The Illinois Biometric Information Privacy Act (BIPA) is a prime example of a misdirected law that has led to more litigation abuse than consumer protection. This edition of ILR Briefly takes a close look at BIPA – the only state biometric privacy law that authorizes a private right of action – and documents how the law has become a litigation magnet.

Following the law’s enactment in 2008, hardly any lawsuits were filed under BIPA until 2016, when the first class-wide settlement was approved for a lawsuit under the statute. BIPA lawsuits immediately picked up to a steady stream that became a flood in 2019, after the Illinois Supreme Court’s decision in Rosenbach v. Six Flags established that plaintiffs do not need to show they suffered actual harm in order to sue – all they need to do is claim the defendant violated one of BIPA’s numerous, highly technical provisions.

The upshot is that 2019 closed out with nearly 300 BIPA lawsuits filed in Illinois – almost four times the total for 2018, the previous high watermark. All told, according to a search of court filings, plaintiffs’ lawyers have filed over 900 cases alleging BIPA violations through September 2021.

These lawsuits have targeted a broad swathe of businesses both large and small, for alleged violations linked to collecting, using, and sharing biometric identifiers (like a fingerprint scan for clocking into work, or a voiceprint for activating hands-free features like volume control).

In fact, according to the Illinois Chamber, it is mostly small businesses that are facing litigation under BIPA. Because the law is so complex – and unlike other state biometric privacy laws, does not contain a “cure period” for businesses to correct mistakes – it can be extremely difficult to follow for small businesses that can’t afford large compliance departments. Even small technical mistakes can result in millions of dollars in liability, since BIPA allows plaintiffs to seek $1,000 – $5,000 in damages per violation of the law.

As it stands, BIPA’s private right of action, its low hurdles to bring suit, and its technical complexity make this law a lucrative target for plaintiffs’ lawyers, who routinely harvest millions of dollars in settlement proceeds while BIPA plaintiffs get far less. Legislators considering biometric privacy laws for their own states should study BIPA closely – not as a blueprint, but as a lesson in what not to do.


Megan L. Brown, Duane C. Pozza, Kathleen E. Scott, and Tawanna D. Lee, Wiley Rein LLP.