By Ryan Windt | Head of Growth Marketing | Updated July 2026
If your employees clock in with a fingerprint, or your store uses facial recognition, or you collect a voiceprint anywhere in your operations, you are touching one of the fastest-moving areas of privacy litigation in the country. A single Illinois statute has generated thousands of class actions and settlements in the hundreds of millions of dollars. The uncomfortable part for most businesses is not the exposure itself. It is discovering, after a claim lands, that the cyber policy they assumed would respond quietly excludes the whole category.
What BIPA Actually Requires
The Illinois Biometric Information Privacy Act, passed in 2008, was the first biometric privacy law in the United States and remains the one that matters most for litigation. It governs biometric identifiers such as fingerprints, retina and iris scans, voiceprints, and scans of hand or facial geometry, along with any information derived from them.
The law imposes three core duties on private businesses. You must maintain a written, publicly available policy with a retention schedule and a rule for destroying biometric data once its purpose is met. You must give written notice and obtain consent before you collect. And you cannot disclose or disseminate biometric data without consent. The consent requirement is the one that trips up most defendants.
What makes BIPA different from almost every other privacy law is that individuals can sue directly. Statutory damages run to $1,000 for each negligent violation and $5,000 for each reckless or intentional one, or actual damages if greater. And in Rosenbach v. Six Flags, the Illinois Supreme Court held that a person does not need to show any actual harm to sue. The bare violation is enough. That combination, a private right of action plus damages that do not require proof of injury, is what turned BIPA into a class-action engine.
Why the Exposure Ballooned, Then Shrank
For several years the exposure grew in one direction only. In Tims v. Black Horse Carriers, the state’s high court applied a five-year statute of limitations to all BIPA claims. Then in Cothron v. White Castle, the court held that a separate violation accrues every single time biometric data is captured or transmitted without consent. For an employer whose staff scan a fingerprint to start each shift, that meant potentially hundreds of violations per employee, and damage math that could threaten the survival of the business.
The legislature stepped in. In August 2024, Illinois enacted SB 2979, which provides that repeatedly collecting or disclosing the same person’s biometric data using the same method counts as a single violation, entitling the individual to one recovery at most. The same amendment confirmed that an electronic signature satisfies the written consent requirement. Then, in April 2026, the Seventh Circuit held that this damages limit applies retroactively to cases that were already pending, treating it as a remedial change rather than a new substantive right.
The net effect is real relief, but it is easy to overread. The per-scan multiplier is gone, which pulls the most extreme damage scenarios off the table. What has not changed at all is the underlying duty: you still need notice, consent, and a retention policy, and a business that skips those steps is still exposed to per-person statutory damages across a five-year window and the cost of defending a class action.
The 2024 amendment lowered the ceiling on damages. It did not lower the odds of being sued. The consent and notice obligations that generate the lawsuits in the first place are exactly the same as they were.
Who Is Actually Getting Sued
The litigation clusters around a few predictable fact patterns. The largest by far is employee timekeeping: fingerprint or hand-scan time clocks used to stop buddy punching. Retail and hospitality businesses using facial recognition or fingerprint point-of-sale systems are a second cluster. Staffing and PEO firms draw claims because they fingerprint workers during onboarding, often through a third-party vendor. Healthcare, warehousing, and manufacturing all show up because biometric access controls are common on the floor.
The through-line is that none of these businesses think of themselves as being in the biometric data business. They adopted a time clock or an access system for an ordinary operational reason, and inherited a privacy-law exposure they never priced in.
Does Your Cyber Policy Actually Cover a BIPA Claim?
This is where businesses get surprised, because the answer has been moving against policyholders. BIPA claims have historically been tendered across several policy types, and each responds differently.
| Policy type | How it tends to respond to BIPA |
|---|---|
| Cyber liability | Historically responded through the privacy insuring agreement when the definition of confidential information was broad enough to include biometric data. Carriers are now adding express biometric and wrongful-collection exclusions. |
| Commercial general liability | Some older policies were found to owe a defense as a privacy offense, as in West Bend v. Krishna Schaumburg Tan. Newer policies carry broad violation-of-law exclusions that courts have enforced to bar BIPA claims. |
| Employment practices liability | May respond where invasion of privacy is a covered wrongful act, but many carriers now add absolute biometric exclusions, and some argue biometrics were never contemplated at all. |
Two exclusions do most of the work when a carrier denies. The first is the recording and distribution, or violation-of-law, exclusion. In cases like Visual Pak and Wexford, Illinois appellate courts found that a broadly worded catch-all barring coverage for statutes that limit the collecting or recording of information was broad enough to sweep in BIPA. Earlier, narrower versions of the same exclusion were held not to reach BIPA at all, which is why the exact wording matters so much.
