The complaint usually arrives with a number attached, and the number is designed to take your breath away. A former employee, now a class representative, says your company scanned her fingerprint every time she punched the clock. Multiply one finger scan by every shift, by every worker, across several years, and the demand letter floats an exposure figure that looks less like a lawsuit and more like a going-out-of-business sale. The message is not subtle. Settle now, settle big, and do not ask too many questions.
That message is a negotiating tactic. It is not a legal conclusion. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 and following, is a real statute with real teeth, and we do not pretend otherwise to our clients. But the law in this area has moved hard over the last three years, and a meaningful share of that movement has favored the defense. The Illinois business that understands the current landscape negotiates from a much stronger position than the business that reaches for the checkbook the day it is served.
Start with what the statute actually requires, because most demand letters blur it. BIPA regulates biometric identifiers and biometric information, which the Act defines to include fingerprints, retina and iris scans, voiceprints, and scans of hand or face geometry. Section 15(b) is the heart of most cases. Before a private entity collects that data, it must tell the person in writing that the data is being collected, state the specific purpose and the length of term for which it will be collected and stored, and obtain a written release. Section 15(a) requires the entity to publish a written retention and destruction policy and to destroy the data when the purpose is satisfied or within three years of the person’s last interaction, whichever comes first. Section 15(c) bars selling or profiting from the data. Section 15(d) restricts disclosure. Section 15(e) requires a reasonable standard of care in storage. Section 20 supplies the damages that make these cases attractive to the plaintiffs’ bar: liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or actual damages if greater, plus attorney fees and an injunction.
For several years the Illinois Supreme Court read those provisions in ways that steadily raised the stakes. In Rosenbach v. Six Flags Entertainment Corp., the Court held that a person is aggrieved, and may sue, on the bare violation of the statute, with no need to plead an actual injury. In Tims v. Black Horse Carriers, Inc., the Court held that the generous five-year catch-all limitations period governs every BIPA claim. And in Cothron v. White Castle System, Inc., a divided Court held that a separate claim accrues with every scan and every transmission, not just the first one. Cothron is the decision that produces the eye-watering numbers, because it lets a plaintiff multiply a single fingerprint by years of daily punches.
Here is what the demand letters tend to leave out. The legislature answered Cothron. Effective August 2, 2024, Public Act 103-0769 amended Section 20 so that a private entity that collects or discloses the same biometric identifier from the same person using the same method commits a single violation, for which the aggrieved person is entitled to, at most, one recovery. The same amendment confirmed that an electronic signature satisfies BIPA’s written-release requirement. In plain terms, the per-scan multiplication that drove the catastrophic exposure figures was cut off at the knees for conduct going forward, and the recovery is now anchored to the person, not the punch.
The defense news did not stop there. In Clay v. Union Pacific Railroad Co., one of a set of consolidated appeals the United States Court of Appeals for the Seventh Circuit decided in April 2026, the court held that the 2024 damages amendment applies retroactively to cases that were already pending when it took effect. The court reasoned that the change was remedial rather than substantive, because it altered only the damages available and not the underlying standard of liability, and that Illinois courts apply remedial changes retroactively. For Illinois businesses defending claims premised on years of historical scans, that holding can transform the math the plaintiff has been counting on.
The amendment limits the size of the case. Several established defenses can dispose of it altogether or push it out of the forum the plaintiff wants. Three are worth understanding.
The first is the health care exemption. Section 10 excludes information collected, used, or stored for health care treatment, payment, or operations under HIPAA. In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court read that exemption in the disjunctive and applied it to the fingerprints health care workers used to access medication dispensing systems for patient care. A hospital, clinic, or other provider sued over biometrics tied to patient care should look hard at Section 10 before conceding the statute even applies.
The second is federal labor preemption. In Walton v. Roosevelt University, the Illinois Supreme Court held that Section 301 of the Labor Management Relations Act preempts BIPA claims brought by union employees when the collective bargaining agreement contains a broad management-rights clause, because the dispute belongs in the grievance and arbitration process, not in court. For employers with a unionized workforce, and a management-rights clause is common, Walton can move the entire fight to a different arena.
The third is Article III standing, which is really a venue weapon. In Bryant v. Compass Group USA, Inc., the Seventh Circuit held that a Section 15(b) violation is a concrete injury sufficient for federal standing, but that a bare Section 15(a) retention-policy violation is a duty owed to the public at large and does not confer standing. That asymmetry creates real strategic leverage. A defendant sued in state court on a standalone Section 15(a) theory cannot be forced into federal court on it, and a plaintiff who pleads only that kind of claim after removal may find the federal case sent back rather than dismissed. Knowing which claims live where is often the difference between controlling the litigation and reacting to it.
Two practical points round out the picture. Consent is a defense, and it is the cheapest one to have in hand before a lawsuit ever arrives, so the written notice and release under Section 15(b) should be in place, dated, and retained for every person whose data is collected. And coverage is worth a hard look, because in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., the Illinois Supreme Court found a duty to defend a BIPA suit under a general liability policy, which means the carrier may owe defense costs the business assumes it must bear alone.
None of this makes BIPA a paper tiger. The statutory damages are real, the five-year window is long, and a noncompliant biometric program is a genuine liability. The point is that the case that looks existential on day one is frequently smaller, more defensible, and more jurisdictionally complicated than the demand letter admits. The businesses that do well are the ones that treat the complaint as the opening of a contest to be analyzed, not a verdict to be paid.
At DiTommaso Lubin, P.C., we defend Illinois employers and businesses against biometric privacy class actions, from the first demand letter through dispositive motions, removal and remand fights, and resolution. If your company uses fingerprint timeclocks, facial or voice recognition, or any biometric system, the time to assess your exposure and your defenses is before the next filing, not after. Call DiTommaso Lubin, P.C. at 630-333-0333 for a free consultation, or contact us online. We can help you measure the real size of a BIPA claim and the defenses that cut it down. This post is for general information and is not legal advice.