Contents

1️⃣ Why the High Stakes: Biometric identifiers are immutable - a password can be reset, a fingerprint cannot! It is a permanent vulnerability, a "Biological Secret"!

No Actual Harm Required ➲ Rosenbach v. Six Flags (2019)

3️⃣ The Black Horse Carriers case, the White Castle case and the $75 Million Warning!

The Five-Year Horizon of Biometric Privacy Claims ➲ Tims v. Black Horse Carriers, Inc. (2023)

"Per-Scan" Damages ➲ Cothron v. White Castle System Inc. (2023)

A Partial Fingerprint Scan still counts ➲ Howe v. Speedway LLC (2024)

The $75 Million Warning! ➲ Rogers v. BNSF Ry. (2023)

4️⃣ The 2024 Course Correction: SB 2979 and the "Single-Recovery" Doctrine

Refining the Biometric Shield ➲ The 2024 Illinois BIPA Reform

The Retroactivity Split

Initial decision Retro, but after Schwartz changed position to future application. Certified for appeal (awaiting appellate ruling as at Feb 2026) ➲ Gregg v. Cent. Transp. LLC (2024-2025)

Future Application ➲ Schwartz v. Supply Network, Inc. d/b/a Viking SupplyNet (2024)

5️⃣ The New Frontier: AI Meeting Assistants and Mass Arbitration

6️⃣ The Insurance Gap: Why Your Commercial General Liability Insurance Policy May Not Have Your Back

Biometric Privacy and the Judicial Divide in Insurance Coverage ➲ Nat’l Fire Ins. Co. of Hartford v. Visual Pak Co. (2023)

Biometric Privacy Rights and the Workers' Compensation Exclusivity Rule ➲ McDonald v. Symphony Bronzeville Park, LLC (2022)

⚖️ Conclusion: Navigating the High Stakes of Biometric Data Risks

1️⃣ Why the High Stakes: Biometric identifiers are immutable - a password can be reset, a fingerprint cannot! It is a permanent vulnerability, a "Biological Secret"!

In the architecture of modern cybersecurity, a password is a temporary credential; a fingerprint is a permanent vulnerability.

This distinction forms the bedrock of the Illinois Biometric Information Privacy Act (BIPA).

Unlike a Social Security number or a credit card token—which can be canceled and reissued—biometric identifiers like face scans and iris patterns are "immutable facets of personal identity."

Organizations across the globe sleepwalked into a jurisdictional quagmire by adopting biometric timeclocks and "frictionless" security tools for the sake of convenience.

They treated this data as just another IT asset, but the Illinois legislature saw it differently.

The legislative intent of BIPA was prophylactic: because the "full ramifications of biometric technology" were unknown at the time of drafting, the law prioritizes individual autonomy over corporate efficiency.

For the C-suite, the "so what" is clear: the moment you collect a thumbprint, you are no longer just managing a workforce; you are stewarding an irreplaceable asset with "annihilative" liability attached to its misuse.

2️⃣ The "No-Harm" Paradox: Why Technical Errors Cost Millions

In traditional litigation, a plaintiff must usually prove financial loss or identity theft to sustain a claim.

BIPA, however, operates within a counter-intuitive "no-harm" reality established by the jurisprudential landmark Rosenbach v. Six Flags (2019).

No Actual Harm Required ➲ Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, 129 N.E.3d 1197 (Jan. 25, 2019)

Key Facts

The case originated when a mother, Stacy Rosenbach, brought a lawsuit on behalf of her 14-year-old son, Alexander, against Six Flags amusement park. When visiting the Six Flags Great America theme park in Gurnee, Illinois, the minor was required to scan his thumbprint into the company's biometric identification system to authenticate his identity for a season pass.

The plaintiffs alleged that Six Flags violated the Illinois Biometric Information Privacy Act (BIPA) because it failed to inform them in writing of the specific purpose and length of time the fingerprint would be collected and stored, and failed to obtain a signed written release before collecting the biometric data.

Crucially, the plaintiffs did not allege that the data collection resulted in any actual financial, physical, or extreme emotional harm; the claim was based entirely on the company's failure to follow BIPA's procedural requirements.

The Decision

The Illinois Supreme Court ruled in favor of the plaintiffs, reversing an appellate court's holding that an individual must allege an additional injury or adverse effect to sue under BIPA.

Writing the opinion for the court, Chief Justice Lloyd A. Karmeier held that an individual does not need to suffer actual damages to qualify as "aggrieved" under the statute.

