Category: BIPA

By Gerald L. Maatman, Jr., Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways: On April 1, 2026, in Clay et al. v. Union Pacific Railroad Co. et al., Nos. 25-2185 et al., 2026 WL 891902 (7th Cir. Apr. 1, 2026),  a three-judge panel of the U.S. Court of Appeals for the Seventh Circuit reversed three federal district court decisions and held that the August 2, 2024, amendment to Section 20 of the Illinois Biometric Information Privacy Act (“BIPA”) applies retroactively to cases pending at the time of enactment. The Seventh Circuit concluded that the amendment is remedial because it governs damages rather than liability and, therefore, applies retroactively under Illinois law.

This decision is a watershed win for BIPA defendants in the class action space. It significantly curtails potential exposure by confirming that plaintiffs may recover, at most, $5,000 in statutory damages for intentional violations or $1,000 for negligent violations per person, rather than on a per-scan basis that previously threatened astronomical liability.

Background

As the Seventh Circuit observed, “BIPA has become a font of high-stakes litigation.” Id. at *1.  In response to the Illinois Supreme Court’s decision in Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 926 (Ill. 2023), which held that BIPA claims accrue “with every scan or transmission” of biometric information, the Illinois General Assembly amended Section 20 of the BIPA in August 2024 to clarify the scope of recoverable damages. The amendment provides, in relevant part, that a private entity that collects or discloses “the same biometric identifier or biometric information from the same person using the same method of collection…has committed a single violation…for which the aggrieved person is entitled to, at most, one recovery under this Section.” 740 ILCS 14/20(b) (emphasis added).

The consolidated appeals arose from three cases asserting typical BIPA theories. Plaintiff Reginald Clay alleged that Union Pacific violated Section 15(b) by requiring repeated fingerprint scans to access the company’s facilities. Plaintiffs John Gregg and Brandon Willis alleged that their employers used biometric timekeeping systems in violation of Sections 15(a), (b), and (d).

The Seventh Circuit emphasized the extraordinary financial stakes. Plaintiff Clay alleged approximately 1,500 fingerprint scans – translating to $7.5 million in potential damages for a single plaintiff if damages were calculated on a per-scan basis.  2026 WL 891902 at *2.  In contrast, the putative class claims in Plaintiff Willis’ case exposed the defendant to billions of dollars in potential liability. Id.  The three interlocutory appeals posed the same legal question: whether the 2024 amendment to BIPA Section 20 applies retroactively to limit such exposure.

The Seventh Circuit’s Decision

The Seventh Circuit answered that question with a definitive “yes.” It held that the amendment to Section 20 applies retroactively to pending cases. Id. at *3. 

Applying Illinois retroactivity principles, the Seventh Circuit explained that where the legislature is silent on the temporal reach of the amendment, as here, courts look to Section 4 of the Illinois Statute on Statutes, which, in turn, directs the court to determine whether the amendment is substantive or procedural. Id. (citing Perry v. Dep’t of Fin. & Pro. Regul., 106 N.E.3d 1016, 1026-27 (Ill. 2018)). 

The Seventh Circuit concluded that the amendment is remedial and, therefore, procedural, because it governs damages rather than underlying liability. Id. at *4.  Central to this determination was the statutory text and structure. The legislature amended Section 20, which addresses liquidated damages, rather than Section 15, which sets forth the substantive requirements governing the collection and disclosure of biometric data.  The Seventh Circuit emphasized that the amendment does not alter “the rights, duties, and obligations of persons to one another,” which are the defining characteristics of substantive changes. Id. (citing Perry, 106 N.E.3d at 1034). Instead, the amendment focuses exclusively on the remedies available once a violation has been established.

