Illinois’s Biometric Information Privacy Act (BIPA) continues to drive a wave of privacy-related litigation across the United States, though a 2024 amendment to the act—the first since BIPA’s enactment in 2008—may slow the pace of cases in the years ahead.
As we explain below, the BIPA amendment drastically limits the potential for large damages awards under the act by redefining the repeated collection or transmission of the same biometric data by the same party as a single BIPA violation. However, courts are split over whether the amendment applies retroactively to violations that occurred prior to the amendment’s enactment, and resolution of that issue will have a significant impact on the volume of BIPA cases moving forward.
Other notable developments, including cases that clarified the definition of covered biometric data and narrowed the applicability of BIPA’s healthcare exemption, offer important guidance for entities that process biometric data pursuant to the law. In this blog post, we highlight key 2024 rulings and trends to inform entities’ BIPA compliance and defense strategies. Please subscribe to the WilmerHale Privacy and Cybersecurity Blog to stay up to date on all of our articles.
BIPA Background
BIPA is a privacy law that regulates the use of biometric data, including fingerprints, eye scans, voiceprints and facial geometry scans. Section 15 of BIPA imposes various obligations on entities that interact with or process biometric data. For example, the law requires that entities obtain an individual’s consent before collecting, obtaining or disclosing that individual’s biometric data. It also requires that entities develop, publicly disclose and comply with a written data retention and deletion policy.
BIPA includes a private right of action for parties that have been aggrieved by a BIPA violation. It also includes a statutory-damages provision stating that a prevailing party may recover $1,000 for each negligent BIPA violation, $5,000 for each intentional or reckless BIPA violation, or actual damages that exceed those amounts. The combination of a private right of action with a statutory-damages provision has led to widespread class action litigation under the law.
Illinois amended BIPA to prevent astronomical damages awards.
In 2024, the Illinois legislature amended BIPA for the first time since the act’s passage in 2008. The BIPA amendment, which became effective upon being signed into law on August 2, 2024, was a direct response to the Illinois Supreme Court’s consequential decision in Cothron v. White Castle System, Inc., decided in 2023.1
In Cothron, the Illinois Supreme Court held that a BIPA claim accrues each time there is a collection or transmission of biometric data constituting a potential violation of the act, even if the same biometric data of the same individual is repeatedly collected or transmitted by the same entity. Consequently, an entity using a fingerprint scanning system to track daily employee attendance, for example, could be liable for thousands of individual BIPA violations, with the potential for penalties up to $5,000 per violation. In its opinion, the Illinois Supreme Court acknowledged this potential for astronomical damages awards but stated that such concerns must be addressed by the state legislature.
The Illinois legislature quickly answered the court’s call. The BIPA amendment confirms that “a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of [the Act] has committed a single violation . . . for which the aggrieved person is entitled to, at most, one recovery.” The amendment also clarifies that an individual may consent to the collection or use of their biometric data via an electronic signature.
This amendment substantially limits plaintiffs’ maximum recovery by classifying repeated biometric collections or transmissions as a single violation, potentially enabling BIPA defendants to exercise more leverage during settlement negotiations. In response, the plaintiffs’ bar may also shift its BIPA litigation strategy to focus on cases with a large number of one-time violations rather than many repeated violations.
For more information about the BIPA amendment, see our prior blog post.
The retroactive application of the BIPA amendment is an open question with significant consequences.
The Illinois legislature did not specify whether the BIPA amendment applies retroactively to alleged violations that occurred prior to the amendment’s enactment, and two judges in the Northern District of Illinois have already issued conflicting opinions on that question.
In Gregg v. Central Transport LLC, decided in November 2024, Judge Elaine E. Bucklo held that the BIPA amendment applies retroactively because it merely clarifies the meaning of the original statute rather than substantively changes the law.2 Bucklo explained that because the issue of large damages awards was “unsettled,” as reflected in Cothron’s invitation to the legislature to clarify the law, the legislature’s “clarified intent enacted in [the BIPA amendment] must be applied as if it were clear from the date of the BIPA’s enactment.”
In Schwartz v. Supply Network, Inc., also decided in November 2024, Judge Georgia N. Alexakis reached the opposite conclusion, holding that the BIPA amendment applies only prospectively because it substantively changes—rather than merely clarifies—the original statute.3 Disagreeing with her colleague’s view that the state legislature amended BIPA to resolve ambiguity regarding the potential for large damages awards, Alexakis interpreted Cothron to suggest that the statute was in fact quite clear, even if it produced potentially unintended policy consequences. And in correcting those unintended policy consequences, Alexakis wrote, the amendment “redefines what constitutes a violation of the Act in the first place”—a plainly substantive change that precludes retroactive application of the amendment under Illinois law.
