TL;DR: On April 1, 2026, the Seventh Circuit Court of Appeals ruled that the 2024 amendment to Illinois’s Biometric Information Privacy Act (BIPA) applies retroactively to all pending lawsuits. That amendment capped damages at one recovery per person instead of one per biometric scan. Before this ruling, a single worker scanned 1,500 times could seek $7.5 million. Now the maximum is $5,000. The court reversed three federal district court decisions in Clay v. Union Pacific Railroad and consolidated cases. Hundreds of pending BIPA class actions just had their financial teeth pulled. Companies that spent years scanning fingerprints, faces, and voiceprints without consent got a massive retroactive discount.
What the Seventh Circuit Actually Did
Chief Judge Michael Brennan, writing for a unanimous three-judge panel, answered a question that had split lower courts for nearly two years: does the August 2024 amendment to BIPA Section 20 apply to lawsuits already filed before the amendment took effect?[1]
Yes, the court said. Retroactively. To every pending case.
The reasoning: the amendment is “remedial” because it changes the damages formula (Section 20) rather than the underlying conduct that’s illegal (Section 15). Under Illinois law, remedial changes apply retroactively. The amendment didn’t make fingerprint scanning without consent legal. It just made getting caught cheaper.[2]
Three cases were consolidated on appeal. Reginald Clay, a commercial truck driver, alleged Union Pacific Railroad required him to scan his fingerprints every time he entered and exited company facilities: roughly 1,500 scans over several years. John Gregg and Brandon Willis alleged their employers collected fingerprints and hand geometry through biometric time clocks without consent.[1]
Under the old per-scan reading of BIPA, Clay’s 1,500 scans at $5,000 per intentional violation meant potential damages of $7.5 million, for one person. Under the new ruling, that collapses to $5,000 maximum. A 99.93% reduction.
What Changed and Why It Matters
Before August 2024, BIPA’s damages provision was ambiguous about what counted as a “violation.” In 2023, the Illinois Supreme Court ruled in Cothron v. White Castle that each individual biometric scan constituted a separate violation.[3] That turned BIPA into the most feared privacy statute in America. A single employee scanned twice a day for three years racked up over 2,000 violations, potentially $10 million in damages for one plaintiff.
Companies panicked. Settlements surged. BIPA had real teeth, and companies paid:
- Meta/Facebook: $650 million to Illinois class in 2021 for facial recognition tagging[4]
- Meta/Texas: $1.4 billion in July 2024 for the same technology[5]
- Clearview AI: A 23% equity stake in the company (the first settlement of its kind) in March 2025[6]
- Google Photos: $100 million in 2022 for face grouping without consent
Then Illinois lawmakers intervened. On August 2, 2024, Governor Pritzker signed an amendment specifying that collecting “the same biometric identifier or biometric information from the same person using the same method of collection” counts as a single violation.[2] One recovery per person, not per scan.
The question was: does that apply to the hundreds of cases already in the pipeline?
Three federal district courts in Illinois said no. The Seventh Circuit just said yes.
The Financial Fallout, by the Numbers
BIPA filings have already cratered since the 2024 amendment. From 2019 through 2024, plaintiffs filed more than 300 class actions per year. In 2025, that dropped to roughly 150.[7]
The Seventh Circuit ruling will accelerate that collapse. Here’s why:
- Class action economics flip. A class of 10,000 employees scanned daily for three years previously meant billions in exposure. Now it means $50 million at the statutory maximum. Still significant, but the math that made BIPA a litigation bonanza no longer works.
- Settlement leverage vanishes. Companies settled BIPA cases because the per-scan exposure was existentially threatening. A $650 million settlement looks reasonable when the alternative is $10 billion in per-scan liability. At per-person rates, companies will fight harder and settle for less.
- Federal jurisdiction questions emerge. Many BIPA class actions land in federal court because damages exceed $5 million. With per-person caps, some classes may fall below that threshold, getting kicked back to state court.[8]
Who Wins, Who Loses
The U.S. Chamber of Commerce filed an amicus brief supporting Union Pacific.[9] They got what they wanted. Every company currently defending a BIPA class action (and there are hundreds) just saw their maximum exposure drop by orders of magnitude.
The losers are the people whose biometric data was taken without consent. BIPA was designed so that the cost of violating it exceeded the benefit of collecting biometric data without permission. A company that saves $50,000 by skipping consent procedures and faces a $50,000 penalty has no reason to comply. BIPA’s per-scan damages created a genuine deterrent. That deterrent is now gone for most cases.
The ACLU of Illinois, which helped draft BIPA in 2008, didn’t formally oppose the 2024 amendment but emphasized that the private right of action remains “a vital tool to hold companies accountable.”[10] That’s technically still true. But a vital tool with 99.93% less force behind it functions differently.
