BIPA Got Smaller. Your Risk Just Got Bigger.
BIPA Got Smaller. Your Risk Just Got Bigger.
This episode is based on our article:
Read the full article →BIPA Got Smaller. Your Risk Just Got Bigger.
Full Episode Transcript
A single worker gets their face scanned fifteen hundred times clocking in and out of a warehouse. Before last year, that worker could seek seven and a half million dollars in damages under Illinois' biometric privacy law. Today, the maximum is five thousand.
That's not a typo
That's not a typo. The legal ceiling for biometric privacy violations in Illinois dropped by more than ninety-nine percent — and most people outside the legal world have no idea it happened. If you've ever scanned your finger to punch a time clock, or had your face captured walking into a store, this shift touches you directly. Illinois' Biometric Information Privacy Act — known as B.I.P.A. — has been the strongest biometric privacy law in the country for over a decade. It's the law that forced Facebook to pay six hundred and fifty million dollars to settle a class action back in twenty twenty-one. It's the law Clearview A.I. settled under for nearly fifty-two million dollars just last year. Now, appellate courts are trimming it back — and a new ruling in an Amazon Web Services biometric data case has legal experts saying the judiciary is tilting toward defendants. So if the penalties are shrinking, does that mean the risk of collecting someone's biometric data just got smaller too?
The answer is more complicated than the headline suggests. Start with what actually changed. In twenty twenty-four, Illinois amended B.I.P.A. to cap damages at one recovery per person — not one recovery per scan. That's a massive difference. Under the old framework, every single time a system captured your fingerprint or your faceprint counted as a separate violation. Fifteen hundred scans, fifteen hundred violations, five thousand dollars each. That math is what made B.I.P.A. the most feared biometric statute in the country. The amendment collapsed all of those scans into one claim per person, with a maximum payout of five thousand dollars.
Then came the Seventh Circuit. According to reporting from Sidley Austin's Data Matters blog, the Seventh Circuit ruled this damages cap applies retroactively — meaning it reaches back to cover cases that were already pending before the amendment passed. Plaintiffs who filed suit expecting seven-figure recoveries suddenly found themselves capped at five thousand dollars per person.
And in a separate case, the U.S. Court of Appeals for the Third Circuit issued a ruling involving Amazon's biometric data practices. According to Law.com, legal experts say this opinion may signal a broader movement in the courts toward favoring the defense and narrowing B.I.P.A.'s overall reach. Two different federal circuits, both pulling in the same direction — away from plaintiffs, toward companies collecting biometric data.
If you run facial comparison workflows or manage
If you run facial comparison workflows or manage biometric systems for an organization, that probably sounds like good news. Lower damages, friendlier courts, less exposure. But zoom out.
According to Privacy World's twenty twenty-five year-end review, more than one hundred new B.I.P.A. class actions were filed in Illinois in twenty twenty-five alone. One hundred. After the damages cap passed. After the courts started signaling they'd side with defendants. The plaintiffs' bar didn't retreat. They adapted.
What does that look like in practice? Lower per-case damages, but higher volume. Instead of one massive lawsuit that ends in a nine-figure settlement, you get dozens of smaller ones — each one still requiring legal defense, each one still creating operational disruption, each one still generating headlines. For an everyday person, it means the law that was supposed to protect your face and your fingerprints still exists — it just bites differently now. For organizations, it means the cost of a single lawsuit dropped, but the odds of facing one didn't.
And the jurisdiction question matters more than ever in twenty twenty-six. Where the biometric data gets collected determines how much leverage a plaintiff holds. Collect a faceprint in Illinois, and B.I.P.A. still applies — damages cap and all. Collect it in Texas or Washington, and you're under different rules entirely. The legal landscape isn't settling into one clear standard. It's fragmenting.
The Bottom Line
Everyone's focused on the damages going down. The sharper signal is the filings going up. A law that's cheaper to violate but more frequently enforced didn't get weaker — it mutated.
So — courts cut B.I.P.A.'s maximum penalty from millions to thousands per person, and they made that cut apply to lawsuits already in progress. But plaintiffs' lawyers filed over a hundred new cases anyway, because the right to sue didn't disappear — just the size of the check. The risk of using biometric data without proper consent and documentation didn't shrink. It just got easier to underestimate. Whether you manage an investigations unit or you're just the person whose face gets scanned at the door, the rules around your biometric data are still being written — and right now, nobody's finished the sentence. The written version goes deeper — link's below.
Ready for forensic-grade facial comparison?
Full forensic reports with detailed similarity scoring. Results in seconds.
Run My First SearchMore Episodes
You Only Have One Face. A Court Just Ruled You Get to Control It.
You have exactly one face. No spare. No backup. And if someone copies the pattern of it — the distance between your eyes, the shape of your jaw — you can't reset it like a password. A court just said
PodcastYour Face Just Approved 611 Million Payments — And Fraudsters Are Practicing
Last month, six hundred and eleven million payments in India got approved by someone's face or fingerprint. No PIN. No password. Just a glance or a touch. And here's the part that should make you sit
PodcastThat "Insurance Rep" on Video Might Be a Deepfake — and Your Medical File Is the Prize
Only about a third of people can spot a deepfake — even after someone warns them one's coming. When nobody warns them at all, most still get fooled. Those aren't numbers from some distant lab. Researc
