The Ledger · Saturday, 10 January 2026 · Issue № 18

AI Compliance Hub · newsroom

Enforcement Updates · 7 min read

BIPA Class Actions in 2025: What Employers Need to Know

Illinois BIPA litigation generated billions in settlements. Here’s what happened in 2025, where the law stands after the 2023 Cothron ruling, and what employers must do to limit exposure.

The Illinois Biometric Information Privacy Act (BIPA) has generated more litigation than any other AI-adjacent law in the US. As of 2025, total settlements have exceeded $3 billion. Here’s the state of play and what it means for employers.


The Cothron Ruling and Its Aftermath

The 2023 Illinois Supreme Court ruling in *Cothron v. White Castle* clarified that each separate BIPA violation — each collection or transmission of biometric data without consent — accrues separately. For a company that collected fingerprints daily from 1,000 employees over five years, this could mean millions of violations.

Post-*Cothron*, BIPA exposure became effectively uncapped for most defendants. The Supreme Court acknowledged the potential for “staggering damages” but said it was a legislative problem, not a judicial one.

The Illinois legislature responded in 2024 with amendments that:

  • Capped total damages for a single claimant at $30,000 per defendant regardless of the number of violations
  • Preserved the private right of action

The cap significantly reduced per-claimant exposure but didn’t eliminate class action risk for large employer-class combinations.


2025 Enforcement Landscape

Settlement activity: Major BIPA settlements continued in 2025, with several healthcare, manufacturing, and logistics companies settling for $10M-$100M. The sectors most affected: manufacturing (timeclocks with fingerprint scanners), healthcare (biometric access controls), retail (facial recognition at checkout), and technology (voice biometrics in customer service).

New defendants: Plaintiffs’ firms expanded their targets beyond obvious biometric technology to include:

  • Employers using voiceprint matching in call centers
  • Retailers using facial recognition for loss prevention
  • Fitness chains using fingerprint gym access
  • Gig economy platforms using biometric identity verification

Federal circuit split: Courts continue to grapple with Article III standing for BIPA claims. Some federal circuits require actual harm; others allow technical statutory violations. Most plaintiffs prefer Illinois state court.


What BIPA Actually Requires

Many employers violate BIPA without realizing they’re collecting biometric data. BIPA’s core requirements:

1. Written Policy (Section 15(a))

You must have a publicly available written policy on biometric data retention and destruction. Many employers don’t have this or haven’t updated it.

2. Informed Written Consent (Section 15(b))

Before collecting biometric identifiers (fingerprints, retinal scans, facial geometry, voiceprints), you must:

  • Inform the person in writing that biometric data is being collected
  • State the purpose and duration of collection
  • Obtain a written release

This consent must be obtained before collection. Retroactive consent doesn’t count.

3. No Sale or Profit (Section 15(c))

You cannot sell, lease, trade, or profit from biometric data.

4. No Unauthorized Disclosure (Section 15(d))

You cannot disclose biometric data without consent except in limited circumstances (legal process, etc.).

5. Destruction Schedule (Section 15(a) and (e))

You must destroy biometric data within 3 years or when the initial purpose is fulfilled, whichever is first.


Who Is Most at Risk

The highest-risk employers are those who:

  • Use fingerprint timeclocks for clocking in/out
  • Use facial recognition for building access
  • Use voiceprint verification for customer service or internal systems
  • Have multiple locations in Illinois and have collected biometric data for years without proper consent

The class action math: 500 employees, each with 5 years of daily scans, x $30,000 cap per person = potential exposure up to $15 million before legal fees.


Practical Steps to Reduce Exposure

Immediate audit: Identify every system that captures biometric data from Illinois employees or customers. Include vendors — many timeclock vendors collect biometric data and process it.

Update or create a biometric data policy: The policy must be written, publicly available, and compliant with the statutory requirements.

Obtain written consent: For any current biometric data collection without prior written consent, consult counsel before attempting retroactive remediation.

Review vendor contracts: Ensure vendors who collect biometric data on your behalf have appropriate data processing agreements and deletion commitments.

Set destruction schedules: Implement a documented process for destroying biometric data within the statutory timeframe.


The Bottom Line

BIPA litigation is a well-developed plaintiffs’ bar practice with an established playbook. Companies that haven’t done a biometric data audit are exposed. The 2024 amendments reduced per-person exposure but didn’t eliminate class action risk for large employers.

Tagged regulations: Illinois, BIPA, Class Actions, Biometrics, Litigation
AI Compliance Hub editors
The editorial desk covers AI and cyber regulation across the US, EU, and UK. Tips? editors@aicompliancehub.com
Not legal advice

This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.
