In August 2024, Illinois amended BIPA to limit damages in the most common type of claim. For violations of the notice-and-consent requirement and the data disclosure requirement, a defendant is now liable for only one violation per person, no matter how many times that person’s data was collected or disclosed. In effect, this caps the statutory damages at $5,000 per person for such claims, rather than $5,000 per scan. The amendment (Public Act 103-0769) took effect immediately in 2024 and by its terms applies retroactively, though plaintiffs’ attorneys are likely to contest retroactive application in pending cases. Importantly, this change reduces the devastating exposure of BIPA suits, but a company can still face $1,000 or $5,000 in damages per person, and potentially per BIPA provision violated. Therefore, for a class of thousands of people, BIPA class actions remain a serious financial threat.
Beyond Illinois: Other States Jump on the Biometric Bandwagon
Other states are increasingly enacting laws to regulate biometric data. However, the scope and enforcement mechanisms of these laws vary, and none (so far) has unleashed litigation quite like Illinois’ BIPA. Key developments include:
- Texas and Washington: Texas (2009) and Washington (2017) both passed biometric privacy statutes shortly after Illinois. Texas’s Capture or Use of Biometric Identifier Act (“CUBI”) requires notice and consent to collect biometrics and requires companies to protect the data and destroy it within a reasonable time. Washington’s law similarly forbids enrolling biometric identifiers for a commercial purpose without notice and consent or a mechanism to prevent unauthorized use. Enforcement in both states, however, is left to the state attorney general, not private lawsuits. This means no BIPA-style class actions.
- California’s Privacy Laws: While California does not have a biometric-specific statute like BIPA, it has incorporated biometric data into its broader consumer privacy regime. The California Consumer Privacy Act (“CCPA”) and its successor, the California Privacy Rights Act (“CPRA”), include biometric information in the definition of personal information protected by law. Businesses that collect Californians’ biometrics must disclose it in privacy notices and honor consumer rights (like deletion requests) and are subject to enforcement by California’s new dedicated privacy regulator. Further, a major breach of biometric data can trigger private lawsuits under the CCPA’s data-breach provision.
- New Biometric Privacy Acts on the Horizon: Lawmakers in several states have introduced BIPA-like bills in recent years. For example, New York’s legislature has repeatedly considered a “Biometric Privacy Act” modeled on Illinois’ BIPA, and bills are pending in states like Massachusetts and Missouri that would create BIPA-style frameworks. As of mid-2025, these bills have not yet become law but the legislative momentum is notable.
- Local Ordinances: Some city and local governments have also taken action on biometrics. New York City implemented a biometric identifier law in 2021 requiring that any business (like retail stores, bars, or restaurants) that collects biometric info from customers post a conspicuous notice at the entrance. NYC’s law also bans selling or profiting from biometric data and allows aggrieved customers to sue for damages if a business fails to comply. Portland, Oregon went even further by enacting a first-of-its-kind ban on private use of facial recognition technology in places of public accommodation (like stores, hotels, and restaurants) within city limits. Businesses in Portland can be fined $1,000 per day for using facial recognition in violation of that ordinance.
Companies that operate in multiple states should be mindful that a patchwork of biometric laws is emerging and what passes muster in one state might be illegal in another. Even in states without a specific biometric law, collecting biometrics could still trigger general privacy statutes or consumer protection laws. In short, the legal landscape is quickly evolving beyond Illinois.
Safeguarding Your Business: Compliance and Caution
In light of this biometric backlash, companies are well advised to be proactive and meticulous in how they handle biometric data. Some best practices to avoid becoming the next litigation target include:
- Know and Follow the Law: First and foremost, understand which biometric privacy laws apply to your operations: not only Illinois BIPA, but also any similar state laws (or general privacy laws) in the states where you operate. If you have employees or customers in Illinois, BIPA’s requirements (written notice, written release, retention policy, etc.) are essentially mandatory for any biometric program. Other states may impose different rules (e.g. requiring reasonable data security for biometrics, specific retention timeframes, or simply banning certain uses), so consult counsel to ensure compliance. Keep an eye on new legislation; the landscape is evolving, and laws in states like New York or Massachusetts could become reality in the near future.
- Implement Biometric Data Policies (Retention and Security): Nearly all biometric laws require a written retention and deletion policy. BIPA, for example, requires you to publicly post a schedule for destroying biometric data when the initial purpose has been satisfied or within a set time (no longer than 3 years in Illinois). Follow these policies strictly. Additionally, treat biometric data as sensitive information: use appropriate safeguards to prevent breaches or improper sharing. BIPA explicitly requires protecting biometrics using the “reasonable standard of care” in your industry and at least as securely as you protect other confidential data. Robust encryption, access controls, and limiting which personnel or third parties can access the data are all essential.
- Train Staff and Monitor Compliance: Often, privacy compliance falters not from malice but from lack of awareness. Be sure to train managers and IT personnel about the requirements of biometric privacy law. Anyone involved in implementing biometric systems (from HR setting up a fingerprint timeclock to marketing deploying a facial-recognition kiosk) should know the do’s and don’ts. Implement internal checks: audit your systems to ensure that no biometric data is collected without the proper notice in place, and confirm that data is purged according to schedule.
Conclusion
The rise of BIPA and the ensuing wave of class actions serve as a cautionary tale for companies nationwide. Illinois has shown that plaintiffs’ attorneys are eager to enforce these rights, and other states are following suit with new laws and enforcement efforts. A fingerprint timeclock or facial recognition feature that isn’t compliant with the patchwork of privacy requirements can become a multimillion-dollar liability.
ENDNOTES
[1] The claims against TikTok included BIPA violations among other privacy law violations.
[2] Defendants argued for a shorter one-year period for certain claims, but the court ruled the broader five-year “catch-all” limitation governs, allowing plaintiffs to reach back several years in their lawsuits.