In light of these conflicting decisions, it is likely that the Seventh Circuit or Illinois courts will take up the issue of the BIPA amendment’s retroactivity in the coming months, and its resolution will have significant consequences on the scope of BIPA plaintiffs’ maximum potential recovery for years to come. If the amendment is found to apply only prospectively, any alleged BIPA violation that occurred prior to August 2, 2024, will be analyzed under the original statute, potentially exposing entities to enormous “per-scan” damages awards as contemplated in Cothron. And given the five-year statute of limitations for bringing such claims, a party could seek to recover under this expansive damages framework as late as August 2029.4 In contrast, if the amendment is found to apply retroactively, all BIPA claims, including those currently pending, will be analyzed under the amended statute. This result would likely produce a notable decrease in new BIPA claims and potentially even dismissals of pending lawsuits, particularly in federal court, where jurisdiction over state law claims often requires more than $75,000 in controversy.5
The definitions of “biometric identifier” and “biometric information” continue to generate litigation.
In 2024, courts continued to grapple with the BIPA definitions of “biometric identifier” and “biometric information,” the two categories of biometric data protected from unauthorized collection or transmission under the act. In doing so, several courts somewhat narrowly construed the terms to the benefit of BIPA defendants, finding that the act covers only biometric identifiers and information that enable defendants to determine an individual’s identity.
For example, in a case concerning photos uploaded to a social media platform,6 the Northern District of Illinois held that biometric identifiers and information must be capable of identifying an individual to be subject to BIPA. Fatal to the plaintiffs’ claim was the complaint’s failure to allege “that any details of an individual’s face are measured or recorded during the [platform’s photo] scan or that those records were used to identify individuals.”
This case and others highlight two important variables at play in many BIPA cases.7 First, the outcome of a motion to dismiss often turns on the specificity of allegations in the complaint, with plaintiffs prevailing only when adequately alleging that the defendant is capable of using the biometric data at issue to identify an individual. Second, when defending against a BIPA claim, entities may benefit by carefully explaining whether specific components of their technology analyze, measure or record biometric data in a manner that cannot connect such data to an individual. Entities should note, however, that the benchmark of this analysis is capability of identification—an entity that can use collected data to identify an individual is subject to BIPA liability regardless of whether it actually uses such data to make identifications. Thus, entities can generally mitigate BIPA exposure by fine-tuning their technology to better bifurcate data collection and identification elements.
BIPA’s healthcare exemption may be narrower than expected.
A 2024 Illinois state court decision indicates that courts may begin to impose stricter limits on the application of BIPA’s healthcare exemption, which excludes from the act’s coverage “information captured from a patient in a health care setting” and “information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”8
In a departure from three federal courts that have ruled on the issue in recent years,9 the Appellate Court of Illinois decided in Marino v. Gunnar Optiks LLC that an entity collecting biometric data via a virtual try-on tool for sunglasses can rely on BIPA’s healthcare exemption only when the tool is used for prescription sunglasses.10 The court specified that BIPA’s healthcare exemption applies only to biometric data “taken from an individual who is presently awaiting or receiving medical care in a time, place, or circumstance where efforts are being made to maintain, restore, or promote that individual’s well-being, especially as performed by trained and licensed professionals.”
Several of the federal court decisions applying the healthcare exemption in this context had relied on the US Food and Drug Administration’s classification of nonprescription sunglasses as a Class I medical device, but the Illinois court was not persuaded, noting that Class I medical devices include a broad range of commonly used products such as bandages and toothbrushes.
Instead, applying its own definition of data subject to the exemption, the Illinois court ruled that a customer who uses a virtual try-on tool for nonprescription sunglasses “is not a patient in a health care setting because they are not presently awaiting or receiving medical care.”
Moving forward, Marino’s definition will control in decisions over the application of BIPA’s healthcare exemption. Entities hoping to rely on the exemption should review the circumstances of their biometric data collection accordingly and ensure BIPA compliance as to any data for which application of the exemption is unclear.
Conflict-of-laws defenses produce mixed results.
Several 2024 cases highlighted the mixed success of raising contractual choice-of-law provisions and the extraterritoriality doctrine as defenses against BIPA claims.
The viability of using a contractual choice-of-law provision to secure dismissal of a BIPA claim typically turns on the choice-of-law rules of the forum state. However, in 2024, courts in California and Texas—both of which apply Restatement (Second) Conflict of Laws § 187 to determine the governing law of a case—reached opposite conclusions regarding whether to apply Illinois or forum law to a BIPA dispute.11 Key to the Texas court’s application of Texas law was the court’s finding that Texas’s biometric data protection statute provides a level of protection against unauthorized collection or transmission similar to that of BIPA.