What BIPA Still Does
Before the obituary gets written: BIPA is not dead. The ruling changes damages, not liability. Companies still violate BIPA when they collect fingerprints, voiceprints, face scans, or other biometric identifiers without written notice and consent. The three requirements haven’t changed:[10]
- Tell people in writing that biometric data is being collected
- Explain why and for how long
- Get written consent
Companies that skip these steps still face lawsuits. The statutory damages ($1,000 per person for negligent violations, $5,000 for intentional ones, plus attorney’s fees) still add up in large classes.[10]
And BIPA continues to be the model for biometric privacy laws spreading to other states. Texas already enforced its biometric law for the $1.4 billion Meta settlement. Washington has a biometric privacy statute. Several other states are considering BIPA-style legislation.
But the fear factor is gone. BIPA was the only US privacy law where a single violation could bankrupt a company. That made compliance non-negotiable. Now it’s a cost-benefit calculation, and for large companies, the cost of violating BIPA may be lower than the cost of implementing consent systems.
How We Got Here
- 2008: Illinois passes BIPA, years before most people know what “biometric data” means
- 2015: First major BIPA lawsuit filed against Facebook for facial recognition
- 2019: Illinois Supreme Court rules in Rosenbach v. Six Flags that you don’t need to show actual harm to sue under BIPA
- 2021: Facebook settles for $650 million. BIPA class actions explode past 300 per year
- 2023: Illinois Supreme Court rules in Cothron v. White Castle that each scan is a separate violation[3]
- August 2, 2024: Illinois amends BIPA Section 20 to cap damages per person, not per scan
- 2024–2025: Federal courts split on retroactivity. Three judges say amendment is prospective only
- April 1, 2026: Seventh Circuit reverses all three, says amendment applies retroactively[1]
What You Can Do
Check If Your Employer Collects Biometrics
Fingerprint time clocks, badge scanners with palm readers, voice-activated meeting transcription: these all involve biometric data. Ask your HR department whether they have a written BIPA policy. If they don’t, that’s still a violation even after this ruling.
Don’t Assume You’ve Lost All Rights
BIPA’s consent requirements haven’t changed. If a company never told you they were collecting your biometric data and never got your consent, they still violated the law. Damages are lower, but the violation is real. Consult a privacy attorney if you’re in Illinois.
Watch Your State Legislature
Several states are considering biometric privacy bills. Contact your state representatives and point to Illinois as proof that strong enforcement mechanisms matter. Without per-scan damages, companies have less incentive to comply.
Support Federal Biometric Privacy Legislation
The patchwork of state laws leaves most Americans unprotected. A federal biometric privacy law with real enforcement teeth would prevent companies from treating fines as a cost of doing business. Organizations like the ACLU and EFF are pushing for stronger protections.
The Pattern You Should Recognize
BIPA’s story follows a script we’ve seen before. A state passes a privacy law with real consequences. Companies violate it. Billion-dollar settlements make headlines. Then industry lobbies to weaken the law. Legislators comply. Courts bless the weakening retroactively.
This is exactly what happened with BIPA. The per-scan damages were the feature, not the bug. They existed because biometric data (your fingerprint, your face, your voice) can’t be changed if it’s stolen. You can reset a password. You can’t reset your fingerprint. The law reflected that permanence with proportional consequences.
Illinois lawmakers decided those consequences were too severe. The Seventh Circuit just made sure that decision reaches backward to protect companies that violated the law before it was changed.
Reginald Clay scanned his fingerprint roughly 1,500 times for Union Pacific. Every single scan happened without BIPA-compliant notice or consent. Under the court’s ruling, all 1,500 of those unconsented scans are treated as a single violation worth at most $5,000.
Union Pacific got a 99.93% discount on the consequences of ignoring your biometric privacy for years. And that’s the new math for every company in America watching this ruling.
References
- Duane Morris Class Action Defense Blog: Seventh Circuit Holds BIPA Amendment Applies Retroactively, Reversing Three Illinois Federal Court Decisions (April 3, 2026)
- Fisher Phillips: Major Biometric Win for Business in Illinois: 3 Lessons as Federal Appeals Court Says BIPA Damages Limit Applies Retroactively (April 2026)
- Law360: Ill. Businesses Score Win In 7th Circ. BIPA Retroactivity Ruling (April 2026)
- TechCrunch: Facebook Settles Illinois Class Action for $650 Million (March 2021)
- Texas Attorney General: $1.4 Billion Settlement With Meta Over Unauthorized Biometric Capture (July 2024)
- Biometric Update: Clearview Settles BIPA Lawsuit, Plaintiffs Take 23% of Company (2025)
- Legal Newsline: Reforms Sliced BIPA Class Actions in 2025, New Report Says
- Michael Best: Seventh Circuit May Decide Whether BIPA Amendment Applies Retroactively
- U.S. Chamber of Commerce: Clay v. Union Pacific Railroad Co. (Amicus Brief)
- ACLU of Illinois: Biometric Information Privacy Act (BIPA)