Category: BIPA

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In Svoboda, et al. v. Amazon.com Inc., No. 25-1361, 2025 WL 3654053 (7th Cir. Dec. 17, 2025), a panel of the U.S. Court of Appeals for the Seventh Circuit affirmed an order granting class certification in a case alleging that Amazon’s “virtual try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”). In doing so, the Seventh Circuit dealt Amazon a significant blow by allowing Plaintiffs to proceed on behalf of a class comprised of hundreds of thousands of people who used Amazon’s technology. The Svoboda decision is the most recent example of the plaintiffs’ bar successfully obtaining class certification in an Illinois privacy class action, and it shows that even the most sophisticated companies can face exposure arising out of their data collection and retention practices. 

Background

Plaintiffs alleged that Amazon sells makeup and eyeware products through its mobile shopping application and that the company’s “virtual try-on” (“VTO”) technology incorporates augmented reality to overlay the products on images of users, allowing shoppers to see how makeup and eyewear products look on their faces. To superimpose a product over an image of a user’s face, Plaintiffs claimed that the VTO software detects a person’s facial features to determine where to virtually overlay a given makeup or eyewear product.

Based on these allegations, Plaintiffs filed a class action in September 2021, claiming that Amazon violated the BIPA by collecting, capturing, storing, or otherwise obtaining the facial geometry and associated personal identifying information of thousands of Illinois residents who used Amazon’s VTO technology.

On March 30, 2024, Judge Jorge L. Alonso of the U.S. District Court for the Northern District of Illinois certified a class of individuals who used the VTO feature on Amazon’s mobile website or app while in Illinois on or after September 7, 2016 (our previous blog post on the district court’s order can be found here). Amazon subsequently appealed the class certification order to the Seventh Circuit.

The Seventh Circuit’s Opinion

On appeal, the Seventh Circuit affirmed the class certification order and held that the district court did not abuse its discretion in certifying a class of Amazon VTO users within Illinois.

The Seventh Circuit began by identifying Federal Rule of Civil Procedure 23(a)’s four class-certification requirements (i.e., numerosity, commonality, typicality, and adequacy) and by explaining that Plaintiffs must also satisfy Rule 23(b)(3), which requires that “questions of law or fact common to class members predominate” over individual questions and that “a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” The Seventh Circuit further noted that Amazon’s appeal challenged the district court’s order only with respect to Rule 23(b)(3)’s predominance and superiority requirements.

In affirming the district court’s predominance ruling, the Seventh Circuit found that the same conduct (specifically, Amazon’s alleged use of the VTO application) unites Plaintiffs’ BIPA claims and that issues relating to the functionality of the VTO software, Amazon’s alleged use of class members’ biometric data, and legal questions about whether that use violated the BIPA were common to the class and could be resolved by the district court “in one stroke.”

The Seventh Circuit then turned to the individualized questions identified by Amazon, including the question of whether a class member was in Illinois at the time he or she used Amazon’s VTO tool. Regarding this “locational element,” the Seventh Circuit observed that class members must prove that they were in Illinois when they used the VTO tool to have viable BIPA claims and that the lack of such proof also raised questions relating to class member identification and manageability. The Seventh Circuit further acknowledged that common proof of location may only be available for a subset of claimants, while “individualized inquiries will be necessary for others.” Id. at *5 (“For example, where billing address and geolocation data point to different states, or are unavailable for an alleged VTO use, individual affidavits or other proof will be necessary to show that the claimant used the VTO in Illinois.”).

The Seventh Circuit ultimately ruled that the location of potential class members could generally be determined using (i) users’ billing addresses, (ii) users’ IP addresses and geolocation data, and (iii) personal affidavits from class members attesting that they used the VTO application while in Illinois, and that individualized questions connected to proof of location would not predominate over common questions. See also id. (“[I]t is not uncommon for class actions to have a ‘final phase’ for class members to submit individualized proof of a claim….A phase requiring individual presentations of proof on all (or part of) an element of a claim does not defeat predominance. Stated another way, an individual question does not predominate where common questions of law and fact relevant to liability otherwise generate significant efficiencies and the individual question is manageable.”) (citation omitted). The Seventh Circuit also rejected Amazon’s due process challenge to the district court’s predominance finding because the company would have the opportunity to challenge class members’ individual proof of location.