The appellees argued that the Illinois Supreme Court’s decision in Cothron established that each biometric scan constitutes a separate “violation,” and that the amendment therefore effected a substantive change by transforming thousands of violations into a single recoverable event, thus “terminating millions of dollars of liability.” Id. at *4. The Seventh Circuit rejected this position, reasoning that it both misinterprets the statute and overstates Cothron’s holding. Id. at *5. The Court clarified that Cothron addressed only when claims accrue under Section 15 and did not consider the meaning of “violation” for purposes of damages under Section 20. Id.  According to the Seventh Circuit, that distinction was dispositive. Id.

Ultimately, the Seventh Circuit determined that the amendment does not alter the number of violations or the injuries alleged by plaintiffs but instead limits the damages that may be awarded for those violations.  As the Seventh Circuit explained, the amendment “simply changed the statutory award of damages available to plaintiffs, cabining the discretion of trial court judges when they fashion the remedy.” Id. at *6.  Accordingly, the Court held that the amendment is remedial in nature and applies retroactively. Id. at *7. It therefore reversed the district court decisions that had concluded otherwise. Id.

Implications for Companies

Clay is one of the most consequential BIPA defense rulings in years. It materially reshapes the litigation landscape in several key respects:

• Caps on exposure: The decision eliminates the “per-scan” damages theory asserted by plaintiffs that drove outsized settlement pressure and bet-the-company risk.
• Immediate impact on pending cases: Defendants in ongoing litigation now have strong grounds to limit damages and revisit class certification, settlement posture, and jurisdictional arguments.
• Strategic leverage: The ruling provides powerful leverage in motion practice and settlement negotiations, particularly where plaintiffs previously relied on inflated damages models.
• Deterrence of new filings: By significantly reducing potential recoveries, Clay may dampen the volume of new BIPA filings and recalibrate plaintiffs’ bar incentives.

In sum, Clay delivers a decisive, defense-friendly interpretation of BIPA’s damages framework. Companies facing biometric privacy claims should promptly assess how this ruling affects their litigation strategy and potential exposure.

By Gerald L. Maatman, Jr., Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways:  In Zaluda et al. v. Apple, Inc., Case No. 2019 CH 11771, (Cir. Ct. Cook Cnty., Ill. Jan. 29, 2026), Judge Michael T. Mullen of the Circuit Court of Cook County, Illinois granted class certification to a class of plaintiffs alleging that Apple’s Siri function violated the Illinois Biometric Information Privacy Act (“BIPA”).  In doing so, Judge Mullen delivered a significant setback to Apple’s efforts to block the certification of a purported class that could number in the millions.  Pre-certification discovery established that there were approximately 2.6 to 3.9 million Siri users in Illinois during the relevant class period.

This decision represents the latest success for the plaintiffs’ bar in a string of victories in Illinois privacy class actions (as we previously blogged about here and here) and underscores that even the largest and most sophisticated companies in the world face substantial legal exposure arising from their biometric data collection, retention, and use practices.

Background

Apple’s voice-activated digital assistant, “Siri,” uses speech recognition technology to understand and respond to user inquiries and to perform user-requested tasks. Siri comes pre-loaded on a wide range of Apple devices, including iPhones, iPads, HomePods, Apple Watches, Macbooks, iMacs, and AirPods.

Siri relies on an automatic speech recognition (“ASR”) process that “automatically and uniformly computes biometric feature vectors [] from every user utterance for every Siri user,” and that process functions uniformly across all Apple devices. Id. at 4. These “feature vectors” are capable of being used to identify a speaker. Id. at 3. During the relevant class period, Apple’s privacy policies and disclosures applicable to Siri users were uniform and did not include the notice, consent, or retention policy disclosures required by the BIPA. Id. at 4.

Apple sorts its records to identify device users based on their state of residence or telephone number area code. Id. at 5. Apple’s former Senior Director of Siri testified at his deposition that Apple tracks the percentage of device owners who enable Siri and that approximately 20% to 30% of all device owners do so. Based on those figures, Apple estimated that there were approximately 2.6 to 3.9 million Siri users in Illinois during the relevant period at issue in the lawsuit. Id. at 3, 5.