Parties have also relied on Illinois’s extraterritoriality doctrine to limit recovery under BIPA to violations occurring primarily and substantially in Illinois. For example, in a BIPA case involving a company’s use of a biometric dataset prepared by a third party, the Northern District of California ruled in March 2024 that the plaintiffs’ failure to directly connect any of the company’s alleged conduct to Illinois necessitated dismissal under the extraterritoriality doctrine.12 However, the same court then reversed its ruling in December 2024 after finding that the plaintiffs’ amended complaint sufficiently alleged that the company’s Illinois-based employees used the dataset to improve the company’s smartphones.13
As these cases demonstrate, the loosely defined elements of many states’ choice-of-law rules and the fact-intensive nature of Illinois’s extraterritoriality doctrine give judges wide latitude to determine whether BIPA applies in a given case. In light of this uncertainty, these tools should never be the primary component of a BIPA defense strategy, though they may prove successful under certain circumstances.
1 Cothron v. White Castle Sys., Inc., 2023 IL 128004.
2 Gregg v. Cent. Transp. LLC, No. 24 C 1925, 2024 WL 4766297 (N.D. Ill. Nov. 13, 2024).
3 Schwartz v. Supply Network, Inc., No. 23 CV 14319, 2024 WL 4871408 (N.D. Ill. Nov. 22, 2024).
4 See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (finding that claims under BIPA are governed by a five-year limitation period).
5 The opinions in both Gregg and Schwartz were rulings on motions to dismiss for lack of subject matter jurisdiction, with the defendant in each case arguing that the BIPA amendment reduced the plaintiff’s potential recovery to below the $75,000 threshold for proceeding in federal court.
6 Martell v. X Corp., No. 23 C 5449, 2024 WL 3011353 (N.D. Ill. June 13, 2024).
7 See, e.g., G.T. v. Samsung Elecs. Am. Inc., No. 21 CV 4976, 2024 WL 3520026 (N.D. Ill. July 24, 2024) (concluding that “BIPA only covers those [biometric identifiers] that are capable of identifying an individual”); Tibbs v. Arlo Techs., Inc., No. 23-CV-05096-EJD, 2024 WL 3218650 (N.D. Cal. June 27, 2024) (denying motion to dismiss because plaintiffs adequately alleged that defendant could use captured data to identify plaintiff); Delgado v. Meta Platforms, Inc., 718 F. Supp. 3d 1146, 1158 (N.D. Cal. 2024) (same); Castelaz v. Estee Lauder Companies, Inc., No. 22 CV 5713, 2024 WL 136872 (N.D. Ill. Jan. 10, 2024) (dismissing case because “Plaintiffs fall short of providing any specific factual allegations that [Defendant] is capable of determining Plaintiffs and members of the Illinois class members’ identities by using the collected facial scans, whether alone or in conjunction with other methods or sources of information available to [Defendant]”). But see Konow v. Brink’s, Inc., 721 F. Supp. 3d 752 (N.D. Ill. 2024) (expressing, in dicta, uncertainty over whether the individual identification requirement “is supported by BIPA’s plain language”).
8 740 Ill. Comp. Stat. 14/10 (2008).
9 See Warmack-Stillwell v. Christian Dior, Inc., 655 F. Supp. 3d 742 (N.D. Ill. 2023); Svoboda v. Frames for Am., Inc., No. 21 C 5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022); Vo v. VSP Retail Dev. Holding, Inc., No. 19 C 7187, 2020 WL 1445605 (N.D. Ill. Mar. 25, 2020).
10 Marino v. Gunnar Optiks LLC, 2024 IL App (1st) 231826.
11 Compare Delgado v. Meta Platforms, Inc., 718 F. Supp. 3d 1146 (N.D. Cal. 2024) (applying Illinois law because “California law conflicts with a fundamental policy of Illinois law, as embodied in BIPA; and Illinois has a materially greater interest in the outcome of this BIPA dispute”), with Baker v. Match Grp., Inc., No. 3:23-CV-02761-N, 2024 WL 4626079 (N.D. Tex. Oct. 30, 2024) (applying Texas law because “[w]hile Illinois may have a materially greater interest than Texas, Plaintiffs have failed to demonstrate that Illinois has a more significant relationship to the parties and the transaction than Texas or that the application of Texas law would be contrary to Illinois fundamental policy”).
12 Vance v. Google LLC, No. 20-CV-04696-BLF, 2024 WL 1141007 (N.D. Cal. Mar. 15, 2024).
13 Vance v. Google LLC, No. 20-CV-04696-BLF, 2024 WL 5011611 (N.D. Cal. Dec. 5, 2024).