Implications For Corporate Counsel

Svoboda is one of many cases demonstrating the dangers associated with collecting or retaining biometric information without implementing BIPA-compliant policies. The opinion is also a reminder that the larger the company, the larger the potential class size (and accompanying statutory damages award). The class in Svoboda contained over one hundred thousand individuals, illustrating the potentially significant exposure associated with running afoul of Illinois privacy laws.

Corporate counsel should also remember that the Seventh Circuit’s discussion in Svoboda applies to all class actions (not just those alleging BIPA violations) in which it may not be possible to identify a class member’s location at the time of the alleged privacy violation. As noted above, due process does not require that class counsel be able to uncover such information for all class members at the certification stage. See also, e.g., Mullins v. Direct Digital, LLC, 795 F.3d 654, 672 (7th Cir. 2015) (“[C]ourts should not decline certification merely because the plaintiff’s proposed method for identifying class members relies on affidavits.”).

By Gerald L. Maatman, Jr., George J. Schaller, and Ryan T. Garippo

Duane Morris Takeaways: On June 10, 2025,inClay v. Union Pac. R.R. Co, No. 24-CV-4194, 2025 U.S. Dist. LEXIS 108672 (N.D. Ill. June 10, 2025), Judge Georgia N. Alexakis of the U.S. District Court for the Northern District of Illinois certified for interlocutory appeal her decision denying Union Pacific’s motion for partial summary judgment after concluding the 2024 amendment to the Illinois Biometric Information Privacy Act (the “BIPA”) was not retroactive.  In 10 days from entry of Judge Alexakis’ Order, Union Pacific may request the Seventh Circuit’s review of the certified question of whether the 2024 amendment to the BIPA applies retroactively. This would be a key issue of significant importance to all companies facing BIPA class actions.

Case Background

Plaintiff Reginald Clay is a truck driver that visited Union Pacific’s facilities. He alleges Union Pacific required him to register his fingerprint information and scan his fingerprints upon entering and exiting those facilities.  Id. at *2-3.  Clay also alleges Union Pacific did not “disclose what was done with his [fingerprint] information or how it would be stored.”  Id. at *3.  On April 16, 2024, Clay sued Union Pacific under the BIPA. 

In August 2024, the Illinois legislature amended the BIPA to “clarify that when an entity subject to the [BIPA] ‘in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection,’ in violation of the [BIPA], the entity ‘has committed a single violation … for which the aggrieved person is entitled to, at most, one recovery.’”  Id. (quoting 740 ILCS 14/20(b), (c), as amended by SB 2979, Public Act 103-0769.)

On November 4, 2024, Union Pacific moved for partial summary judgment and argued “under the 2024 BIPA amendment Clay was now entitled to recover for at most a single BIPA violation rather than the ‘per-scan’” violation under Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 24.  Id. at *3-4.  On April 10, 2025, the Court concluded that “the BIPA amendment was substantive rather than procedural” and therefore the BIPA amendment “was not retroactive under Illinois law, and thus did not apply to Clay’s claim.”  Id. at *4. 

Union Pacific requested certification of the Court’s order for interlocutory appeal.  Clay opposed the request.

The Court’s Order

On June 10, 2025, the Court certified Union Pacific’s request for an interlocutory appeal of the order denying Union Pacific’s partial motion for summary judgment.  Id. at *7.

The Court determined Union Pacific satisfied the four statutory criteria under 28 U.S.C. § 1292 (b)that: “there must be a question of law, it must be controlling, it must be contestable, and its resolution must promise to speed up the litigation.”  Id. at *1-2.  In addition, the Court found Union Pacific satisfied the Seventh Circuit’s fifth “non-statutory requirement: [that] the petition must be filed in the district court within a reasonable time after the order sought to be appealed.”  Id. at *2.

