What the BIPA Ruling Means for Springfield Businesses

On April 1, 2026, the Seventh Circuit Court of Appeals closed out a question that had been open since the summer of 2024: whether Illinois' cap on biometric privacy damages applies to lawsuits that were already filed when the cap became law. In Clay v. Union Pacific Railroad Company, the court said it does. If your business uses a fingerprint time clock, a hand scanner at a warehouse door, or any kind of biometric login, that answer is the difference between a manageable legal exposure and a business-ending one.

The Illinois Biometric Information Privacy Act, known as BIPA, has been on the books since 2008. It requires any private entity that collects fingerprints, retina scans, voiceprints, or facial geometry to get written consent first, explain what the data is for and how long it's kept, and never sell or profit from it. It applies to a two-person accounting office with a fingerprint punch clock the same way it applies to a Fortune 500 company, and it gives individuals the right to sue directly rather than waiting on a regulator to act.

Most of the Sangamon County business owners I talk to installed biometric time clocks or door locks because punch cards and shared PIN codes were getting abused, not because anyone walked them through Illinois privacy law first. That gap between why the technology went in and what it requires under Illinois law is exactly where BIPA risk lives, and it's the kind of gap that gets caught early or gets caught in a demand letter.

What the Seventh Circuit Just Decided

The story starts with Cothron v. White Castle System, a 2023 Illinois Supreme Court decision. The court held that a BIPA claim accrues every single time a company scans or transmits someone's biometric data without consent, not just the first time. For a company that scanned an employee's fingerprint twice a day for years, that reading turned one employment relationship into thousands of separate violations, each carrying its own damages figure. The Illinois Supreme Court flagged the problem itself, noting there was no sign the legislature intended damages that could financially destroy a business, and it invited lawmakers to fix it.

Lawmakers did. In August 2024, Governor JB Pritzker signed Senate Bill 2979, which became Public Act 103-0769. The amendment clarified that collecting or disclosing the same biometric identifier from the same person using the same method counts as a single violation, capped at one recovery, not one recovery per scan. What the amendment didn't say was whether it applied to the cases already sitting in court when it passed. That silence is what kept businesses and their insurers guessing for almost two years, until the Seventh Circuit ruled in Clay v. Union Pacific that the amendment is a remedial, procedural change and applies retroactively to pending cases.

Why "Per Scan" vs. "Per Person" Is a Big Deal

BIPA's underlying damages haven't moved. Under the statute maintained by the Illinois General Assembly, a negligent violation carries liquidated damages of $1,000 or actual damages, whichever is greater, and an intentional or reckless violation carries $5,000 or actual damages, plus attorneys' fees. Those numbers look manageable until you multiply them. Under the per-scan reading from Cothron, a business with 50 employees clocking in and out with a fingerprint scanner for three years could theoretically rack up tens of thousands of separate violations. Under the amendment now confirmed retroactive by the Seventh Circuit, that same business faces damages tied to violations per person, not per scan, which brings the math back down to something closer to the number of people affected.

As Covington's Inside Privacy blog put it, the ruling "significantly reduces potential damages in existing BIPA class actions" by cutting off the per-scan liability theory for cases already in the pipeline. That's real relief if your business is currently facing a claim. It is not the same as saying BIPA stopped mattering.

What Hasn't Changed

None of this touches the actual compliance requirements. You still need written, signed consent before you collect anyone's fingerprint or facial scan, whether that's an employee badge system or a client-facing check-in kiosk. You still need a published policy on how long you keep biometric data and when you destroy it. And you still can't sell or lease that data to anyone, under any circumstance. As Employment Law Worldview points out, even with the damages cap confirmed, the aggregate exposure for a company with a large workforce or client base can still run into real money, so the incentive to get consent and documentation right hasn't gone anywhere.

What This Looks Like for a Sangamon County Business

Locally, this shows up in two places most often: trades and retail businesses that installed fingerprint time clocks to stop buddy punching, and the legal practices I work with that use biometric locks on file rooms holding client records. Neither group set out to become a BIPA compliance operation. Both are exactly the kind of business the law was written to cover, and both are exactly the kind of business a plaintiff's attorney can find with a basic public records search or a disgruntled former employee's tip.

If you fall into either category, the practical next step isn't panic. It's an honest inventory: what device is collecting what data, whether you have signed consent on file for every person whose data you collect, and whether you have a written retention and destruction policy anyone could read. That's a two-hour conversation, not a project, and it's the kind of thing our support and consulting work covers when a client asks us to look at a specific system rather than the whole IT picture.

One more thing worth saying plainly: this post is general information, not legal advice. If you're facing an actual BIPA claim, or you're not sure whether your consent and retention practices meet the law's requirements, talk to an attorney who handles Illinois privacy litigation.


Frequently Asked Questions (FAQs)

Q: Now that the retroactivity question is settled, is my business safe from a BIPA claim?
A: Not automatically. The Seventh Circuit's ruling caps how damages are calculated in pending cases, but it doesn't remove BIPA's underlying requirements around consent, disclosure, and data retention. A business that never got signed consent for its fingerprint time clock is still out of compliance, regardless of how damages get calculated if a claim is filed.

Q: What should I check first if my business uses a fingerprint time clock or biometric door lock?
A: Start with three things: whether you have signed, written consent on file for every person whose biometric data you collect, whether you have a published policy on how long you keep that data, and who else, if anyone, has access to it. If you can't answer all three without digging, that's your starting point.

Q: How is BIPA different from Illinois' other privacy law, PIPA?
A: BIPA covers biometric identifiers specifically, like fingerprints and facial scans, and lets individuals sue directly. PIPA is Illinois' broader breach-notification law, covering things like Social Security numbers and financial account information, and it's enforced by the Illinois Attorney General rather than through private lawsuits. A business can be subject to both, depending on what data it collects.

Q: Is this article legal advice I can rely on instead of talking to an attorney?
A: No. This is general information meant to help you understand what changed and why it matters. If you're facing a BIPA claim or aren't sure whether your consent and retention practices meet the law's requirements, talk to an attorney who handles Illinois privacy litigation.


About the author. Justin White is the founder of TechGents, an owner-operated IT consulting firm in Springfield, IL. He has nearly two decades of experience across Apple, Windows, and mixed-platform environments, helping small businesses and professionals across Sangamon County and Central Illinois run their technology without an internal IT department.


The damages math around BIPA is more predictable now, but the underlying rules on consent, disclosure, and data retention haven't changed at all.

If you don't know whether your business is even collecting biometric data in the first place, let alone whether you have consent on file, that blind spot is exactly what a vCIO engagement is built to find before it turns into a legal problem.

Reach out through our contact page if you want a second set of eyes on how your business handles biometric data.

Previous
Previous

The Microsoft 365 Phishing Scam That Skips the Fake Page

Next
Next

The Memory Shortage Isn't Just an Apple Story