The Illinois BIPA statute — the Biometric Information Privacy Act — remains one of the most expensive compliance traps in American employment law. A 2024 amendment took some of the sting out of the damages math, but do not mistake that for safety. Fingerprint timeclocks are still lawsuit bait, and the plaintiffs’ bar is still filing.
If your business scans fingerprints, faces, or any other biometric identifier to track time, this guide explains what Illinois BIPA requires in 2026, how the damages rules changed, and why a simple onboarding mistake can still turn into a class action.

What You’ll Learn
What Illinois BIPA Requires from Employers
Illinois BIPA governs how private entities collect, store, and use biometric identifiers such as fingerprints, retina or iris scans, voiceprints, and hand or face geometry. Before an employer captures any of that data, the law requires several steps that are easy to skip in a busy hiring process.
At a minimum, a covered employer must maintain a written, publicly available retention-and-destruction policy, provide written notice of what is collected and why, and obtain a written release from each person before collection. Illinois BIPA also bars businesses from selling or profiting from biometric data and requires reasonable safeguards for storage. The full statute is published by the Illinois General Assembly.
These duties sit alongside other Illinois workplace obligations; our overview of the Illinois pricing and consumer rules shows how aggressively the state enforces disclosure requirements generally.
Fingerprint Timeclocks: Why They Trigger Illinois BIPA
Fingerprint timeclocks are the classic Illinois BIPA defendant. Every time an employee presses a finger to clock in or out, the device captures a biometric identifier — squarely within the statute. Because the collection is routine and repeated, a single non-compliant timekeeping system can sweep in an entire workforce.
The problem is rarely the technology itself. It is the paperwork. Employers roll out a biometric clock without a written policy, without notice, and without signed consent, then discover years later that every scan since day one was arguably unlawful. Vendors that process the data can be liable too, which is why regtech and compliance systems should be vetted before deployment.
The 2024 Amendment: How SB 2979 Capped Damages
For years, courts treated each scan as a separate Illinois BIPA violation. With two scans a day, five days a week, a single employee could rack up hundreds of “violations” per year — and statutory damages of up to $5,000 apiece produced eye-watering, sometimes company-ending, exposure.
Senate Bill 2979, signed into law on August 2, 2024, changed that. Under the amendment, collecting the same biometric identifier from the same person by the same method counts as a single violation, not one per scan. The same law also confirmed that an electronic signature satisfies the written-consent requirement. Statutory damages remain significant — $1,000 for negligent violations and $5,000 for intentional or reckless ones — but the per-scan multiplier is gone.
Why Illinois BIPA Is Still Lawsuit Bait
Capping the multiplier did not close the courthouse. Illinois BIPA is still lawsuit bait for several reasons:
- Consent gaps persist. If you never obtained written consent, you still have a violation for every employee — just capped at one each.
- New hires reset the risk. Every onboarding that skips the notice-and-release step creates a fresh claim.
- Long limitations window. BIPA carries a five-year statute of limitations, so old lapses stay actionable.
- Class aggregation. Even at one violation per person, a few hundred employees at $1,000–$5,000 each adds up fast, as recent fingerprint-timeclock settlements show.
In short, the amendment reduced worst-case exposure without eliminating everyday liability. Employers that treated the 2024 fix as permission to relax are the ones getting sued. When disputes escalate, they often overlap with the ownership and control fights covered in our business partnership disputes guide.
What the Seventh Circuit Retroactivity Ruling Means
A key open question was whether the SB 2979 damages fix applied to cases already pending when it passed. The U.S. Court of Appeals for the Seventh Circuit answered yes — the amendment applies retroactively. That ruling meaningfully reduced exposure in existing Illinois BIPA litigation and gave defendants a stronger settlement position.
Retroactivity is helpful, but it is a damages limit, not a liability shield. Federal regulators also continue to scrutinize biometric practices; the Federal Trade Commission’s guidance on biometric information signals broader enforcement interest beyond Illinois.
Compliance Checklist for Biometric Timekeeping
Bringing a fingerprint timeclock into Illinois BIPA compliance is straightforward if you do it before, not after, deployment:
- Publish a written biometric retention-and-destruction policy.
- Give every worker written notice of what is collected, the purpose, and the retention period.
- Obtain a signed (paper or electronic) release before the first scan.
- Confirm your timeclock vendor’s data handling and contract terms.
- Audit existing employees and re-paper any missing consents now.
For litigation exposure and class-action defense, the trial team at Howard Law Group handles biometric privacy matters, while operators building repeatable onboarding controls often work with Collateral Base on the process side. Wage-and-hour timekeeping rules interact with BIPA too, as our wage compliance coverage explains.
This summary is specific to Illinois and current as of 2026. Verify the latest statute and case law before acting.
Frequently Asked Questions
Are fingerprint timeclocks legal under Illinois BIPA?
Yes, if the employer first publishes a retention policy, gives written notice, and obtains a signed release before collecting any fingerprints. The technology is legal; skipping the consent steps is what creates liability.
Did the 2024 amendment end BIPA lawsuits?
No. SB 2979 capped damages at one violation per person per method rather than one per scan, but employers with missing consents can still be sued, and the five-year limitations period keeps old lapses actionable.
What are the damages under Illinois BIPA?
Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees. After the 2024 amendment, repeated scans of the same person by the same method count as one violation.
Does the damages amendment apply to old cases?
Yes. The Seventh Circuit held that the SB 2979 damages amendment applies retroactively to cases pending when it was enacted, reducing exposure in existing litigation.
Next Steps
If your business uses any biometric timekeeping, an Illinois BIPA audit is the cheapest insurance you can buy. Contact Howard East to review your consent forms, vendor contracts, and retention policy before a demand letter arrives.
This article is general information, not legal advice. No attorney-client relationship is created by reading it. Attorney Advertising.