The court determined that BIPA vests individuals with a right to privacy in, and control over, their biometric identifiers.

When a private entity fails to comply with BIPA's notice and consent requirements, that statutory violation alone constitutes an invasion of the individual's privacy rights.

The court directly rejected the defendant's argument that such procedural failures were a mere "technicality," instead ruling that the loss of the right to maintain biometric privacy is a "real and significant" injury in itself.

Significance

The Rosenbach decision is regarded as the most significant threshold matter in BIPA's history, reshaping the landscape of biometric privacy litigation.

Its significance includes:

• No Actual Harm Required: It firmly established that plaintiffs do not need to prove an "injury-in-fact," such as identity theft, financial loss, or emotional distress, to successfully sue and recover liquidated damages under BIPA.

• Opening the Floodgates for Class Actions: By establishing that mere technical or procedural violations are sufficient to bring a lawsuit, the decision effectively decoupled standing from physical or financial harm. This spurred a massive wave of BIPA class-action lawsuits against businesses across various industries, with the number of BIPA cases filed jumping exponentially following the ruling.

• Strict Corporate Deterrence: The court reasoned that subjecting companies to substantial liability for simply failing to adhere to statutory procedures—without forcing plaintiffs to wait until irreversible harm occurs—gives businesses the "strongest possible incentive to conform to the law" and properly safeguard sensitive biometric data.

As the court famously observed regarding the unique nature of this data:

"Biometric resources, once compromised, are lost forever. Unlike a Social Security number, which can be changed, a person’s biometric identifiers are unique and permanent. Once the 'biological secret' is out, there is no recourse for the individual."

Strategic Insight: For business leaders, this shifts the focus from "data security" to "procedural perfection."

You can have the most secure encrypted vault in the world, but if your website is missing a retention schedule, your balance sheet remains exposed to a class-action blizzard.

3️⃣ The Black Horses case (5 year limitation period), the White Castle case ("Per-Scan" Damages) and the $75 Million Warning!

The financial risks associated with BIPA reached astronomical levels with the 2023 decisions of Cothron v. White Castle System, Inc (2023) and Tims v. Black Horse Carriers, Inc. (2023).

The Five-Year Horizon of Biometric Privacy Claims ➲ Tims v. Black Horse Carriers, Inc., 2023 IL 127801, 216 N.E.3d 845 (Ill. 2023)

Key Facts

An employee who worked for Black Horse Carriers from June 2017 to January 2018 alleged that the company collected and distributed his fingerprints throughout his employment without obtaining his informed consent, in violation of the Illinois Biometric Information Privacy Act (BIPA).

The central dispute in the case revolved around the applicable statute of limitations.

The defendant employer argued that a one-year statute of limitations—which typically governs privacy claims involving publication, such as libel or slander—should apply to the BIPA claims.

The plaintiff, however, argued for the application of Illinois's "catchall" five-year statute of limitations, which is used for civil actions that lack a specified limitations period.

Previously, a lower appellate court had taken a split approach, applying the one-year limitations period to certain sections of BIPA and the five-year period to others.

The Decision

The Illinois Supreme Court ruled in favor of the plaintiff, holding that Illinois's five-year "catchall" statute of limitations applies uniformly to all causes of action arising under BIPA.

The court explicitly rejected the appellate court's split approach, reasoning that applying two different limitations periods to different subsections of the same statute would create an "unclear, inconvenient, inconsistent, and potentially unworkable regime".

Furthermore, the court determined that a five-year period better served BIPA's legislative intent; unlike a defamation injury where the harm is quickly noticed by the victim, a BIPA violation might remain undiscovered by an individual for a significant amount of time, making a longer window to seek redress necessary.

Significance

The Tims decision is a landmark BIPA ruling with significant implications for businesses:

• Established a Uniform Standard: It provided certainty, predictability, and uniformity by establishing a single five-year statute of limitations for all sections of BIPA.

• Significantly Expanded the "Look-Back" Period: By adopting the longer five-year period over the one-year period, the court drastically expanded the look-back period for potential liability.

• Increased Employer Liability: The ruling meant that employers were suddenly at risk of facing lawsuits from former employees whose claims they had previously assumed were extinguished or time-barred. When combined with the court's subsequent decision in Cothron v. White Castle (which ruled that a claim accrues with every single scan), the Tims decision exponentially increased the financial risk and potential exposure for companies defending against legacy BIPA claims.