The Court reasoned whether the 2024 amendment to the BIPA is retroactive is “undoubtedly ‘a question of the meaning of a statutory or constitutional provision,” the Amended BIPA “presents ‘an abstract issue of law . . . suitable for determination by an appellate court without a trial record,” and that the question of BIPA retroactivity “is quite likely to affect the further course of litigation.”  Id. at *4.  As Union Pacific argued, and as the District Court agreed, if the “Seventh Circuit were to conclude that Clay was entitled to only one recovery… [that] certainty about the retroactivity of the 2024 amendment would ‘materially advance the ultimate termination of the litigation.”  Id. at *5.

The Court reasoned Union Pacific’s motion was timely because the Court “did not consider 28 days to be unreasonable in preparing a motion to certify for interlocutory appeal a novel question of state law, especially when Clay points to no prejudice he suffers as a result.”  Id. at *6.

The Court also opined that while “the Court shares Clay’s view that its April 10 order was ‘correctly reasoned,’[], its confidence does not mean that BIPA retroactivity is not ‘contestable’ within the meaning of § 1292.”  Id.  In addition, the Court relied on the overwhelming decisions of judges within the Northern District of Illinois and Illinois state court finding the “BIPA amendment does not apply retroactively to pending cases, [], so no current dispute exists among the courts.”  Id. at *6-7.  But that the consensus of these decisions “does not mean there is ‘no substantial ground for difference of opinion’ about retroactivity.”  Id. at *7.

The Court concluded that though its “confidence in its earlier decision” in Schwartz v. Supply, Inc., 23-CV-14319, (N.D. Ill. Nov. 22, 2024) (finding 2024 BIPA amendment not retroactive to pending cases) is not changed that it acknowledges “the novelty and complexity of the legal issue” of retroactivity.  Accordingly, the Court found Union Pacific meet all four statutory requirements and the Seventh Circuits’ timeliness requirement and certified Union Pacific’s interlocutory appeal.

Implications For Companies

The ruling in Clay sparks newfound hope on the hotly contested issue of retroactivity of the 2024 amendment to the BIPA.  Judge Alexakis’ well-reasoned decision allows Union Pacific 10 days from the Court’s order to request the Seventh Circuit’s interlocutory review of the certified question. 

Should the Seventh Circuit grant Union Pacific’s pending request, then the BIPA’s “per-scan” damages for pre-amendment BIPA litigation will receive further consideration.  However, even if the Seventh Circuit grants the request, there is always a possibility the Seventh Circuit certifies the question to the Illinois Supreme Court.

Until then, the deluge of decisions referenced in Clay denying retroactivity remain in effect.  Companies met with BIPA litigation must monitor Clay as it progresses through interlocutory review.

By Gerald L. Maatman, Jr., Ryan T. Garippo, and George J. Schaller

Duane Morris Takeaways:  On August 2, 2024, Illinois Governor J.B. Pritzker signed Senate Bill 2979, which amends the draconian penalties under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (the “BIPA”).  Senate Bill 2979 and its reformed language can be accessed here.  For Companies caught in the BIPA’s crosshairs, this reform ushers in a welcome reprieve to the former statute’s harsh regime of penalties.

Background On The BIPA’s Former Construction

The BIPA statute codifies restrictions against companies that collect biometric information and identifiers.  See 740 ILCS 14/1.  The rationale for this legislation was that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information” and as such, “[t]he full ramifications of biometric technology are not fully known.”  Id. § 14/5(c)-(f).  Consequently, the BIPA prohibited companies from “collect[ing], captur[ing], purchas[ing], receiv[ing]” or “disclos[ing], redisclos[ing], or otherwise disseminat[ing]” an individual’s biometric data.  Id. § 14/15(b)-(d).  The BIPA further imposed statutory damages in the amount of $1,000 for each negligent violation of the statute, and $5,000 for each intentional violation.  Id. § 14/20.

