RatedWithAI

RatedWithAI

Accessibility scanner

Biometric PrivacyJuly 9, 2026

BIPA's 2024 Amendment: Single-Incident Damages Cap for AI Vendors 2026

Illinois amended its Biometric Information Privacy Act in 2024 to cap statutory damages at one violation per person, per method of collection — closing off the per-scan damages stacking that had driven some of the largest BIPA settlements. AI companies using facial recognition, voice biometrics, or gaze tracking still face real exposure; the calculus just changed.

1 per method
A violation now accrues once per person, per collection method — not per scan
$1K–$5K
Per-violation statutory damages remain unchanged by the amendment
Prospective
Courts have generally applied the change forward, not to past conduct

Why the Amendment Happened

Before 2024, Illinois courts had interpreted BIPA to allow damages to accrue every time a company scanned or captured someone's biometric identifier — meaning an employee clocking in with a fingerprint scanner five days a week, or a user whose face was scanned on every login, could generate thousands of separate "violations" over time. That interpretation produced settlement and verdict figures large enough to threaten the viability of any company using biometric tools at scale, and it became the central argument for legislative reform.

The amendment responded directly: a violation now accrues once per person, per method of collection or disclosure — not once per capture event. Repeated scans through the same collection method against the same person count as a single violation for damages purposes.

What Actually Changed

Damages no longer stack per scan

A facial-recognition login system used daily by an employee for a year is now, at most, a single violation for that collection method — not hundreds. This is the amendment's core effect and the one most relevant to AI vendors with high-frequency biometric touchpoints.

Electronic signatures now satisfy the written-consent requirement

BIPA requires a written release before biometric collection. The amendment confirms an electronic signature satisfies that requirement, removing ambiguity that had complicated purely digital consent flows for AI products.

What Didn't Change

The amendment is narrower than headlines sometimes suggest. It did not touch:

  • Per-violation damages amounts — $1,000 for negligent violations and $5,000 for reckless or intentional violations remain in place; only the counting method changed.
  • Written notice and consent requirements — companies must still inform individuals in writing of the collection purpose and retention schedule and obtain a written release before capturing biometric data.
  • The private right of action — individuals can still sue directly without needing to show actual injury beyond the statutory violation itself, and class actions remain the dominant enforcement mechanism.
  • Retention and destruction obligations — biometric data must still be destroyed within the statutory window once the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the company.
  • Multiple collection methods, multiple violations — a company using both facial recognition and voice biometrics against the same person can still face separate violations for each distinct method.

What This Means for AI Vendors

For AI companies building facial recognition, voice authentication, gaze tracking, or any tool that processes biometric identifiers, the amendment reduces the worst-case tail risk from runaway per-scan damages calculations — a meaningful relief for high-frequency use cases like login authentication or continuous monitoring. But it does not reduce the underlying compliance burden: notice, consent, a public retention policy, and defensible data-handling practices are still mandatory, and class-action exposure on a per-person, per-method basis can still reach significant aggregate figures across a large user base.

Compliance Checklist Post-Amendment

Inventory every product feature that collects facial, voice, gait, or other biometric identifiersStart here
Confirm written consent is captured before first collection — electronic signature is now expressly validEssential
Publish a written retention and destruction schedule and follow itEssential
Map each distinct collection method separately — the per-method cap doesn't merge different biometric modalitiesEssential
Don't rely on the amendment to reduce exposure for pre-amendment conduct — treat it as prospectiveLegal review
Review vendor and processor agreements for biometric-handling indemnificationVendor risk

Biometric compliance is one part of a larger risk surface

RatedWithAI scans your web properties for the accessibility and compliance gaps that turn into complaints. Start with a free scan.

Scan Your Site for Free →

Frequently Asked Questions

Does the BIPA amendment lower the $1,000–$5,000 per-violation damages figures?

No. The dollar amounts per violation are unchanged. What changed is how a 'violation' is counted — once per person, per collection method, rather than once per individual scan or capture event.

Can a company still face a large class-action settlement under BIPA?

Yes. With statutory damages calculated per person per method and no cap on class size, aggregate exposure across a large user base can still reach tens of millions of dollars, even without per-scan stacking.

Does the amendment apply to biometric data collected before 2024?

Courts have generally treated the change as applying prospectively. Conduct and violations predating the amendment's effective date should be assessed under the prior interpretation — don't assume retroactive relief without legal review.

Is a click-through consent checkbox enough under the amended law?

The amendment confirms electronic signatures satisfy the written-release requirement, but the release must still be informed — disclosing the specific purpose and retention period for the biometric data. A generic terms-of-service checkbox without that specificity remains legally risky.

Related Guides