7th Circuit Holds BIPA Damages Remedy Applies Retroactively

In my article “How Will the Recent Amendments to Illinois’s BIPA Affect the Use of Biometric Data?”^[1] I reported on the Illinois State Legislature’s changes in Senate Bill 2979 to the Illinois Biometric Information Privacy Act (“BIPA”). The changes were effective on August 2, 2024. One of those changes amended the limits on damages to one recovery per violation per person, regardless of the number of instances of collections of biometric information using the same method.^[2] A recent decision of the U.S. Court of Appeals for the Seventh Circuit held that the change in damages applies retroactively to cases pending when the BIPA amendments became effective.

In Clay v. Union Pacific Railroad Co.,^[3] the Court of Appeals consolidated three interlocutory appeals posing a common legal question of whether the BIPA amendment effective August 2, 2024, applies retroactively to cases pending when it was enacted. In its analysis, the Court distinguished between legislative amendments that are procedural or substantive, stating, “Crucially, the Supreme Court of Illinois treats remedial changes as procedural, not substantive.”^[4] The Court determined that the amendment to the damages section in BIPA (740 ILCS 14/20) was remedial and stated, “Illinois courts have consistently ruled that they ‘can apply retroactively statutory changes to procedural or remedial provisions, whether they are outright repeals or amendments.’ We take this principle as the rule of decision for this case.”^[5]

The Court of Appeals held:

Because the amendment to Section 20 of BIPA constitutes a remedial change, Illinois courts would have us apply it to cases pending when it was enacted. A plaintiff who alleges thousands of claims under BIPA Section 15 is only “entitled to, at most, one recovery under” Section 20. We hold that this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability.

The district courts in all three cases erred by holding otherwise. On remand, the district courts may need to reevaluate how this holding affects other aspects of these cases, including subject matter jurisdiction. But for now, it is enough to note that these courts, and others dealing with similar cases, must ensure they follow the latest guidance of the legislature when calculating damages under BIPA Section 20.^[6]

The BIPA damages discussed in Clay are limited to 740 ILCS 14/20 (as amended):

(b) For purposes of subsection (b) of Section 15 [740 ILCS 14/15], a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.^[7]

The bottom line is that even though the BIPA damages and consequences are limited by the 2024 BIPA amendment, they can, depending on the facts, still be substantial and may include, the following, for each “person aggrieved by a violation” of BIPA as stated in 740 ILCS 14/20(a):

1. For a negligent violation: liquidated damages of $1,000 or actual damages, whichever is greater.
2. For an intentional or reckless violation: liquidated damages of $5,000 or actual damages, whichever is greater.
3. Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses.
4. Other relief, including an injunction, as the state or federal court may deem appropriate.

Rosenbach v. Six Flags Entertainment Corporation,^[8] a seminal case in the history of BIPA litigation that had substantial consequences in the law, concerned only a single plaintiff, Stacy Rosenbach, as Mother and Next Friend of Alexander Rosenbach. If a business has multiple employees, customers, or other third parties, and collects and/or uses their biometric information subject to BIPA, the damages for a BIPA violation could become substantial.

While biometric information offers many valuable opportunities for businesses, their employees, and customers, businesses and their legal advisors need to confirm that the business’s use complies with all applicable laws (including but not limited to BIPA) concerning use of biometric information, including, without limitation, in connection with artificial intelligence systems.

1. Published in the ABA publication Business Law Today on September 4, 2024. Note, the author has been writing about the intersection of biometric data and the law since 2019. A partial list of those articles is linked here. ↑

2. 740 ILCS 14/20 (Right of action) (amended effective Aug. 2, 2024). ↑

3. Clay v. Union Pac. R.R. Co., 171 F.4th 975, 2026 U.S. App. LEXIS 9487 (7th Cir. Apr. 1, 2026). ↑

4. Id. at *9. ↑

5. Id. at *10 (citation omitted) (quoting People v. Glisson, 782 N.E.2d 251, 257 (Ill. 2002)). ↑

6. Id. at *20–21. ↑

7. 740 ILCS 14/20 (Right of action) (amended effective Aug. 2, 2024) (emphasis added). ↑

8. Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019). See “Biometric Information – Permanent Personally Identifiable Information Risk” published in the ABA publication Business Law Today on January 28, 2019. ↑