As a result, what constituted a single “violation” of the BIPA had significant consequences for companies.  If violations occurred on a “per person” basis, the highest amount of damages that a company could owe an individual was $1,000 or $5,000 respectively.  However, if violations occurred on a “per scan” or “per incident” basis, companies would owe damages for each time that they collected or disseminated that data.  Under the latter, companies could be required to sometimes pay “class-wide damages [that] . . . exceed $17 billion” dollars.  Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 76 (Feb 17, 2023) (Overstreet, J., dissenting).  Despite the legislature’s concerns with collecting biometric information, many companies argued that this outcome cannot be what the Illinois General Assembly intended.

Regardless, on February 17, 2023, the Illinois Supreme Court issued a landmark decision on this statutory question.  The Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.”  Id. at ¶ 31.  However, the opinion was not unanimous.  Justice Overstreet objected to this interpretation of the statute and criticized the majority for adopting an interpretation that caused “Illinois businesses to be subject to cataclysmic, jobs-killing damages, potentially up to billions of dollars, for violations of the Act.”  Id. at ¶ 73 (Overstreet, J., dissenting).  But Justice Overstreets’ dissents were only dissents, and his interpretation of the law was not adopted.

Legislative Revisions To The BIPA Under SB 2979

On August 2, 2024, and over a year later, Governor Pritzker and the Illinois General Assembly vindicated Justice Overstreet’s dissents. They explained that “it does not withstand reason to believe the legislature intended this absurd result.”  Id.  SB 2979 makes two major corrections to the BIPA’s draconian reach.  First, the reform removes “per scan” violations from the statute.  Now, damages under Sections 15(b) and 15(d) of the BIPA accrue on a “per person” basis.  Specifically, the statute now states:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

740 ILCS 14/20 (b)-(c) (emphasis added).

Second, the statute now also allows for companies to obtain a “electronic signature” in order to secure a release from BIPA liability.  740 ILCS 14/10.

Impact Of SB 2979 On Class Action Litigation Under The BIPA

The importance of this reform cannot be understated.  For example, before SB 2979, at a company like the one in Cothron, where each employee “scans his finger (or hand, face, retina, etc.) on a timeclock four times per day — once at the beginning and end of each day and again to clock in and clock out for one meal break — over the course of a year,” that company would have collected a single employee’s “biometric identifiers or information more than 1000 times.”  Cothron, 2023 IL 128004, ¶ 78 (Overstreet, J., dissenting).  Over the course of five years, that same employee may have scanned over 5,000 times.  Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 32 (Feb. 2, 2023) (holding 5-year statute of limitations applies for violations of the BIPA).

Under those circumstances, at a rate of $1,000 per violation, a company may owe $5,000,000 to that employee alone.  And, at a rate of $5,000 per violation, a company may owe $25,000,000 to that employee.  After SB 2979’s passing, this exact same company would only owe $1,000 or $5,000 to each employee respectively.  A such, this reform ushers in a new era of damages limits surrounding BIPA litigation, and peace of mind to corporate counsel charged with defending their companies from such massive liability.

Implications for Employers

As to companies currently engaged in BIPA litigation, there is reason to believe that such legislation may not be viewed as retroactive.  However, even if this legislation is not retroactive, damages under the BIPA are discretionary and are not required to be imposed.  See, e.g., Rogers v. BNSF Railway Company, 680 F. Supp. 3d 1027, 1041-42 (N.D. Ill. 2023).  Companies can expect the retroactive-effect of SB 2979, or lack thereof, to be the next battleground for BIPA litigation.

Consequently, SB 2979 now places companies in the best position possible to avoid “this job-destroying liability” until the remaining BIPA cases work themselves through the judicial system.  Cothron, 2023 IL 128004, ¶ 86 (Overstreet, J., dissenting).  As those cases progress, companies should revisit to ensure continued compliance with the BIPA and monitor SB 2979’s impact in on-going BIPA cases.