"Per-Scan" Damages ➲ Cothron v. White Castle Sys., Inc., 2023 IL 128004, 216 N.E.3d 918 (Ill. 2023)

Key Facts

‍The plaintiff, Latrina Cothron, worked as a manager at White Castle starting in 2004. During her employment, White Castle required her to scan her fingerprint into a biometrically-enabled timekeeping system to clock in and out, access computers, and view her paystubs.

BIPA was enacted in 2008, but Cothron alleged that White Castle continually collected and transmitted her fingerprint data to a third-party vendor without obtaining the required written consent or providing the necessary disclosures until October 2018.

Cothron filed a class-action lawsuit, and White Castle moved to dismiss the claims as time-barred.

The company argued that the plaintiff's claim "accrued" in 2008 (when BIPA was enacted and the first actionable scan occurred), meaning the statute of limitations had long since expired by the time she filed her lawsuit.

The plaintiff countered that a new BIPA violation occurred every time she scanned her fingerprint.

The Decision and Its Significance‍

The Illinois Supreme Court ruled in favor of the plaintiff, holding that a separate BIPA claim accrues "each and every time" a private entity scans or transmits an individual's biometric identifier without prior informed consent.

The court reasoned that BIPA's statutory language contained no text limiting a claim's accrual to the initial scan, meaning every subsequent scan constitutes a new, separate violation.

The court acknowledged White Castle's warning that this strict, mechanical application of the statute could lead to "ruinous" and "annihilative" liability—amounting to an estimated $17 billion for a class of just 9,500 employees.

However, the court concluded that it could not rewrite the statute to avoid harsh consequences and instead invited the Illinois legislature to review the policy concerns.

The court did note that trial courts possess the discretion to tailor actual damage awards to preserve BIPA's deterrent effect without financially destroying defendants.

The significance of the Cothron decision includes:
‍
*   "Per-Scan" Liability: The ruling established a multiplicative "per-scan" damages model, which exponentially increased the financial risk for businesses. Because BIPA awards $1,000 to $5,000 per violation, an employee scanning their fingerprint multiple times a day could independently generate tens of thousands of dollars in liability, opening the door for multi-billion-dollar judgments.
‍
*   Rolling Statute of Limitations: By ruling that each scan is a new violation, the decision effectively restarted the five-year statute of limitations clock with every scan, allowing plaintiffs to seek damages for ongoing violations even if the initial collection occurred many years prior.
‍
*   Catalyst for Legislative Reform: The threat of existential financial ruin created by the Cothron decision directly prompted the Illinois legislature to amend BIPA in August 2024 (S.B. 2979).

Answering the court's invitation, the legislature effectively overruled the Cothron decision by mandating a "single violation" rule, which caps recovery at one violation per person regardless of how many times the same biometric data is collected using the same method.

The Cautionary Tale of Routine Operations

White Castle estimated its potential liability for approximately 9,500 employees at a staggering $17 billion.

Even more shocking for tech leaders is the recent ruling in Howe v. Speedway, which closed a common loophole.

The court clarified that even partial fingerprint scans and the alphanumeric templates (mathematical hashes) derived from them count as regulated biometric information.

If your system captures a "fragment" of a print to generate a hash, you are fully within BIPA's crosshairs.

A Partial Fingerprint Scan still counts ➲ Howe v. Speedway LLC, 2024 WL 4346631 (N.D. Ill. Sept. 29, 2024)

Key Facts

Christopher Howe, a former employee of Speedway LLC, brought a class-action lawsuit alleging that the company violated the Illinois Biometric Information Privacy Act (BIPA).

Speedway required employees to clock in and out using a timekeeping system that collected "partial fingerprint scans" without obtaining proper informed consent or providing the necessary written notices.

Speedway raised several defenses in an attempt to secure summary judgment:

• Definition of Fingerprint: It argued that BIPA's protections only apply to "full" fingerprints (such as those collected by law enforcement), rather than the partial scans it collected.

• Biometric Information: It argued that the alphanumeric templates generated from the finger scans lacked sufficient detail to uniquely identify individuals, and therefore did not qualify as "biometric information".

• Collection and Possession: It argued that because the scanned fingerprint images were immediately discarded—in less than half a second—after the templates were generated, Speedway did not "collect" or "possess" the biometric data.

