A Major Court Win for Businesses — But BIPA Compliance Still Matters
A federal appeals court just handed businesses a significant victory in Illinois biometric privacy litigation, but companies still face important obligations under Illinois’ Biometric Information Privacy Act (BIPA).
On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit ruled in Clay v. Union Pacific Railroad Co. that a 2024 amendment to BIPA applies retroactively to all cases pending at the time the amendment took effect. The ruling resolves a heated legal debate about whether companies facing lawsuits for pre-2024 conduct could benefit from the amendment’s more favorable damages framework. The short answer, according to the Seventh Circuit: yes.
Before diving into what this means for businesses, it helps to understand how the law works, and how the stakes became so high in the first place.
What Is BIPA, and Does It Apply to You?
BIPA applies to any private entity that collects, captures, purchases, receives, or otherwise obtains biometric identifiers or biometric information from Illinois residents. If your company does business in Illinois and handles any biometric data, BIPA likely applies to you. BIPA was enacted in 2008, but litigation over biometric information has exploded in recent years.
Biometric identifiers under the law include fingerprints, retinal and iris scans, voiceprints, and scans of face or hand geometry. Biometric information is broader still; it encompasses any data derived from those identifiers that is used to identify a person, including templates, mathematical representations, or other digital data created by processing a biometric identifier.
In practice, this covers a wide range of common business tools: fingerprint data used for employee timekeeping or building access control systems, facial recognition data used for identity verification or security, and voiceprint data used for call authentication or fraud prevention.
To comply with BIPA, companies must provide advance written notice of any biometric data collection, obtain written consent from the individual before collecting that data, and maintain a publicly available policy governing retention and destruction of biometric information. Failure to comply with any of these requirements exposes companies to statutory damages.
How Damages Worked, and How They Changed
BIPA provides statutory damages of $1,000 for every negligent violation and $5,000 for every reckless one. Prior to August 2024, each noncompliant scan counted as a separate violation. A single employee whose fingerprint was scanned at a timeclock each day could generate thousands of individual violations over the course of their employment. The Seventh Circuit noted in its recent ruling that the lead plaintiff, Reginald Clay, alleged his fingerprint had been scanned by his employer 1,500 times, which could have resulted in as much as $7.5 million in damages for him alone.
In August 2024, the Illinois legislature amended BIPA to state that noncompliant duplicate scans of the same biometric information (such as multiple scans of the same fingerprint on a timeclock) count as a single violation. This change dramatically reduced the potential financial exposure for companies that had failed to provide the requisite notice and obtain consent.
A major remaining question was whether that amendment would apply to cases already in the court system based on conduct that predated August 2024. The Seventh Circuit answered that question with a clear yes, holding that because the amendment affects only the damages available to plaintiffs, not the underlying standards for liability, it is remedial in nature and applies retroactively.
What This Means for Businesses, and What It Doesn’t
The ruling is meaningful good news for companies currently defending BIPA litigation. It takes away the most alarming damages scenarios that had been driving high-pressure settlement negotiations and, in some cases, existential financial risk.
But there are two important caveats that every business owner should understand.
First, the Seventh Circuit’s opinion, while persuasive, is not the final word. Because the retroactivity of a state law amendment is ultimately a question of Illinois law, the Illinois Supreme Court will have the final say. If a pending state court case reaches that court, it could theoretically rule differently. The legal picture may continue to evolve.
Second, and more importantly, companies are still on the hook for BIPA violations. The amendment and the Seventh Circuit’s ruling reduced the magnitude of damages, not the existence of liability. Businesses that are not compliant with BIPA’s notice, consent, and retention policy requirements remain exposed to claims.
An Emerging Risk: AI Tools and Biometric Data
Perhaps the most pressing compliance concern for businesses going forward involves artificial intelligence. Companies should be aware that facial recognition technology and voice recognition technology, increasingly embedded in off-the-shelf AI tools, may be capturing biometric information from employees and customers without anyone at the company realizing it.
AI-powered cameras that use facial recognition for security or analytics, and AI recording or transcription software that processes voiceprints, are examples of tools that could potentially be collecting biometric information as a byproduct of their primary function. For example, a recent complaint filed against AI notetaker Fireflies.AI alleges the Fireflies tool records, transcribes, and stores voices of meeting participants, including voices of those who are not Fireflies users, without the requisite notice, consent, and retention safeguards required by BIPA. Without a robust BIPA compliance program in place, use of these tools in connection with Illinois residents may constitute a BIPA violation.
The bottom line: The Seventh Circuit’s ruling is a genuine legal victory for businesses facing BIPA litigation, and it brings a measure of predictability back to the damages landscape. But for companies that have not yet taken BIPA compliance seriously, this is a moment of clarity. The law is still in effect, the obligations are still real, and the exposure, while reduced, has not disappeared.
Questions about what this ruling may mean for your data practices? Reach out to Kathryn Nadro or Elizabeth (Lisa) Vandesteeg.