The second, and the one to watch going forward, is the wrongful collection exclusion. It targets claims arising from unauthorized or unlawful data gathering, and newer versions name BIPA directly, often alongside the video privacy and pixel-tracking statutes that drive similar suits against marketing and ad-tech businesses. The important nuance is that this exclusion is fact-driven. It is aimed at knowing collection without consent. Where a business can show it obtained proper consent and acted in good faith, there is a real argument that the exclusion should not apply.
Whether your policy responds is decided in the exclusions, not the coverage grant. And the exclusion usually turns on one question: did you get documented consent before you collected? That single fact can be the difference between a defended claim and a denied one.
Not sure whether your policy would defend a biometric claim or quietly exclude it? That answer lives in your exclusions, not your coverage grant, and most businesses have never read that far into the policy.
What to Do Before a Claim, Not After
Biometric exposure is one of the few privacy risks where the right paperwork, done in advance, changes both your liability and your coverage. A few practical steps:
- Map every place you collect biometric data, including time clocks, access controls, point-of-sale systems, and anything a vendor runs on your behalf. You cannot manage what you have not inventoried.
- Get written consent before collection, and keep the records. Electronic signatures now count, so a clear checkbox with proper disclosure is enough. Documented consent is also your strongest argument if a wrongful-collection exclusion is raised.
- Publish a biometric retention and destruction policy and actually follow the schedule. This is a standalone BIPA duty, separate from consent.
- Read your cyber, EPL, and CGL policies specifically for biometric, wrongful-collection, and violation-of-law exclusions. If you are not sure how to find them, our guide on how to read a cyber insurance policy walks through where exclusions live.
- Check your vendor contracts. If a third party runs your biometric system, you may be an additional insured on their policy, or you may have shifted risk to them by contract. Confirm it rather than assume it. Our note on vendor risk and cyber insurance covers what to verify.
For the broader picture of what standard policies leave out, see cyber insurance exclusions and why claims get denied, and for how a coverage dispute can hinge on what you represented, how application accuracy affects a claim.
Is This Only an Illinois Problem?
For now, the litigation risk is concentrated in Illinois, because BIPA is the biometric law with a strong private right of action. Texas and Washington have biometric statutes, but they are enforced by the state attorney general rather than through private lawsuits, which is why they have generated a fraction of the claims. The reason to treat this as more than an Illinois issue is direction of travel: several other states have introduced BIPA-style bills that would create their own private rights of action. If even a couple pass, the map of exposure widens quickly, and businesses operating in multiple states will want coverage that already contemplates it.
Frequently Asked Questions
Does cyber insurance cover a BIPA claim?
Sometimes, and less reliably than it used to. Cyber policies have historically covered biometric claims through the privacy insuring agreement, but carriers are increasingly adding express biometric and wrongful-collection exclusions. Whether yours responds depends on the specific exclusion wording and on whether you obtained documented consent.
We only use a fingerprint time clock. Are we really exposed?
Yes. Employee timekeeping is the single most common source of BIPA class actions. The claim is not about a data breach, it is about collecting the fingerprint without the required written notice and consent in the first place.
Did the 2024 amendment eliminate BIPA risk?
No. The 2024 amendment, now applied retroactively by the Seventh Circuit, limits repeated collection using the same method to a single violation per person, which removes the most extreme damage scenarios. It did not change the underlying consent, notice, and retention duties, and it did not stop the lawsuits.
Does BIPA apply to businesses outside Illinois?
BIPA protects Illinois residents, so a business anywhere can face a claim if it collects biometric data from people in Illinois. Other states are considering similar laws with private rights of action, which would broaden the exposure beyond Illinois.
What is a wrongful collection exclusion?
It is a policy exclusion that bars claims arising from unauthorized or unlawful data collection, and newer versions name BIPA specifically. It is generally aimed at knowing collection without consent, so documented consent and good-faith compliance are the facts that argue against it applying.
Related Resources
- Cyber Insurance Exclusions: What Most Policies Won’t Cover and Why Claims Get Denied
- Understanding Your Cyber Policy: What the Language Actually Means
- Cyber Insurance Application Errors: What They Cost You at Claim Time
- Cyber Insurance for Staffing and PEO Firms
- What Underwriters Now Verify About Your Vendor Risk Program
SeedPod Cyber is a specialized provider of cyber and Tech E&O coverage. If your business collects biometric data anywhere in its operations, it is worth knowing whether your current policy would actually respond to a BIPA claim before one arrives. Talk to our team or see what our coverage includes.
This article is general information, not legal advice. Biometric privacy law is evolving quickly, and how it applies to your business depends on your specific facts. Consult qualified counsel for advice on your situation.