Privacy compliance obligations continue to evolve quickly, as lawmakers and regulators refine rules governing data collection and security. As biometric technologies become more common in workplace and consumer-facing settings, Illinois’s Biometric Information Privacy Act (“BIPA”) remains a standout risk area. However, an April 2026 ruling from the U.S. Court of Appeals for the Seventh Circuit provided some clarity on a longstanding question regarding risk exposure under the law.
In Clay v. Union Pacific Railroad Co.,[1] a consolidated appeal involving three separate cases, the court held that Illinois’s August 2024 amendment to BIPA’s damages provision (the “2024 Amendment”) was a procedural change to the law’s remedies provision. And under Illinois law, procedural amendments apply retroactively to all cases that were pending when the amendment was enacted. Going forward, BIPA plaintiffs in federal court can no longer rely on a “per-scan” statutory damages theory to multiply exposure based on repeated capture or disclosure of the same biometric identifier collected in the same manner.
Background on BIPA
BIPA regulates the collection, retention, and disclosure of biometric identifiers, such as fingerprints, hand and facial geometry, and retina or iris scans. Private entities that handle biometric data must obtain individuals’ informed consent and develop a written data retention and deletion policy, among other obligations. BIPA also provides a private right of action and authorizes statutory damages for violations. Together, these provisions have driven extensive class action litigation.
BIPA litigation accelerated in 2023 when the Illinois Supreme Court, in Cothron v. White Castle System, Inc., interpreted BIPA to allow a new claim to “accrue” each time biometric data is collected or transmitted without compliant notice and consent. Because BIPA allows recovery of up to $1,000 for negligent violations and up to $5,000 for reckless or intentional violations, the “per-scan” model translated quickly into significant financial liability. The Cothron court recognized the potential for “annihilative liability” in its interpretation of the law, but noted that the policy concern would be best addressed by the legislature.
The 2024 Amendment and the Seventh Circuit’s Holding
Amid a groundswell in the wake of Cothron, Illinois lawmakers amended Section 20 of BIPA in August 2024 to clarify that when an entity repeatedly collects or discloses the same biometric identifier or information from the same person using the same method, that conduct amounts to one violation for which the plaintiff may obtain only one statutory recovery. Notably, the legislature did not add explicit language addressing whether this damages limitation applies to cases already filed.
In Clay, the Seventh Circuit held the 2024 Amendment applies to cases that were pending when the amendment became effective on August 2, 2024. The court relied on the Illinois retroactivity doctrine, which distinguishes substantive changes – affecting litigants’ rights – from procedural (or remedial) changes to statutes. Procedural amendments generally apply to pending cases unless the legislature clearly indicates otherwise. The court deemed the 2024 Amendment remedial because it limits recoverable damages in Section 20 of BIPA without changing the underlying compliance duties specified in Section 15.
What the Decision Does and Does Not Do
The decision effectively applies the damages cap to all new and pending federal cases in the Seventh Circuit: plaintiffs alleging repeated scans or disclosures of the same biometric data, collected via the same method, are limited to a single statutory recovery under Sections 15(b) and 15(d). The decision does not, however, erase BIPA exposure. The core compliance duties – notice, written consent, and retention/destruction requirements – remain intact.
The decision also reflects an Erie-based prediction of how the Illinois Supreme Court would rule on the retroactivity question. In other words, “[w]hen no decision from the state supreme court squarely controls, federal courts predict how the relevant state court would rule.”[2] While the Seventh Circuit expressed strong confidence in its interpretation of Illinois retroactivity principles, Illinois state courts could ultimately take a different approach.
Implications for Healthcare Providers
BIPA issues are increasingly relevant for healthcare organizations as biometric collection becomes more common across clinical and operational settings. For example, organizations are experimenting with fingerprint and hand geometry scans to aid in workforce timekeeping and attendance systems. Certain security and authentication tools also rely on staff members’ voiceprints or facial geometry for access to systems or restricted areas.
These use cases may not always fall under BIPA’s healthcare exemption, which excludes from the definition of “biometric identifier” any (i) information captured from a patient in a healthcare setting, or (ii) information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA. The exemption has been narrowly construed. The Illinois Supreme Court, for example, has held that collection of employees’ biometrics fits within the exemption only when tied directly to HIPAA-defined treatment, payment, and healthcare operations – such as to access medications and medical supplies.[3] By contrast, employee biometrics collected for general workplace administration (e.g., timekeeping or facility access) may present a less clear fit with the healthcare exemption and should be evaluated carefully based on the specific purpose and use of the biometric data.
Accordingly, healthcare entities should view the Clay decision as meaningful damages relief, but by no means as a broad shield from BIPA risk. Given continued uncertainty around the exact scope of the healthcare exemption, the safest course for employee biometrics collection involves BIPA-style notice, written consent, and a compliant data retention and destruction policy.
Immediate Practical Implications
Organizations operating in Illinois should promptly reassess their litigation strategy and risk exposure, with particular attention to how the ruling reshapes damages calculations, the evolving legal landscape, and jurisdictional considerations.
- Recalculate exposure and revisit settlement positions. The decision meaningfully lowers statutory damages in cases built around frequent scanning. For example, a claim that previously could have supported a multi-million-dollar demand under a per-scan model may now be limited to a single statutory award (depending on negligence vs. recklessness/intent and other claim specifics).
- Watch for Illinois Supreme Court developments. Plaintiffs may pursue Illinois Supreme Court consideration of retroactivity. Until the state’s high court resolves the question, litigants should consider the risk that federal and state courts may apply different standards.
- Continue to comply with core BIPA requirements. As a baseline, entities should ensure they:
  - Provide written notice describing what biometric data is collected, the purpose for collection and use, and the length of time it will be retained;
  - Obtain written consent before collecting or otherwise obtaining biometric data;
  - Maintain a publicly available data retention and destruction policy (including a schedule and guidelines for permanent destruction);
  - Refrain from selling, leasing, or otherwise profiting from biometric data; and
  - Prohibit disclosure or dissemination of biometric data except as permitted by BIPA, and apply reasonable safeguards to protect biometric data.
Looking Ahead
The Seventh Circuit’s ruling provides organizations under its jurisdiction some relief from the most extreme damages scenarios tied to repeated biometric scans. However, it is not an invitation to relax compliance efforts. BIPA claims remain active, and plaintiffs continue to test biometric-adjacent technologies, including tools involving voice, facial features, and emerging workplace surveillance tech. Companies should be aware of the continued expectation and importance of robust biometric governance practices.
Footnotes
[1] Clay v. Union Pac. R.R. Co., No. 25-2185, 2026 WL 891902 (7th Cir. Apr. 1, 2026).
[2] Montana v. Wyoming, 563 U.S. 368, 377 n.5 (2011) (quoting West v. Am. Tel. & Tel. Co., 311 U.S. 223, 236 (1940)).
[3] Mosby v. Ingalls Mem’l Hosp., 234 N.E.3d 110 (Ill. 2023).