Companies have been concerned about the weaponization of BIPA, Illinois’s biometric privacy law. As many are well aware, BIPA contains a private right of action, which has resulted in a flood of BIPA suits in the state. A recent federal court decision gives companies some relief, at least when it comes to damages calculations.
As those who have been tracking these developments know, in August 2024 Governor Pritzker signed into law BIPA amendments regarding damages calculations. As amended, an entity that violates BIPA would be viewed as committing one violation, not multiple one. In other words, the amendments preclude “per scan” damages.
The amendments were passed in response to a 2023 Illinois Supreme Court case (Cothron v. White Castle Systems, Inc.). In Cothron, the Court noted that BIPA’s remedies provision allowed plaintiffs to recover damages on a “per scan” basis. While the Cothron Court allowed per scan damages calculations, it encouraged the Illinois legislature to clarify BIPA’s confusing damages provision. The legislature then amended the statute to eliminate per scan calculations.
While the change helped those who brought suit after the amendment, what about cases pending prior to the change? In this recent Seventh Circuit case, the court ruled that amendments do apply retroactively. This case is Clay v. Union Pacific Railroad Co., 2026 WL 891902 (7th Cir. 2026). In Clay, the plaintiffs had sought per scan damages in BIPA cases filed before passage of the 2024 amendments. The court declined to calculate damages in this way because it held the law’s changes were procedural and therefore did not impact plaintiffs’ substantive rights. Under Illinois law, procedural amendments to statutes apply to all cases pending when the amendments took effect.
Putting it into Practice: This ruling is welcome news for BIPA defendants whose cases were pending on the day the amendments took effect. That said, it is a reminder that the plaintiffs’ bar is active in this space. Companies would be well served to assess the extent to which BIPA applies to their practices, and if so, that they have appropriate consent processes in place.