Against this backdrop, plaintiffs filed a class action lawsuit alleging that Apple violated the BIPA by collecting, capturing, storing and/or disseminating “biometric feature vectors” and/or “voiceprints” of millions of Illinois residents who used Siri on any Apple device without first providing the required disclosures, obtaining informed written consent, or maintaining publicly available written data retention and destruction guidelines. Id. at 2. Plaintiffs sought certification of a class consisting of all Illinois residents who used Siri on any Apple device on or after September 19, 2014. Id. at 5. Notably, pre-certification discovery revealed that there were more than 13 million unique Apple IDs associated with a billing address in Illinois and an Apple device capable of running Siri. Id. at 5 n.20.

The Court’s Ruling

In ruling in favor of the plaintiffs, Judge Mullen systematically rejected Apple’s arguments that plaintiffs failed to satisfy the requirements for class certification under 735 ILCS 5/2-801. Given the size of the purported class, Apple stipulated to numerosity for purposes of class certification. Id. at 8.

With respect to the adequacy requirement, Apple argued that the named plaintiffs were inadequate representatives because they lacked sufficient knowledge about the case and because three of them no longer reside in Illinois. Id. at 18. The Court rejected those arguments. After reviewing the named plaintiffs’ deposition testimony, the Court found that each plaintiff demonstrated a basic understanding of the claims and emphasized that class representatives are not “required to be experts.”  Id. The Court further concluded that each named plaintiff was an Illinois resident at some point during the proposed class period and that there was no evidence of any conflict between the interests of any named plaintiff and the interests of absent class members. Id.

The Court also found that common questions of law and fact predominated over any questions affecting individual members, and that a class action was an appropriate method for adjudicating the claims.  Id. at 17, 22. Apple argued that commonality and predominance were lacking because: (1) Siri is optional and not all Apple device users enable it; (2) Siri users do not all activate Siri in precisely the same manner; and (3) Siri’s speech recognition functions changed during the class period. Id. The Court rejected each contention.

First, the Court explained that users who never enabled Siri are not members of the proposed class, rendering that argument irrelevant. Id. Second, the Court concluded that regardless of how Siri is activated, Plaintiffs plausibly alleged that Siri’s ASR process uniformly generates feature vectors that are capable of identifying a speaker from all user utterances. Id. The Court further reasoned that the optional Siri features cited by Apple do not undermine plaintiffs’ claims based on Siri’s ASR process and, at most, could give rise to additional BIPA claims for users who opted in to those features. Id. at 11-12. Third, the Court found that alleged changes to Siri’s speech recognition functions during the class period did not alter the uniform operation of the ASR process and therefore did not defeat commonality or predominance. Id. at 12.

Apple also contended that class membership could only be established through “individualized” proof, which it argued defeated certification. Id. at 14. The Court disagreed. Citing Svoboda v. Amazon.com, Inc., 2024 WL 1363718, *10 (N.D. Ill. Mar. 30, 2024) (which we previously blogged about here), the Court held that issues concerning how class members are identified are matters of class management, not class certification. Id. at 16. The Court explained that, if liability is established, class members could submit affidavits attesting to their Siri use in Illinois, which could then be cross-checked against Apple IDs, home addresses, IP addresses, and geolocation data. Id.

Finally, the Court concluded that proceeding on a class basis was the most efficient and fair method of adjudication. Id. at 22. The Court noted that Apple’s implicit alternative (i.e., requiring millions of individual BIPA lawsuits by Illinois Siri users) would impose a severe burden the judicial system. Id. at 21.

Implications for Companies

This decision serves as a reminder of the significant risks associated with collecting or retaining biometric information without BIPA-compliant policies and practices. As Zaluda illustrates, the larger the company, the larger the potential class size (and the greater exposure to statutory damages). Although the ultimate size of the certified class remains to be determined, it is likely to number in the millions. Companies of all sizes should view this ruling as a wake-up call regarding the substantial liability that can result from noncompliance with Illinois’ biometric privacy laws.

