Ruling applies 2024 amendment retroactively, slashing billions in potential exposure
The Seventh Circuit just rewrote the math on biometric privacy damages – and employers across Illinois are breathing easier.
On April 1, 2026, the US Court of Appeals for the Seventh Circuit ruled that Illinois's 2024 amendment to the Biometric Information Privacy Act applies retroactively to cases that were already pending when the law took effect. The decision consolidates three appeals – Clay v. Union Pacific Railroad Company, Willis v. Universal Intermodal Services, and Gregg v. Central Transport LLC – and lands squarely on a question that has haunted employers since the Illinois Supreme Court's Cothron v. White Castle decision in 2023: how much can a single employee actually recover when their fingerprint gets scanned hundreds or thousands of times without proper consent?
The answer, according to the Seventh Circuit, is far less than plaintiffs had hoped.
BIPA requires private entities to obtain informed written consent before collecting biometric data such as fingerprints or hand geometry. When employers skip that step – often through biometric time clocks or facility access scanners – they expose themselves to statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless one. The Cothron decision made things worse for employers by holding that a new claim accrues every single time an employee scans a fingerprint. That turned routine workplace timekeeping into a potential financial catastrophe. One of the plaintiffs in this case, a commercial truck driver named Reginald Clay, alleged that Union Pacific Railroad collected his fingerprints roughly 1,500 times. If the railroad were found liable for intentional violations, that could have netted him $7.5 million alone. Another plaintiff filed a putative class action that carried a risk running into the billions.
The Illinois Supreme Court saw this coming. In Cothron, the court acknowledged the risk of what it described as potentially annihilative liability and invited the legislature to step in and clarify how damages should be assessed. The General Assembly responded in August 2024 with an amendment to BIPA Section 20 providing that repeated collection of the same biometric data from the same person using the same method counts as a single violation, entitling the aggrieved person to at most one recovery.
The catch was that the amendment said nothing about whether it applied to lawsuits already in progress. Three federal district courts said it did not. The Seventh Circuit disagreed.
Chief Judge Brennan, writing for a unanimous panel that included Judges Hamilton and Jackson-Akiwumi, applied Illinois's established retroactivity framework. Under that framework, the key question is whether a statutory change is substantive or procedural. Illinois law treats remedial changes – those affecting the damages available rather than the underlying rights and obligations – as procedural. Procedural changes apply to pending cases.
The court found the BIPA amendment fits neatly into the remedial category. The legislature placed it in Section 20, the damages provision, and left Section 15, where the substantive consent requirements live, completely untouched. The amendment's own language reinforces this reading: it speaks of recovery, not rights or duties. The court also pointed to the Illinois Supreme Court's observation in Cothron that BIPA damages appear to be discretionary rather than mandatory, noting that the statute uses the word "may" when describing what a prevailing party can recover.
The plaintiffs pushed back on several fronts. They argued that collapsing thousands of violations into one is a substantive change, not a remedial one. The court rejected that argument, finding it both misread the amendment and overstated what Cothron actually decided. Cothron addressed when claims accrue for statute of limitations purposes under Section 15 – it did not interpret how violations are counted for damages under Section 20. The plaintiffs also raised constitutional objections, claiming vested rights in the per-scan damages regime. The court was unmoved, noting that Illinois has held for more than a century that no plaintiff has a vested right to a particular remedy.
The practical effect is significant for HR departments. Employers who collect biometric data through time clocks and access systems still need to comply with BIPA's consent and notice requirements – those obligations have not changed at all. But the financial exposure for past noncompliance has shrunk dramatically. Instead of facing damages multiplied by every scan across every employee, companies now face per-person liability. For organizations with large hourly workforces in Illinois, that shift can mean the difference between a manageable settlement and a business-ending judgment.
The cases have been reversed and sent back to the district courts, where judges will need to reconsider how the ruling affects the remaining issues, including whether some claims still meet the threshold for federal jurisdiction now that the dollar amounts have dropped.