• Intent: It argued that, at worst, its actions were negligent rather than reckless or intentional, which dictates whether the statutory damages are $1,000 or $5,000 per violation.

The Decision and Its Significance

The U.S. District Court for the Northern District of Illinois rejected Speedway's narrow interpretations and ruled against the company's motion for summary judgment.

The court made several key determinations that outline the significance of the case:

• Broad Interpretation of Biometric Identifiers: The court ruled that the plain language of BIPA is meant to protect "unique personal features" used for identification. As a result, the statute does not require a full fingerprint; even partial fingerprint scans qualify as protected biometric identifiers.

• Templates Constitute Biometric Information: The court established that alphanumeric codes and templates derived from biometric scans are considered "biometric information" because they are based on biometric identifiers and used to uniquely identify employees as they clock in and out.

• Momentary Collection is Still Collection: The court found that Speedway's retention of the partial finger scans for less than half a second before discarding them still aligned with BIPA's broad language of "or otherwise obtain". Furthermore, by retaining the resulting templates, Speedway was deemed to be in "possession" of biometric information, triggering BIPA's data retention and consent requirements.

• Degree of Fault is a Jury Question: The court declined to resolve the issue of damages, ruling that whether an employer acted negligently or recklessly/intentionally is a factual dispute regarding the company's awareness of BIPA requirements.

• ‍This establishes that the degree of fault cannot easily be resolved at summary judgment, significantly increasing the likelihood of BIPA cases going to trial.

Ultimately, Howe v. Speedway serves as a stark reminder that courts continue to interpret BIPA broadly to encompass modern workplace technologies, and that any form of biometric data collection—no matter how fleeting or heavily encrypted into alphanumeric templates—requires strict compliance with the law's consent and data handling mandates.

The $75 Million Warning! ➲ Rogers v. BNSF Ry., 680 F. Supp. 3d 1027 (N.D. Ill. 2023) (Case No. 1:19-cv-03083)

Key Facts

Richard Rogers, a truck driver, filed a class-action lawsuit alleging that BNSF Railway violated the Illinois Biometric Information Privacy Act (BIPA). BNSF had engaged a third-party security vendor to install and manage an automated gate control system that required truck drivers to register and scan their fingerprints to gain access to BNSF's railyards.

However, BNSF's system registration process failed to provide the drivers with written notice detailing the purpose and retention length for keeping the fingerprint data, and failed to obtain the required written consent from the drivers before collection.

The Decision

In October 2022, a federal jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times—representing one violation for each driver in the plaintiff class.

Applying the statutory penalty of $5,000 per intentional or reckless violation, the judge initially entered a staggering $228 million judgment against BNSF.

However, following the Illinois Supreme Court's landmark decision in Cothron v. White Castle, the federal court vacated the initial judgment and ordered a new trial solely to determine damages.

The court ruled that BIPA's statutory damages are discretionary rather than mandatory, and therefore BNSF was entitled to have a jury determine the appropriate amount of damages rather than automatically applying a strict mathematical multiplier.

Ultimately, the parties avoided a new trial by agreeing to settle the case for $75 million.

Significance

The Rogers case represents a major milestone in biometric privacy litigation for several reasons:

• The First BIPA Jury Trial: It was the first-ever BIPA class action case to proceed to trial and reach a jury verdict.
  ‍
• Establishment of Discretionary Damages: The court's decision to vacate the initial $228 million award cemented the precedent that BIPA damages are not meant to be a mechanical calculation that results in annihilative liability. It reinforced that trial courts and juries possess the discretion to tailor damage awards to appropriately penalize companies without financially destroying them.
  ‍
• Vendor and Third-Party Liability: The case serves as a warning that a primary company (like BNSF) can be held liable for massive BIPA violations even if the biometric collection database and hardware are installed and managed by an outside, third-party security vendor. This represented the "settlement pressure" that businesses faced at this time. Even if the case was technically winnable, the sheer scale of potential "per-scan" damages forced companies into massive payouts to avoid corporate ruin.

4️⃣ The 2024 Course Correction: SB 2979 and the "Single-Recovery" Doctrine

In August 2024, the Illinois legislature finally blinked.

Recognizing that "ruinous" damages were stifling the state's economy, Governor Pritzker signed SB 2979 to "recalibrate" the law's impact.

The amendment introduced the "single-recovery" doctrine, effectively capping the exposure for repetitive conduct.