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In Svoboda, et al. v. Amazon.com Inc., No. 25-1361, 2025 WL 3654053 (7th Cir. Dec. 17, 2025), a panel of the U.S. Court of Appeals for the Seventh Circuit affirmed an order granting class certification in a case alleging that Amazon’s “virtual try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”). In doing so, the Seventh Circuit dealt Amazon a significant blow by allowing Plaintiffs to proceed on behalf of a class comprised of hundreds of thousands of people who used Amazon’s technology. The Svoboda decision is the most recent example of the plaintiffs’ bar successfully obtaining class certification in an Illinois privacy class action, and it shows that even the most sophisticated companies can face exposure arising out of their data collection and retention practices. 

Background

Plaintiffs alleged that Amazon sells makeup and eyeware products through its mobile shopping application and that the company’s “virtual try-on” (“VTO”) technology incorporates augmented reality to overlay the products on images of users, allowing shoppers to see how makeup and eyewear products look on their faces. To superimpose a product over an image of a user’s face, Plaintiffs claimed that the VTO software detects a person’s facial features to determine where to virtually overlay a given makeup or eyewear product.

Based on these allegations, Plaintiffs filed a class action in September 2021, claiming that Amazon violated the BIPA by collecting, capturing, storing, or otherwise obtaining the facial geometry and associated personal identifying information of thousands of Illinois residents who used Amazon’s VTO technology.

On March 30, 2024, Judge Jorge L. Alonso of the U.S. District Court for the Northern District of Illinois certified a class of individuals who used the VTO feature on Amazon’s mobile website or app while in Illinois on or after September 7, 2016 (our previous blog post on the district court’s order can be found here). Amazon subsequently appealed the class certification order to the Seventh Circuit.

The Seventh Circuit’s Opinion

On appeal, the Seventh Circuit affirmed the class certification order and held that the district court did not abuse its discretion in certifying a class of Amazon VTO users within Illinois.

The Seventh Circuit began by identifying Federal Rule of Civil Procedure 23(a)’s four class-certification requirements (i.e., numerosity, commonality, typicality, and adequacy) and by explaining that Plaintiffs must also satisfy Rule 23(b)(3), which requires that “questions of law or fact common to class members predominate” over individual questions and that “a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” The Seventh Circuit further noted that Amazon’s appeal challenged the district court’s order only with respect to Rule 23(b)(3)’s predominance and superiority requirements.

In affirming the district court’s predominance ruling, the Seventh Circuit found that the same conduct (specifically, Amazon’s alleged use of the VTO application) unites Plaintiffs’ BIPA claims and that issues relating to the functionality of the VTO software, Amazon’s alleged use of class members’ biometric data, and legal questions about whether that use violated the BIPA were common to the class and could be resolved by the district court “in one stroke.”

The Seventh Circuit then turned to the individualized questions identified by Amazon, including the question of whether a class member was in Illinois at the time he or she used Amazon’s VTO tool. Regarding this “locational element,” the Seventh Circuit observed that class members must prove that they were in Illinois when they used the VTO tool to have viable BIPA claims and that the lack of such proof also raised questions relating to class member identification and manageability. The Seventh Circuit further acknowledged that common proof of location may only be available for a subset of claimants, while “individualized inquiries will be necessary for others.” Id. at *5 (“For example, where billing address and geolocation data point to different states, or are unavailable for an alleged VTO use, individual affidavits or other proof will be necessary to show that the claimant used the VTO in Illinois.”).

The Seventh Circuit ultimately ruled that the location of potential class members could generally be determined using (i) users’ billing addresses, (ii) users’ IP addresses and geolocation data, and (iii) personal affidavits from class members attesting that they used the VTO application while in Illinois, and that individualized questions connected to proof of location would not predominate over common questions. See also id. (“[I]t is not uncommon for class actions to have a ‘final phase’ for class members to submit individualized proof of a claim….A phase requiring individual presentations of proof on all (or part of) an element of a claim does not defeat predominance. Stated another way, an individual question does not predominate where common questions of law and fact relevant to liability otherwise generate significant efficiencies and the individual question is manageable.”) (citation omitted). The Seventh Circuit also rejected Amazon’s due process challenge to the district court’s predominance finding because the company would have the opportunity to challenge class members’ individual proof of location.

