BIPA Got Smaller. Your Risk Just Got Bigger.

A single worker gets their face scanned fifteen hundred times clocking in and out of a warehouse. Before last year, that worker could seek seven and a half million dollars in damages under Illinois' biometric privacy law. Today, the maximum is five thousand.

That's not a typo

That's not a typo. The legal ceiling for biometric privacy violations in Illinois dropped by more than ninety-nine percent — and most people outside the legal world have no idea it happened. If you've ever scanned your finger to punch a time clock, or had your face captured walking into a store, this shift touches you directly. Illinois' Biometric Information Privacy Act — known as B.I.P.A. — has been the strongest biometric privacy law in the country for over a decade. It's the law that forced Facebook to pay six hundred and fifty million dollars to settle a class action back in twenty twenty-one. It's the law Clearview A.I. settled under for nearly fifty-two million dollars just last year. Now, appellate courts are trimming it back — and a new ruling in an Amazon Web Services biometric data case has legal experts saying the judiciary is tilting toward defendants. So if the penalties are shrinking, does that mean the risk of collecting someone's biometric data just got smaller too?

The answer is more complicated than the headline suggests. Start with what actually changed. In twenty twenty-four, Illinois amended B.I.P.A. to cap damages at one recovery per person — not one recovery per scan. That's a massive difference. Under the old framework, every single time a system captured your fingerprint or your faceprint counted as a separate violation. Fifteen hundred scans, fifteen hundred violations, five thousand dollars each. That math is what made B.I.P.A. the most feared biometric statute in the country. The amendment collapsed all of those scans into one claim per person, with a maximum payout of five thousand dollars.

Then came the Seventh Circuit. According to reporting from Sidley Austin's Data Matters blog, the Seventh Circuit ruled this damages cap applies retroactively — meaning it reaches back to cover cases that were already pending before the amendment passed. Plaintiffs who filed suit expecting seven-figure recoveries suddenly found themselves capped at five thousand dollars per person.

And in a separate case, the U.S. Court of Appeals for the Third Circuit issued a ruling involving Amazon's biometric data practices. According to Law.com, legal experts say this opinion may signal a broader movement in the courts toward favoring the defense and narrowing B.I.P.A.'s overall reach. Two different federal circuits, both pulling in the same direction — away from plaintiffs, toward companies collecting biometric data.

If you run facial comparison workflows or manage

If you run facial comparison workflows or manage biometric systems for an organization, that probably sounds like good news. Lower damages, friendlier courts, less exposure. But zoom out.

According to Privacy World's twenty twenty-five year-end review, more than one hundred new B.I.P.A. class actions were filed in Illinois in twenty twenty-five alone. One hundred. After the damages cap passed. After the courts started signaling they'd side with defendants. The plaintiffs' bar didn't retreat. They adapted.

What does that look like in practice? Lower per-case damages, but higher volume. Instead of one massive lawsuit that ends in a nine-figure settlement, you get dozens of smaller ones — each one still requiring legal defense, each one still creating operational disruption, each one still generating headlines. For an everyday person, it means the law that was supposed to protect your face and your fingerprints still exists — it just bites differently now. For organizations, it means the cost of a single lawsuit dropped, but the odds of facing one didn't.

And the jurisdiction question matters more than ever in twenty twenty-six. Where the biometric data gets collected determines how much leverage a plaintiff holds. Collect a faceprint in Illinois, and B.I.P.A. still applies — damages cap and all. Collect it in Texas or Washington, and you're under different rules entirely. The legal landscape isn't settling into one clear standard. It's fragmenting.