Refining the Biometric Shield ➲ The 2024 Illinois BIPA Reform

S.B. 2979, signed into law by Illinois Governor J.B. Pritzker on August 2, 2024, represents the first major structural amendment to the Illinois Biometric Information Privacy Act (BIPA) since its original enactment in 2008.

The legislation was passed as a direct response to the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle, which had allowed for "per-scan" damages that threatened businesses with billions of dollars in annihilative liability.

The new law fundamentally recalibrates BIPA compliance and liability through two key changes:

1. The "Single Violation" Limit on Damages The most significant provision of S.B. 2979 legislatively overrules the Cothron court's holding that a new BIPA claim accrues every time biometric data is scanned or transmitted. Under the amended law, if a private entity repeatedly collects, captures, or discloses the same biometric identifier or information from the same person using the same collection method, it constitutes only a single violation.

Consequently, an aggrieved person is now entitled to "at most, one recovery" of statutory damages per section violated. This means an employee who scanned their fingerprint thousands of times to clock into work without prior written consent can now only recover a maximum of $1,000 (for negligence) or $5,000 (for recklessness/intent), effectively capping a company's financial exposure per individual and eliminating the threat of compounding, multi-billion-dollar judgments.

2. Codification of Electronic Signatures S.B. 2979 modernizes BIPA's consent requirements by adding a specific definition for "electronic signature" and incorporating it into the statute's definition of a "written release". This legally clarifies that businesses and employers can obtain and manage BIPA consent through digital workflows, such as e-signature platforms, HR onboarding software, or electronic check boxes. This provision appears aimed at thwarting plaintiffs' attorneys from invalidating otherwise timely consents simply because they were executed digitally.

An Unresolved Issue: Retroactivity While S.B. 2979 took effect immediately upon being signed, the legislature did not explicitly state whether the amendment applies retroactively to lawsuits filed before August 2024. Because of this silence, a deep split has emerged among federal and state courts. Some judges have ruled that the amendment applies retroactively because it was intended to "clarify" the legislature's original intent regarding damages, while others have ruled it applies only prospectively because it constitutes a "substantive" change to the law. Until higher appellate courts resolve this split, businesses facing legacy BIPA lawsuits remain in uncertain territory regarding their financial exposure

Feature

Old "Per-Scan" Rule (Pre-Aug 2024)

New "Single-Recovery" Doctrine (Post-Aug 2024)

Violation Count

Old: Each scan/transmission is a separate violation.

New: One violation per person, per method of collection.

Damage Cap

Old: Unlimited; based on the total number of scans.

New: Capped at $1,000 (negligent) or $5,000 (reckless) per person.

Consent Method

Old: Often required physical "wet" signatures.

New: Explicitly includes "electronic signatures" as a valid release.

The Retroactivity Split

Despite this "course correction," many organizations remain in legal limbo.

Federal courts are currently divided on whether SB 2979 applies to cases filed before August 2024.

In the Northern District of Illinois, Gregg v. Central Transport applied the amendment retroactively as a "clarification," whereas Schwartz v. Supply Network held it was a substantive change that applies only prospectively.

Until an appellate court settles this, pending litigation remains a "bet-the-company" risk.

Initial decision in Gregg "Retro", but after Schwartz changed position to "Future" application & Certified for Appeal (awaiting appellate ruling as at Feb 2026) ➲ Gregg v. Cent. Transp. LLC, No. 1:24-cv-01925, 2024 WL 4766297 (N.D. Ill. Nov. 13, 2024), opinion vacated on reconsideration, 2025 WL 907540 (N.D. Ill. Mar. 21, 2025)

Key Facts

The plaintiff filed a lawsuit under the Illinois Biometric Information Privacy Act (BIPA) prior to the statute's August 2024 legislative amendment, which limited recovery to a single violation per individual for repeated biometric data collections.

Following the amendment, the defendant moved to dismiss the case for lack of federal subject matter jurisdiction.

The defendant argued that under the new BIPA amendment, the plaintiff's potential recovery was reduced to a single violation, making it impossible for the plaintiff to meet the $75,000 amount-in-controversy requirement needed for a federal court to hear the case under diversity jurisdiction.

The Decision The case is notable for having two directly conflicting decisions issued by the same judge, U.S. District Judge Elaine E. Bucklo, as she grappled with whether the BIPA amendment applies retroactively to pending cases.