Implications For Corporate Counsel

Svoboda is one of many cases demonstrating the dangers associated with collecting or retaining biometric information without implementing BIPA-compliant policies. The opinion is also a reminder that the larger the company, the larger the potential class size (and accompanying statutory damages award). The class in Svoboda contained over one hundred thousand individuals, illustrating the potentially significant exposure associated with running afoul of Illinois privacy laws.

Corporate counsel should also remember that the Seventh Circuit’s discussion in Svoboda applies to all class actions (not just those alleging BIPA violations) in which it may not be possible to identify a class member’s location at the time of the alleged privacy violation. As noted above, due process does not require that class counsel be able to uncover such information for all class members at the certification stage. See also, e.g., Mullins v. Direct Digital, LLC, 795 F.3d 654, 672 (7th Cir. 2015) (“[C]ourts should not decline certification merely because the plaintiff’s proposed method for identifying class members relies on affidavits.”).

By Gerald L. Maatman, Jr., George J. Schaller, and Ryan T. Garippo

Duane Morris Takeaways: On June 10, 2025,inClay v. Union Pac. R.R. Co, No. 24-CV-4194, 2025 U.S. Dist. LEXIS 108672 (N.D. Ill. June 10, 2025), Judge Georgia N. Alexakis of the U.S. District Court for the Northern District of Illinois certified for interlocutory appeal her decision denying Union Pacific’s motion for partial summary judgment after concluding the 2024 amendment to the Illinois Biometric Information Privacy Act (the “BIPA”) was not retroactive.  In 10 days from entry of Judge Alexakis’ Order, Union Pacific may request the Seventh Circuit’s review of the certified question of whether the 2024 amendment to the BIPA applies retroactively. This would be a key issue of significant importance to all companies facing BIPA class actions.

Case Background

Plaintiff Reginald Clay is a truck driver that visited Union Pacific’s facilities. He alleges Union Pacific required him to register his fingerprint information and scan his fingerprints upon entering and exiting those facilities.  Id. at *2-3.  Clay also alleges Union Pacific did not “disclose what was done with his [fingerprint] information or how it would be stored.”  Id. at *3.  On April 16, 2024, Clay sued Union Pacific under the BIPA. 

In August 2024, the Illinois legislature amended the BIPA to “clarify that when an entity subject to the [BIPA] ‘in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection,’ in violation of the [BIPA], the entity ‘has committed a single violation … for which the aggrieved person is entitled to, at most, one recovery.’”  Id. (quoting 740 ILCS 14/20(b), (c), as amended by SB 2979, Public Act 103-0769.)

On November 4, 2024, Union Pacific moved for partial summary judgment and argued “under the 2024 BIPA amendment Clay was now entitled to recover for at most a single BIPA violation rather than the ‘per-scan’” violation under Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 24.  Id. at *3-4.  On April 10, 2025, the Court concluded that “the BIPA amendment was substantive rather than procedural” and therefore the BIPA amendment “was not retroactive under Illinois law, and thus did not apply to Clay’s claim.”  Id. at *4. 

Union Pacific requested certification of the Court’s order for interlocutory appeal.  Clay opposed the request.

The Court’s Order

On June 10, 2025, the Court certified Union Pacific’s request for an interlocutory appeal of the order denying Union Pacific’s partial motion for summary judgment.  Id. at *7.

The Court determined Union Pacific satisfied the four statutory criteria under 28 U.S.C. § 1292 (b)that: “there must be a question of law, it must be controlling, it must be contestable, and its resolution must promise to speed up the litigation.”  Id. at *1-2.  In addition, the Court found Union Pacific satisfied the Seventh Circuit’s fifth “non-statutory requirement: [that] the petition must be filed in the district court within a reasonable time after the order sought to be appealed.”  Id. at *2.

