As noted in our previous alert, the Seventh Circuit Court of Appeals was set to decide whether the 2024 amendment to the Illinois Biometric Information Privacy Act (BIPA) — which limits liability by treating repeated collections of biometric data from the same person using the same method as a single violation — should apply retroactively to pending cases. That decision has now arrived. 

On April 1, 2026, a three-judge panel of the Seventh Circuit reversed a trio of district court rulings and held that the amendment applies retroactively to every lawsuit pending at the time it took effect. The consolidated appeals had each previously been decided by district courts finding the amendment to be a substantive change that could only apply prospectively. The Seventh Circuit disagreed, concluding that the amendment is remedial in nature, as it adjusts the statutory damages available to plaintiffs without altering the underlying standards of liability or the conduct that BIPA prohibits. 

The court's reasoning relied on the distinction between remedial and substantive changes under Illinois law. The panel observed that the amendment modified only one portion of the statute: liquidated damages. This leaves BIPA causes of action (and the rights, duties, and obligations it imposes) entirely intact. In rejecting the plaintiffs' argument that the amendment effectively wiped out thousands of accrued violations, the court found that BIPA's damages provision has always been discretionary. 

Plaintiffs were never guaranteed a specific recovery for each scan or disclosure. As the panel put it, the amendment "simply changed the statutory award of damages available to plaintiffs" and placed limits on the discretion of trial court judges in fashioning a remedy, rather than eliminating any substantive right. 

For employers, this ruling is a significant and welcome development. The specter of catastrophic, per-scan damages exposure that we previously flagged in connection with Cothron v. White Castle Systems, Inc. has been substantially diminished. Companies facing pending (or future) BIPA claims should see their potential liability meaningfully reduced, as plaintiffs are now limited to a single recovery for repeated collections of the same biometric identifier from the same individual. 

That said, employers should not treat this ruling as an all-clear. As we anticipated, plaintiffs may shift their litigation strategies toward alternative remedies such as injunctive relief rather than focusing exclusively on statutory damages. 

Organizations that collect biometric data — including fingerprints, facial scans, or other identifiers — should continue to ensure their practices comply with BIPA's notice and consent requirements. We will continue to monitor further developments, including any potential petition for rehearing.