• Initial Decision (November 2024): Judge Bucklo initially ruled that the BIPA amendment applied retroactively. She reasoned that the Illinois legislature intended the amendment to "clarify" the issue of damages following the Illinois Supreme Court's express invitation for legislative clarification in the Cothron case. Applying the amendment retroactively, she found the plaintiff was entitled to a single recovery per section violated, capping the maximum recovery at $15,000. She consequently granted the defendant's motion to dismiss for failing to meet the $75,000 jurisdictional threshold.
  ‍
• Decision on Reconsideration (March 2025): Shortly after Judge Bucklo's ruling, another judge in the same district reached the exact opposite conclusion in a different case (Schwartz v. Supply Network, Inc.). The plaintiff in Gregg moved for reconsideration, and on March 21, 2025, Judge Bucklo vacated her prior order and reopened the case. Upon further review, she concluded that the BIPA amendment actually effected a substantive change in the law rather than a mere clarification. Because the legislature did not expressly state it was retroactive, she ruled that the amendment must be applied prospectively only. Under this prospective-only application, the plaintiff's pre-amendment "per-scan" damages satisfied the jurisdictional minimum, allowing the case to proceed.

Significance

The Gregg case embodies the widespread judicial confusion and intense legal battle over the retroactivity of the August 2024 BIPA amendments.

Its significance includes:

• Highlighting the Retroactivity Split: The case perfectly illustrates the deep divide within the federal courts regarding whether plaintiffs in pending, legacy lawsuits can still seek catastrophic "per-scan" damages or if they are capped by the new "single violation" rule.

• Defining Federal Court Access: The rulings demonstrate how the retroactivity question directly dictates whether federal courts have subject matter jurisdiction over individual BIPA claims, as the damages cap ultimately determines whether the $75,000 diversity threshold is met.

• Pathway to Appellate Resolution: Following her reversal, Judge Bucklo granted the defendant's request for an interlocutory appeal and certified the question of the amendment's retroactivity. The Seventh Circuit accepted the appeal (consolidating it with other similar cases), setting the stage for critical appellate guidance that will dictate the fate of hundreds of pending BIPA lawsuits.

Appellate Resolution Progress Update: On September 19, 2025, the Seventh Circuit accepted and consolidated the interlocutory appeals for Gregg and other similar cases (including Willis and Clay) to resolve the split over whether the August 2024 BIPA amendment applies retroactively. The court ordered the issue to be fully briefed in December 2025.

Most recently, the Seventh Circuit heard arguments on this consolidated issue in February 2026.

A final decision is currently pending and is expected to dictate the fate of hundreds of pending "per-scan" BIPA lawsuits.

Future Application ➲ Schwartz v. Supply Network, Inc. d/b/a Viking SupplyNet, No. 1:23-cv-14319, 2024 WL 4871408 (N.D. Ill. Nov. 22, 2024)

Key Facts

The plaintiff filed a lawsuit under the Illinois Biometric Information Privacy Act (BIPA) on September 29, 2023, which was prior to the August 2024 legislative amendments that limited BIPA damages to a single recovery per individual.

The defendant filed a motion to dismiss the case for lack of federal subject matter jurisdiction. The defendant argued that the new 2024 BIPA amendment applied retroactively to the case, which would cap the plaintiff's damages and reduce their potential recovery below the $75,000 amount-in-controversy threshold required for a federal court to hear the case.

The Decision

U.S. District Judge Georgia N. Alexakis ruled that the BIPA amendment applies only prospectively, not retroactively.

The judge concluded that the amendment enacted a substantive change to the law because it "redefines what constitutes a violation of the Act in the first place".

Because the change was substantive and the Illinois legislature did not expressly declare the amendment to be retroactive, Illinois law required it to be applied prospectively only.

Consequently, the court held that the plaintiff's claims should be evaluated under the pre-amendment standard (which allowed for multiplicative "per-scan" damages under the Cothron precedent) that was in effect at the time the lawsuit was filed.

Therefore, the plaintiff successfully met the $75,000 jurisdictional minimum to proceed in federal court.

Interestingly, the parties later voluntarily dismissed the case by stipulation, presumably having reached a settlement.

Significance

The Schwartz decision is highly significant in the landscape of BIPA litigation for several reasons:

• Creating a Judicial Split: Issued just nine days after Judge Elaine E. Bucklo's initial ruling in Gregg v. Central Transport (which found the amendment was retroactive), the Schwartz decision created a direct and immediate split within the Northern District of Illinois regarding how to apply the new law to pending cases.