The Court reasoned whether the 2024 amendment to the BIPA is retroactive is “undoubtedly ‘a question of the meaning of a statutory or constitutional provision,” the Amended BIPA “presents ‘an abstract issue of law . . . suitable for determination by an appellate court without a trial record,” and that the question of BIPA retroactivity “is quite likely to affect the further course of litigation.”  Id. at *4.  As Union Pacific argued, and as the District Court agreed, if the “Seventh Circuit were to conclude that Clay was entitled to only one recovery… [that] certainty about the retroactivity of the 2024 amendment would ‘materially advance the ultimate termination of the litigation.”  Id. at *5.

The Court reasoned Union Pacific’s motion was timely because the Court “did not consider 28 days to be unreasonable in preparing a motion to certify for interlocutory appeal a novel question of state law, especially when Clay points to no prejudice he suffers as a result.”  Id. at *6.

The Court also opined that while “the Court shares Clay’s view that its April 10 order was ‘correctly reasoned,’[], its confidence does not mean that BIPA retroactivity is not ‘contestable’ within the meaning of § 1292.”  Id.  In addition, the Court relied on the overwhelming decisions of judges within the Northern District of Illinois and Illinois state court finding the “BIPA amendment does not apply retroactively to pending cases, [], so no current dispute exists among the courts.”  Id. at *6-7.  But that the consensus of these decisions “does not mean there is ‘no substantial ground for difference of opinion’ about retroactivity.”  Id. at *7.

The Court concluded that though its “confidence in its earlier decision” in Schwartz v. Supply, Inc., 23-CV-14319, (N.D. Ill. Nov. 22, 2024) (finding 2024 BIPA amendment not retroactive to pending cases) is not changed that it acknowledges “the novelty and complexity of the legal issue” of retroactivity.  Accordingly, the Court found Union Pacific meet all four statutory requirements and the Seventh Circuits’ timeliness requirement and certified Union Pacific’s interlocutory appeal.

Implications For Companies

The ruling in Clay sparks newfound hope on the hotly contested issue of retroactivity of the 2024 amendment to the BIPA.  Judge Alexakis’ well-reasoned decision allows Union Pacific 10 days from the Court’s order to request the Seventh Circuit’s interlocutory review of the certified question. 

Should the Seventh Circuit grant Union Pacific’s pending request, then the BIPA’s “per-scan” damages for pre-amendment BIPA litigation will receive further consideration.  However, even if the Seventh Circuit grants the request, there is always a possibility the Seventh Circuit certifies the question to the Illinois Supreme Court.

Until then, the deluge of decisions referenced in Clay denying retroactivity remain in effect.  Companies met with BIPA litigation must monitor Clay as it progresses through interlocutory review.

By Gerald L. Maatman, Jr., Ryan T. Garippo, and George J. Schaller

Duane Morris Takeaways:  On August 2, 2024, Illinois Governor J.B. Pritzker signed Senate Bill 2979, which amends the draconian penalties under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (the “BIPA”).  Senate Bill 2979 and its reformed language can be accessed here.  For Companies caught in the BIPA’s crosshairs, this reform ushers in a welcome reprieve to the former statute’s harsh regime of penalties.

Background On The BIPA’s Former Construction

The BIPA statute codifies restrictions against companies that collect biometric information and identifiers.  See 740 ILCS 14/1.  The rationale for this legislation was that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information” and as such, “[t]he full ramifications of biometric technology are not fully known.”  Id. § 14/5(c)-(f).  Consequently, the BIPA prohibited companies from “collect[ing], captur[ing], purchas[ing], receiv[ing]” or “disclos[ing], redisclos[ing], or otherwise disseminat[ing]” an individual’s biometric data.  Id. § 14/15(b)-(d).  The BIPA further imposed statutory damages in the amount of $1,000 for each negligent violation of the statute, and $5,000 for each intentional violation.  Id. § 14/20.

