The Biometric Privacy Litigation Explosion#
Biometric data (fingerprints, facial geometry, iris scans, voiceprints) is the most intimate form of personal information. Unlike a password or a card number, a compromised biometric cannot be rotated. That permanence, combined with the spread of facial recognition and fingerprint authentication, has triggered an unprecedented wave of privacy litigation.
At the center of this legal revolution stands the Illinois Biometric Information Privacy Act (BIPA), the nation’s first and most powerful biometric privacy law. With its private right of action and statutory damages of $1,000-$5,000 per violation, BIPA has spawned over 2,000 lawsuits and billions in settlements, fundamentally reshaping how companies handle biometric data.
- 2,000+ BIPA lawsuits filed in Illinois state and federal courts
- $4.5 billion+ in cumulative BIPA settlements (2019-2025), per this tracker's running tally
- $650 million largest BIPA class settlement (Facebook, 2021); $1.4 billion largest biometric privacy resolution of any kind (Texas v. Meta, 2024, under Texas CUBI)
- $228 million first BIPA jury verdict (Rogers v. BNSF, 2022), later vacated and settled for $75 million
- 3 states with standalone biometric privacy statutes (Illinois, Texas, Washington); others regulate biometrics inside comprehensive consumer privacy laws
Illinois BIPA: The Ground Zero of Biometric Litigation#
Understanding BIPA’s Framework#
Enacted in 2008, the Illinois Biometric Information Privacy Act was a legislative response to the bankruptcy of Pay By Touch, a fingerprint-based payment system that left millions of users’ biometric data in legal limbo. BIPA establishes strict requirements for the collection, use, storage, and destruction of biometric identifiers.
Key BIPA Requirements:
| Requirement | Description |
|---|---|
| Written Policy | Companies must publish a publicly available policy on biometric data retention and destruction |
| Informed Consent | Must obtain written consent before collecting biometric data, explaining purpose and retention period |
| No Profit from Biometrics | Cannot sell, lease, trade, or profit from biometric data |
| Reasonable Security | Must store and transmit biometric data using industry-standard security |
| Timely Destruction | Must destroy biometric data when the initial purpose is satisfied or within 3 years of the individual's last interaction with the entity, whichever comes first |
What Qualifies as Biometric Data:
- Fingerprints
- Retina or iris scans
- Face geometry (facial recognition templates)
- Voiceprints
- Hand geometry
NOT covered: Photographs, written signatures, demographic data, physical descriptions, tattoo descriptions, or data collected for healthcare treatment.
The Private Right of Action#
BIPA’s transformative power lies in Section 20, which grants any person “aggrieved” by a violation the right to sue directly. No actual harm need be shown; a bare procedural violation suffices (Rosenbach v. Six Flags, 2019).
Statutory Damages:
- $1,000 in liquidated damages (or actual damages, if greater) per negligent violation
- $5,000 in liquidated damages (or actual damages, if greater) per intentional or reckless violation
- Plus attorney’s fees and costs, and injunctive relief
This private enforcement mechanism, combined with class action availability, has made BIPA one of the most-litigated privacy statutes in the United States.
Cothron v. White Castle: The Case That Changed Everything#
The Ruling That Multiplied Damages#
On February 17, 2023, the Illinois Supreme Court issued its landmark ruling in Cothron v. White Castle System, Inc., fundamentally expanding BIPA liability.
The Facts: Latrina Cothron, a White Castle employee since 2004, alleged the restaurant chain violated BIPA by requiring workers to scan their fingerprints to access pay stubs and work computers, without proper consent or a written policy. Crucially, she scanned her fingerprint repeatedly over roughly 14 years, potentially thousands of times.
The Question: Does each individual biometric scan constitute a separate BIPA violation, or does liability accrue only once, when consent is first not obtained?
The Illinois Supreme Court’s Answer: Each scan is a separate violation.
The court ruled that BIPA’s language requires consent “prior to” each collection, meaning every collection or disclosure without consent triggers a new violation. For White Castle, this transformed a potential liability of $1,000-$5,000 per employee into potentially $17 billion in aggregate damages.
Impact on BIPA Litigation#
| Before Cothron | After Cothron |
|---|---|
| One violation per employee | Thousands of violations per employee |
| Manageable settlement exposure | Existential liability for defendants |
| Limited discovery focus | Intensive analysis of scan frequency |
| Moderate settlement pressure | Extreme settlement incentives |
Settlement Implications: The Cothron ruling dramatically increased settlement values. White Castle ultimately settled the case in 2024 for approximately $9.4 million, a fraction of theoretical exposure, but far more than pre-Cothron cases of similar scope.
Legislative Response: SB 2979#
In response to concerns about ruinous damages, the Illinois legislature passed SB 2979, which Governor Pritzker signed on August 2, 2024; it took effect immediately.
Key Provisions:
- A private entity that collects or discloses the same biometric identifier from the same person using the same method of collection, in more than one instance, commits a single violation, so each person can recover at most once per such course of conduct
- An electronic signature satisfies BIPA’s “written release” requirement
- Preserves the private right of action and the $1,000/$5,000 liquidated damages amounts
- Does not change the written policy, informed consent, security, or destruction requirements
Retroactivity: The amendment is silent on whether it reaches cases filed before August 2024. Defendants argue it merely clarifies existing law and so applies to pending cases; plaintiffs argue it is a substantive change that applies prospectively only. Federal courts in Illinois have been asked to decide the question, and the outcome for the roughly 1,000 cases pending at the time of passage turns on it.
Major BIPA Settlements#
The $650 Million Facebook Settlement (2021)#
The largest biometric privacy settlement in history resolved claims that Facebook’s “Tag Suggestions” facial recognition feature violated BIPA by creating facial templates without consent.
In re Facebook Biometric Information Privacy Litigation
Facebook’s Tag Suggestions feature automatically identified users in photos using facial recognition, creating biometric “faceprints” without the written release BIPA requires. The settlement covered Illinois users who submitted claims (roughly 1.6 million), with reported payments of a few hundred dollars per claimant. Before the settlement, the Ninth Circuit held in Patel v. Facebook (2019) that a BIPA procedural violation is a concrete injury sufficient for Article III standing, which allowed the class to proceed in federal court; the settlement itself resolved the claims without a merits ruling.
Key Takeaways:
- Facial geometry templates constitute biometric identifiers under BIPA
- Terms of service acceptance does not satisfy BIPA’s informed written consent requirement
- Out-of-state companies are subject to BIPA for Illinois residents’ biometric data
TikTok $92 Million Settlement (2021)#
In re TikTok Consumer Privacy Litigation
TikTok settled claims that its facial filters and “For You” recommendation system collected biometric data and viewing information without consent. The settlement covered both BIPA claims (Illinois users) and Video Privacy Protection Act and related claims (nationwide users). The case illustrated that entertainment features using facial recognition carry the same compliance obligations as security applications.
Google Photo Settlement ($100 Million, 2022)#
Rivera v. Google
Google’s Photos app face grouping feature automatically created facial recognition templates for Illinois users without BIPA-compliant consent. The settlement followed Facebook’s and reinforced the position that photo organization features using facial recognition require biometric consent separate from general terms of service.
Comprehensive BIPA Settlement Tracker#
| Company | Amount | Year | Biometric Type | Key Issue |
|---|---|---|---|---|
| Facebook (Meta) | $650,000,000 | 2021 | Facial recognition | Tag Suggestions feature |
| Clearview AI | ~$52,000,000 (equity stake) | 2024 | Facial recognition | Scraped photos sold to law enforcement |
| BNSF Railway | $228,000,000 jury verdict (2022), vacated; $75,000,000 settlement | 2024 | Fingerprints | Driver fingerprint scanning at rail yards |
| Google (Photos) | $100,000,000 | 2022 | Facial recognition | Face grouping feature |
| TikTok | $92,000,000 | 2021 | Facial recognition | Facial filters, recommendation algorithm |
| Snapchat | $35,000,000 | 2022 | Facial recognition | Lenses/filters |
| Walmart | $10,000,000 | 2023 | Fingerprints | Employee timekeeping |
| Amazon | $30,850,000 (FTC/DOJ, COPPA and FTC Act, not BIPA) | 2023 | Voice recordings/Video | Alexa and Ring data retention |
| Topgolf | $7,800,000 | 2022 | Fingerprints | Employee timekeeping |
| White Castle | $9,400,000 | 2024 | Fingerprints | Employee scanning post-Cothron |
| Kronos | $15,000,000 | 2024 | Fingerprints | Timekeeping software |
Clearview AI: The Most Controversial Biometric Case#
The Company That Scraped the Internet#
Clearview AI became the most notorious biometric privacy defendant after a 2020 New York Times investigation revealed the company had scraped billions of photographs from social media and public websites to build a facial recognition database sold primarily to law enforcement.
Clearview’s Business Model:
- Scraped 30+ billion facial images from the public internet
- Created facial recognition database without subject consent
- Sold access to over 3,100 law enforcement agencies
- Accuracy claims of 99%+ for facial matching
BIPA Litigation Against Clearview#
ACLU v. Clearview AI
The ACLU and partner organizations secured a 2022 settlement banning Clearview from selling its database to most private businesses and individuals in the United States. Clearview agreed to stop selling to any Illinois-based entity (public or private) for five years and to offer free opt-out to Illinois residents who request it. The settlement is not a merits ruling, but the court had earlier denied Clearview’s motion to dismiss, and the case stands as the leading authority that mass scraping of facial images for a commercial database is actionable under BIPA.
The Monetary Settlement:
In a separate nationwide class action (In re Clearview AI Consumer Privacy Litigation, N.D. Ill.), Clearview agreed in 2024 to a settlement valued at roughly $52 million, to be paid in the form of a company equity stake, a creative structure given the company’s uncertain financial position. Class members collectively receive a partial ownership interest in Clearview’s future operations rather than cash.
Ongoing Clearview Litigation#
| Jurisdiction | Status | Key Issue |
|---|---|---|
| Vermont | State AG action (filed 2020) | First state AG action against facial recognition |
| UK | £7.5M fine (ICO, 2022), overturned by tribunal on jurisdiction grounds in 2023; ICO appealed | Unlawful biometric processing |
| Australia | OAIC determination (2021) | Breached Privacy Act |
| France | €20M fine (CNIL, 2022) plus €5.2M penalty for non-compliance (2023) | GDPR violation |
| Italy | €20M fine (Garante, 2022) | GDPR violation |
| Greece | €20M fine (2022) | GDPR violation |
| Netherlands | €30.5M fine (2024) | GDPR violation |
Texas CUBI: The Emerging Enforcement Frontier#
Understanding the Capture or Use of Biometric Identifier Act#
Texas enacted its biometric privacy law, CUBI (Tex. Bus. & Com. Code § 503.001), in 2009, just one year after Illinois BIPA. A critical difference limited its impact for over a decade: CUBI grants enforcement authority exclusively to the Attorney General, with no private right of action.
No Private Right of Action: Despite periodic proposals, CUBI has not been amended to let individuals sue. Exposure under CUBI therefore comes from Attorney General investigations and suits, not class actions. Its civil penalties are nonetheless far larger per violation than BIPA’s.
Key CUBI Requirements:
- Cannot capture a biometric identifier for a commercial purpose without informing the person and obtaining consent
- Cannot sell, lease, or otherwise disclose a biometric identifier except in narrow statutory circumstances
- Must destroy the identifier within a reasonable time, and no later than one year after the purpose for collection expires
- Must protect the identifier with reasonable care, at least as protective as for other confidential information
Civil Penalties (recoverable by the Attorney General):
- Up to $25,000 per violation
Texas AG Enforcement Actions#
Texas AG Ken Paxton has brought the landmark CUBI enforcement actions to date:
Texas v. Meta Platforms
In July 2024 Texas AG Ken Paxton secured the largest biometric privacy resolution in history: $1.4 billion, payable over five years, resolving claims that Meta’s Facebook used facial recognition to automatically tag users in photos without the informed consent CUBI requires. Meta had already shut down its facial recognition system and deleted the associated templates in 2021. The settlement dwarfed the $650 million BIPA Facebook class settlement.
Texas v. Google
Texas AG sued Google in 2022 for allegedly collecting biometric data through Google Photos, Nest devices, and Google Assistant without proper consent, seeking civil penalties, injunctive relief, and attorney’s fees. (In May 2025 Texas announced a $1.375 billion settlement resolving this case together with separate location-tracking and Incognito-mode claims.)
Where CUBI Exposure Concentrates#
Because CUBI is enforced only by the Attorney General, the technologies that draw BIPA class actions in Illinois draw AG scrutiny in Texas. The uses most exposed are:
- Retail chains using facial recognition loss prevention
- Employers using fingerprint timekeeping
- Fitness centers with fingerprint check-in
- Entertainment venues with facial recognition
- Healthcare facilities using biometric patient identification
Washington Biometric Privacy Law#
HB 1493: A Different Approach#
Washington enacted its biometric privacy law, HB 1493, in 2017. Unlike Illinois and Texas, Washington’s law:
- Has no private right of action
- Grants enforcement authority solely to the AG
- Requires consent but defines it more broadly
- Focuses primarily on biometric data in commercial contexts
Key Requirements:
- Notice requirement before enrollment
- Consent required for commercial use
- Must not sell, lease, or trade biometric identifiers
- Reasonable security measures required
Washington Enforcement Landscape#
Washington’s AG has brought no public enforcement action under HB 1493 comparable to the Texas actions. Two other developments matter more for biometric data in Washington:
Washington’s My Health My Data Act (2023, effective March 31, 2024) treats biometric data as “consumer health data,” requires opt-in consent for collection and sharing, and, unlike HB 1493, is enforceable through a private right of action under the state Consumer Protection Act.
The most prominent enforcement over Alexa voice data came from the FTC and DOJ in 2023 ($25 million over Alexa retention of children’s recordings and failure to honor deletion requests, plus $5.8 million over Ring). Those actions were brought under COPPA and the FTC Act, not a biometric statute, so they left open whether voice assistant recordings are “voiceprints.”
Emerging Biometric Technologies and Litigation#
Emotion Recognition AI#
The next frontier of biometric litigation involves emotion recognition AI, systems that analyze facial expressions, voice tone, and physiological signals to infer emotional states.
Applications Under Scrutiny:
- Job interview platforms analyzing candidate expressions
- Customer service call centers scoring emotional responses
- Classroom attention monitoring
- Insurance risk assessment from facial expressions
Legal Status: BIPA does not mention emotion recognition, and the 2024 amendment (SB 2979) did not address it; whether a given system is covered turns on whether it derives a scan of face geometry or a voiceprint, as opposed to a non-identifying expression score. The EU AI Act (Article 5) bans emotion recognition systems in the workplace and in education, except for medical or safety reasons.
Palmprint and Vein Pattern Recognition#
Amazon One (Palm Payment): Amazon’s “Amazon One” system at Whole Foods and other venues identifies shoppers from palm and subcutaneous vein images. It is a test case for statutory coverage: BIPA enumerates a “scan of hand or face geometry,” and CUBI a “record of hand or face geometry,” and neither names vein patterns, so whether palm-vein templates fall within the definitions is untested. No reported decision has yet held a palm-payment system liable under either statute.
Gait Recognition#
Emerging Technology: AI systems can now identify individuals by their walking pattern, gait recognition. This technology:
- Works at a distance without subject awareness
- Cannot be easily disguised (unlike facial recognition)
- Raises questions about whether gait qualifies as a biometric identifier
Legal Uncertainty: Neither BIPA nor CUBI names gait in its list of identifiers (retina or iris scan, fingerprint, voiceprint, scan or record of hand or face geometry). Because both lists are closed, courts would have to stretch an existing category to reach gait patterns, or legislatures would have to add it.
Employer Biometric Cases#
Workplace Fingerprint Scanning#
The most common BIPA cases involve employer fingerprint timekeeping systems.
Common Defendants:
- Manufacturers and warehouses using Kronos timekeeping
- Restaurants with fingerprint POS systems
- Healthcare facilities with fingerprint medication dispensing
- Retail chains with fingerprint-based employee access
Rogers v. BNSF Railway
The first-ever BIPA jury trial (October 2022) resulted in a $228 million verdict against BNSF Railway for requiring truck drivers entering its rail yards to scan fingerprints without proper consent. The jury found 45,600 violations, and the court applied $5,000 per violation under the reckless standard. In June 2023 the trial judge vacated the damages award, reading Cothron to make liquidated damages discretionary rather than automatic, and ordered a new trial on damages; the parties then settled for $75 million in 2024. The verdict still demonstrates the exposure employers face for non-compliant biometric programs.
Key Employer Defense Strategies#
| Defense | Success Rate | Notes |
|---|---|---|
| Arbitration clauses | Moderate | Courts split on whether BIPA claims are arbitrable |
| Statute of limitations | Limited | 5-year statute (Tims v. Black Horse Carriers, 2023); under Cothron each scan accrues a new claim, though SB 2979 now limits recovery to one violation per person |
| Consent obtained | Low | A complete defense only if the release was written (electronic signatures now qualify), specific as to purpose and retention, and obtained prior to collection |
| Not biometric data | Variable | Works for photos; fails for facial templates |
| Extraterritoriality | Moderate | BIPA applies to biometric captures occurring in Illinois |
Other State Biometric Laws#
State-by-State Comparison#
| State | Law | Private Right of Action | Enforcement | Key Feature |
|---|---|---|---|---|
| Illinois | BIPA (2008) | Yes | Private (AG may also act under consumer protection law) | $1,000-$5,000 per violation |
| Texas | CUBI (2009) | No | AG only | Up to $25,000 per violation |
| Washington | HB 1493 (2017); My Health My Data Act (2023) | No under HB 1493; Yes under MHMDA | AG + Private (MHMDA) | MHMDA treats biometric data as consumer health data |
| California | CCPA/CPRA (2020) | Only for data breaches | CPPA + AG | Biometrics are “sensitive personal information” |
| New York City | Admin. Code § 22-1201 et seq. (2021) | Yes | Private | Signage required for commercial establishments; sale of biometric identifiers banned |
| Virginia | VCDPA (2023) | No | AG only | Part of comprehensive privacy law |
| Colorado | CPA (2023) | No | AG + district attorneys | Part of comprehensive privacy law |
| Connecticut | CTDPA (2023) | No | AG only | Part of comprehensive privacy law |
Pending Legislation#
Several states are considering BIPA-style laws with private rights of action:
- Maryland (HB 33, 2024)
- Massachusetts (SD 2701, 2024)
- New Jersey (S 3261, 2024)
- Arizona (multiple bills, 2024)
AI-Specific Biometric Issues#
Facial Recognition in AI Training#
A growing litigation category involves facial images used to train AI systems without consent:
Vance v. Microsoft (W.D. Wash.)
Plaintiffs alleged that Microsoft obtained IBM’s “Diversity in Faces” dataset, built from Flickr photos that included Illinois residents, and used it to improve facial recognition models without BIPA-compliant consent. Parallel suits targeted Amazon and Google. The court granted summary judgment to Microsoft in 2022, holding that BIPA does not reach conduct that occurred outside Illinois. The cases left open whether training an AI model on facial images requires biometric consent when the collection does occur in Illinois.
Voice AI and Biometric Claims#
Voice assistants and AI voice cloning raise novel biometric issues:
Voiceprint Collection:
- Call center AI analyzing voice for identity verification
- Voice assistants creating voiceprints for speaker recognition
- AI voice cloning services capturing vocal characteristics
Litigation: The FTC/DOJ Alexa and Ring settlements ($30.85 million combined, 2023) addressed voice recording retention and deletion under COPPA and the FTC Act, not BIPA, and didn’t resolve whether voice assistant recordings or the speaker models derived from them are “voiceprints” under BIPA.
Practical Compliance Guidance#
BIPA Compliance Checklist#
For organizations collecting biometric data in Illinois:
Publish a Written Policy
- Retention schedule and destruction guidelines
- Publicly available
- Updated annually
Obtain Informed Written Consent
- Before any biometric collection
- Specify purpose and retention period
- Separate from general terms of service
- Keep signed consent records
Limit Data Use
- No sale, lease, trade, or profit from biometric data
- Use only for stated purposes
- No third-party sharing without consent
Implement Security
- Industry-standard encryption
- Access controls
- Incident response procedures
Destroy Timely
- When purpose is achieved, OR
- Within 3 years of last interaction
- Whichever comes first
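The consent and destruction rules above are the two checklist items that a data owner can verify mechanically. The following is an added example, not code from the page or from any vendor named on it: a retention sweep over an enrollment register that flags records with no written release on file, records whose release post-dates the first capture (BIPA requires consent "prior to" collection), and records past or approaching the Section 15(a) destruction deadline (purpose satisfied, or three years after the last interaction, whichever is first). The `Enrollment` schema, the 30-day warning window, and the sample register are assumptions constructed for the example; a real deployment would read the register from the identity or timekeeping system of record.

```python
"""Retention and consent audit for a biometric enrollment register.

Added example (not from the page or any vendor). The schema, the sample
register and the 30-day warning window are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Operational warning window, not a statutory number.
DUE_SOON_WINDOW = timedelta(days=30)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 rolls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Enrollment:
    subject_id: str
    identifier_type: str                      # e.g. "fingerprint", "face_geometry"
    enrolled_on: date                         # first capture of the identifier
    last_interaction_on: date                 # most recent interaction with the subject
    consent_signed_on: Optional[date] = None  # written release date; None = nothing on file
    purpose_satisfied_on: Optional[date] = None  # e.g. employment ended
    destroyed_on: Optional[date] = None       # set once the template is deleted


def destruction_deadline(e: Enrollment) -> date:
    """Earlier of purpose satisfied or three years after last interaction (BIPA 15(a))."""
    deadline = add_years(e.last_interaction_on, 3)
    if e.purpose_satisfied_on is not None:
        deadline = min(deadline, e.purpose_satisfied_on)
    return deadline


def audit(register: List[Enrollment], today: date) -> Dict[str, List[str]]:
    """Return findings per subject; compliant and already-destroyed records are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in register:
        if e.destroyed_on is not None:
            continue
        issues: List[str] = []
        if e.consent_signed_on is None:
            issues.append("NO_WRITTEN_CONSENT")
        elif e.consent_signed_on > e.enrolled_on:
            issues.append("CONSENT_AFTER_COLLECTION")
        deadline = destruction_deadline(e)
        if deadline <= today:
            issues.append("RETENTION_OVERDUE")
        elif deadline - today <= DUE_SOON_WINDOW:
            issues.append("DESTRUCTION_DUE_SOON")
        if issues:
            findings[e.subject_id] = issues
    return findings


def destroy_list(register: List[Enrollment], today: date) -> List[str]:
    """Subjects whose templates must be deleted now."""
    return [e.subject_id for e in register
            if e.destroyed_on is None and destruction_deadline(e) <= today]


# Constructed sample register (fictional subjects and dates).
TODAY = date(2025, 1, 15)
REGISTER = [
    Enrollment("emp-001", "fingerprint", date(2021, 3, 1), date(2024, 12, 20),
               consent_signed_on=date(2021, 2, 25)),
    Enrollment("emp-002", "fingerprint", date(2019, 6, 10), date(2021, 9, 30),
               consent_signed_on=date(2019, 6, 10), purpose_satisfied_on=date(2021, 9, 30)),
    Enrollment("emp-003", "face_geometry", date(2020, 2, 29), date(2021, 11, 1)),
    Enrollment("emp-004", "fingerprint", date(2022, 5, 2), date(2022, 2, 3),
               consent_signed_on=date(2022, 5, 9)),
    Enrollment("emp-005", "fingerprint", date(2018, 1, 8), date(2019, 12, 31),
               consent_signed_on=date(2018, 1, 8), destroyed_on=date(2023, 1, 1)),
]

if __name__ == "__main__":
    for subject, issues in audit(REGISTER, TODAY).items():
        print(subject, ", ".join(issues))
    print("destroy now:", destroy_list(REGISTER, TODAY))
```

Run as a scheduled job, `destroy_list` feeds the deletion step and `audit` feeds the compliance report; the two consent findings are the ones plaintiffs look for first in discovery, and the sweep surfaces them before a complaint does.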
Vendor Contract Requirements#
Organizations using third-party biometric services should contractually require:
- BIPA/CUBI compliance representations
- Indemnification for privacy violations
- Right to audit compliance
- Data deletion upon termination
- Notification of regulatory inquiries
Frequently Asked Questions#
General BIPA Questions#
Q: Does BIPA apply to companies based outside Illinois?
A: Yes. BIPA applies to any entity that collects biometric data from Illinois residents, regardless of where the company is headquartered. The Facebook ($650M) and TikTok ($92M) settlements both involved out-of-state defendants.
Q: Can I sue under BIPA if my employer used my fingerprint without consent?
A: Yes. Employees can sue current or former employers for BIPA violations. The Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park (2022) that the Workers’ Compensation Act’s exclusivity provision does not bar BIPA claims, because a privacy injury is not a compensable workplace injury.
Q: What is the statute of limitations for BIPA claims?
A: Five years, as the Illinois Supreme Court held in Tims v. Black Horse Carriers (2023). Under Cothron each scan accrues a new claim, so ongoing collection keeps extending the period; SB 2979 now limits recovery to a single violation per person per method of collection, but a claim can still be brought within five years of the last non-compliant scan.
Q: Do I need to show actual harm to sue under BIPA?
A: No. BIPA provides statutory damages ($1,000-$5,000 per violation) regardless of whether the plaintiff suffered actual harm. The Illinois Supreme Court confirmed this in Rosenbach v. Six Flags (2019).
Post-Cothron Questions#
Q: Does SB 2979 apply to pending cases?
A: Unsettled. The amendment does not say, and the parties in pending cases dispute whether it clarifies existing law (and so applies to pending claims) or changes it (and so applies only prospectively). Until appellate courts resolve the question, cases filed before August 2024 may still be argued under Cothron’s per-scan theory.
Q: How do courts calculate damages after Cothron?
A: Cothron itself noted that BIPA says a prevailing party “may” recover liquidated damages, leaving the amount to the trial court’s discretion rather than requiring a mechanical per-scan multiplication. The Rogers v. BNSF court relied on that passage to vacate a $228 million verdict, and White Castle’s theoretical exposure of more than $17 billion settled for about $9.4 million.
Compliance Questions#
Q: Does a privacy policy on our website satisfy BIPA’s written policy requirement?
A: Possibly, if the policy is publicly available and specifically addresses biometric data retention and destruction. Generic privacy policies that don’t mention biometrics are insufficient.
Q: Can terms of service acceptance constitute BIPA consent?
A: Generally no. BIPA requires consent specific to biometric collection, explaining the purpose and retention period. Clicking “I agree” to general terms doesn’t satisfy this requirement.
Q: Are photographs considered biometric data under BIPA?
A: Photographs alone are not biometric identifiers. However, if photographs are processed to extract facial geometry templates, those templates are biometric identifiers requiring consent.
Resources and Further Reading#
Key Court Decisions#
- Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. 2023), per-scan accrual
- Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Ill. 2023), five-year limitations period
- McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511 (Ill. 2022), workers’ compensation exclusivity does not bar BIPA claims
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019), no actual harm required
- Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), Article III standing for BIPA procedural violations
- In re Facebook Biometric Info. Privacy Litig., No. 15-cv-03747 (N.D. Cal.), facial recognition settlement
- Rogers v. BNSF Railway Co., No. 19-cv-03083 (N.D. Ill.), first BIPA jury verdict (2022), vacated (2023), settled (2024)
Regulatory Guidance#
- Illinois Attorney General BIPA FAQ
- Texas Attorney General CUBI Guidance
- FTC Facial Recognition Guidelines
Industry Standards#
- NIST Special Publication 800-76: Biometric Specifications
- ISO/IEC 24745: Biometric Information Protection
- IEEE P2089: Age-Appropriate Digital Services Framework
This tracker is updated regularly as new cases are filed, settlements announced, and legislative changes enacted. Last updated: January 2025.