• Influencing Other Courts: The compelling reasoning in Schwartz ultimately led Judge Bucklo to reconsider and vacate her own ruling in Gregg, eventually aligning with Schwartz to conclude that the amendment was indeed a substantive change that applies prospectively. Multiple other federal courts have since followed the Schwartz court's lead.

• Maintaining High Exposure for Legacy Cases: By holding that the amendment only applies prospectively, the ruling confirmed that defendants facing BIPA lawsuits filed prior to August 2024 could still be subjected to catastrophic "per-scan" damages, leaving them exposed to immense financial liability for legacy claims.

5️⃣ The New Frontier: AI Meeting Assistants and Mass Arbitration

As physical timeclocks are phased out, the litigation wave of 2025-2026 is targeting AI-powered meeting tools and transcription services.

These tools create "voiceprints" that fall squarely under BIPA's definition of biometric information.

The "Auto-Join" Risk: AI assistants that join meetings automatically create a "passive collection" trap.

Liability isn't just limited to the host; it extends to the "joint liability" of the vendor and the customer for participants who never consented to having their voice analyzed.

The Tactical Pivot (Mass Arbitration): Because SB 2979 made class actions less lucrative by capping damages per person, the plaintiffs’ bar has pivoted to Mass Arbitration.

Firms now recruit thousands of individual claimants to file simultaneous demands.

This forces companies to pay millions in non-refundable arbitration filing fees alone—effectively creating a new form of settlement leverage that bypasses the legislative caps.

6️⃣ The Insurance Gap: Why Your Commercial General Liability Insurance Policy May Not Have Your Back

Many leaders assume their Commercial General Liability (CGL) policies provide a safety net.

However, the insurance landscape has evolved to aggressively exclude biometric risk.

Recent decisions like Visual Pak have shown a departure from earlier, more lenient standards.

Courts are now upholding broad "Violation of Law" exclusions because they specifically include the "collecting, recording, or distribution" of information.

Insurers are now winning on three primary exclusions:

1. Statutory Violation Exclusions: Broad "catch-all" language that bars coverage for any law—like BIPA—that regulates the handling of information.
   ‍
2. Access or Disclosure Exclusions: Barring claims related to the "access or disclosure" of personal data, which the Seventh Circuit (2024) recently held bars BIPA coverage.
   ‍
3. Employment-Related Practices (ERP): Arguing that biometric timekeeping is a workplace-specific injury excluded from general liability.

As one strategist noted, policyholders must "review their coverage annually" with counsel.

Standard forms are increasingly being modified by endorsements that render your historical protections illusory.

Biometric Privacy and the Judicial Divide in Insurance Coverage ➲ Nat’l Fire Ins. Co. of Hartford v. Visual Pak Co., 2023 IL App (1st) 221160, 2023 Ill. App. LEXIS 482 (Dec. 19, 2023)

Key Facts

An underlying class action lawsuit was brought against Visual Pak on behalf of temporary staffing agency employees.

The plaintiffs alleged that the company violated the Illinois Biometric Information Privacy Act (BIPA) by utilizing fingerprint scans to collect their biometric information without obtaining proper consent.

Visual Pak sought coverage and a legal defense from its insurers (National Fire Insurance Co. / CNA), but the insurers denied the claim.

The insurers argued they had no duty to defend the company based on a policy exclusion for the "Recording and Distribution of Material or Information in Violation of Law," which contained a broad "catchall" provision barring coverage for violations of statutes relating to the "disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information".

The Decision and Its Significance

The Illinois Appellate Court ruled in favor of the insurers, affirming that they did not have a duty to defend Visual Pak.

The court determined that the policy's statutory exclusion unambiguously encompassed BIPA violations.

The court reasoned that because the exclusion still preserved coverage for common law privacy claims, applying it to statutory BIPA claims did not render the policy's overall personal and advertising injury coverage "illusory".

The significance of the Visual Pak decision lies primarily in the deep judicial divide it created regarding insurance coverage for BIPA liabilities:

• Direct Split with the Seventh Circuit: The Illinois state appellate court explicitly broke from established federal precedent. Prior to this case, the U.S. Court of Appeals for the Seventh Circuit had ruled (in Citizens Insurance Company v. Wynndalco Enterprises, LLC) that applying this exact exclusion to BIPA claims would eliminate coverage for a wide range of privacy claims, rendering the coverage illusory and unenforceable. The Visual Pak court directly addressed this, stating: "Though we do not do so lightly, we believe that this federal decision was wrongly decided and decline to follow it".