As a result, what constituted a single “violation” of the BIPA had significant consequences for companies.  If violations occurred on a “per person” basis, the highest amount of damages that a company could owe an individual was $1,000 or $5,000 respectively.  However, if violations occurred on a “per scan” or “per incident” basis, companies would owe damages for each time that they collected or disseminated that data.  Under the latter, companies could be required to sometimes pay “class-wide damages [that] . . . exceed $17 billion” dollars.  Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 76 (Feb 17, 2023) (Overstreet, J., dissenting).  Despite the legislature’s concerns with collecting biometric information, many companies argued that this outcome cannot be what the Illinois General Assembly intended.

Regardless, on February 17, 2023, the Illinois Supreme Court issued a landmark decision on this statutory question.  The Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.”  Id. at ¶ 31.  However, the opinion was not unanimous.  Justice Overstreet objected to this interpretation of the statute and criticized the majority for adopting an interpretation that caused “Illinois businesses to be subject to cataclysmic, jobs-killing damages, potentially up to billions of dollars, for violations of the Act.”  Id. at ¶ 73 (Overstreet, J., dissenting).  But Justice Overstreets’ dissents were only dissents, and his interpretation of the law was not adopted.

Legislative Revisions To The BIPA Under SB 2979

On August 2, 2024, and over a year later, Governor Pritzker and the Illinois General Assembly vindicated Justice Overstreet’s dissents. They explained that “it does not withstand reason to believe the legislature intended this absurd result.”  Id.  SB 2979 makes two major corrections to the BIPA’s draconian reach.  First, the reform removes “per scan” violations from the statute.  Now, damages under Sections 15(b) and 15(d) of the BIPA accrue on a “per person” basis.  Specifically, the statute now states:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

740 ILCS 14/20 (b)-(c) (emphasis added).

Second, the statute now also allows for companies to obtain a “electronic signature” in order to secure a release from BIPA liability.  740 ILCS 14/10.

Impact Of SB 2979 On Class Action Litigation Under The BIPA

The importance of this reform cannot be understated.  For example, before SB 2979, at a company like the one in Cothron, where each employee “scans his finger (or hand, face, retina, etc.) on a timeclock four times per day — once at the beginning and end of each day and again to clock in and clock out for one meal break — over the course of a year,” that company would have collected a single employee’s “biometric identifiers or information more than 1000 times.”  Cothron, 2023 IL 128004, ¶ 78 (Overstreet, J., dissenting).  Over the course of five years, that same employee may have scanned over 5,000 times.  Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 32 (Feb. 2, 2023) (holding 5-year statute of limitations applies for violations of the BIPA).

Under those circumstances, at a rate of $1,000 per violation, a company may owe $5,000,000 to that employee alone.  And, at a rate of $5,000 per violation, a company may owe $25,000,000 to that employee.  After SB 2979’s passing, this exact same company would only owe $1,000 or $5,000 to each employee respectively.  A such, this reform ushers in a new era of damages limits surrounding BIPA litigation, and peace of mind to corporate counsel charged with defending their companies from such massive liability.

Implications for Employers

As to companies currently engaged in BIPA litigation, there is reason to believe that such legislation may not be viewed as retroactive.  However, even if this legislation is not retroactive, damages under the BIPA are discretionary and are not required to be imposed.  See, e.g., Rogers v. BNSF Railway Company, 680 F. Supp. 3d 1027, 1041-42 (N.D. Ill. 2023).  Companies can expect the retroactive-effect of SB 2979, or lack thereof, to be the next battleground for BIPA litigation.

Consequently, SB 2979 now places companies in the best position possible to avoid “this job-destroying liability” until the remaining BIPA cases work themselves through the judicial system.  Cothron, 2023 IL 128004, ¶ 86 (Overstreet, J., dissenting).  As those cases progress, companies should revisit to ensure continued compliance with the BIPA and monitor SB 2979’s impact in on-going BIPA cases.