• Expansion of Insurer Defenses: The ruling represents a significant victory for the insurance industry, demonstrating an ongoing evolution where courts are increasingly willing to enforce broader exclusions to bar coverage for BIPA-related claims.

• Heightened Importance of Venue: Because state and federal courts in Illinois now hold directly contradictory precedents on identical insurance policy language, the Visual Pak decision highlights that the choice of venue and governing law will be a fundamental, make-or-break factor in future BIPA insurance coverage disputes

Biometric Privacy Rights and the Workers' Compensation Exclusivity Rule ➲ McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511 (Ill. Feb. 3, 2022)

Key Facts

Marquita McDonald filed a putative class-action lawsuit against her former employer, Symphony Bronzeville Park, LLC, a medical care facility. McDonald alleged that Bronzeville utilized a biometric timekeeping system that required her and her coworkers to scan their fingerprints to track their time and prevent time card fraud. McDonald claimed the company violated the Illinois Biometric Information Privacy Act (BIPA) because it never informed them in writing of the specific purpose and length of time their biometric data would be stored, and it failed to obtain a written release before collecting the data.

While her original complaint alleged the violations caused her mental anguish, McDonald later amended her complaint to drop the mental anguish claim, seeking only BIPA's statutory liquidated damages.

Bronzeville moved to dismiss the lawsuit, arguing that the claims were preempted by the Illinois Workers’ Compensation Act (IWCA).

Bronzeville contended that the IWCA serves as the "exclusive remedy" for accidental injuries that arise out of and in the course of employment, which should preclude an employee from recovering civil damages from an employer in state court.

The Decision

The Illinois Supreme Court unanimously ruled that the exclusive remedy provisions of the Workers' Compensation Act do not bar or preempt an employee's BIPA claims for statutory damages.

The court analyzed the distinct purposes of the two statutes, concluding that a BIPA violation does not categorically fit within the purview of the IWCA.

The Workers' Compensation Act is a remedial statute designed to provide financial protection for medically documented physical and psychological work injuries that diminish an employee's earning capacity.

In contrast, the court reasoned that BIPA violations cause "personal and societal injuries" regarding the loss of the ability to maintain privacy rights, which are different in nature and scope from the injuries covered by workers' compensation.

Because the injury was not compensable under the IWCA, McDonald was free to pursue her class-action lawsuit in civil court.

Significance

The McDonald ruling is highly significant for businesses and biometric privacy litigation because it:

• Eliminated a Potent Employer Defense: The decision removed a primary, widely asserted defense that employers relied on to shield themselves from BIPA liability.

• Kept Employee Class Actions in Civil Court: By confirming that BIPA claims bypass the Workers' Compensation Commission, the ruling ensured that employees can continue to pursue highly lucrative individual and class-wide statutory damages claims directly against their employers in civil court.

• Highlighted Pleading Strategy: A concurring opinion noted that if the plaintiff had maintained her claim of "mental anguish" (an actual psychological injury), her claim likely would have been barred by the IWCA. By carefully amending her complaint to allege only statutory, no-injury BIPA violations, she successfully evaded the workers' compensation exclusivity trap.

⚖️ Conclusion: Navigating the High Stakes of Biometric Data Risks

The biometric "Tsunami" is no longer just an Illinois phenomenon.

While Illinois remains the epicenter, California, Texas, and Washington are establishing their own enforcement frontiers, often focusing on "sensitive personal information" categories.

As corporate efficiency increasingly relies on the data of the human body, leaders must navigate a delicate equilibrium.

Is the convenience of a face scan worth the potential for company-ending liability?

The "right to say no" to the collection of one’s own body data is now a protected legal standard.

In this biometric-reliant world, strict, prophylactic compliance programs are not merely a "best practice"—they are a survival necessity for the modern enterprise.

Full disclosure: The first draft of this blog article and the cover image infographic were AI-generated. The entire audio podcast (unedited) was AI-generated.

Social Sharing Image: © BLUEOCEAN.law

Credits: This blog article was edited by James D. Ford Esq., GAICD CIPP/US CC | Principal Solicitor, Blue Ocean Law Group℠.

Important Notice:

This blog article is intended for general interest + information only.

To the extent this article is deemed advertising or solicitation, it is hereby identified as such.  

It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.

We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.