BIPA's 2024 Amendment: Single-Incident Damages Cap for AI Vendors 2026
Illinois amended its Biometric Information Privacy Act in 2024 to cap statutory damages at one violation per person, per method of collection — closing off the per-scan damages stacking that had driven some of the largest BIPA settlements. AI companies using facial recognition, voice biometrics, or gaze tracking still face real exposure; the calculus just changed.
Why the Amendment Happened
Before 2024, Illinois courts had interpreted BIPA to allow damages to accrue every time a company scanned or captured someone's biometric identifier — meaning an employee clocking in with a fingerprint scanner five days a week, or a user whose face was scanned on every login, could generate thousands of separate "violations" over time. That interpretation produced settlement and verdict figures large enough to threaten the viability of any company using biometric tools at scale, and it became the central argument for legislative reform.
The amendment responded directly: a violation now accrues once per person, per method of collection or disclosure — not once per capture event. Repeated scans through the same collection method against the same person count as a single violation for damages purposes.
What Actually Changed
Damages no longer stack per scan
A facial-recognition login system used daily by an employee for a year is now, at most, a single violation for that collection method — not hundreds. This is the amendment's core effect and the one most relevant to AI vendors with high-frequency biometric touchpoints.
Electronic signatures now satisfy the written-consent requirement
BIPA requires a written release before biometric collection. The amendment confirms an electronic signature satisfies that requirement, removing ambiguity that had complicated purely digital consent flows for AI products.
What Didn't Change
The amendment is narrower than headlines sometimes suggest. It did not touch:
- Per-violation damages amounts — $1,000 for negligent violations and $5,000 for reckless or intentional violations remain in place; only the counting method changed.
- Written notice and consent requirements — companies must still inform individuals in writing of the collection purpose and retention schedule and obtain a written release before capturing biometric data.
- The private right of action — individuals can still sue directly without needing to show actual injury beyond the statutory violation itself, and class actions remain the dominant enforcement mechanism.
- Retention and destruction obligations — biometric data must still be destroyed within the statutory window once the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the company.
- Multiple collection methods, multiple violations — a company using both facial recognition and voice biometrics against the same person can still face separate violations for each distinct method.
What This Means for AI Vendors
For AI companies building facial recognition, voice authentication, gaze tracking, or any tool that processes biometric identifiers, the amendment reduces the worst-case tail risk from runaway per-scan damages calculations — a meaningful relief for high-frequency use cases like login authentication or continuous monitoring. But it does not reduce the underlying compliance burden: notice, consent, a public retention policy, and defensible data-handling practices are still mandatory, and class-action exposure on a per-person, per-method basis can still reach significant aggregate figures across a large user base.
Compliance Checklist Post-Amendment
Biometric compliance is one part of a larger risk surface
RatedWithAI scans your web properties for the accessibility and compliance gaps that turn into complaints. Start with a free scan.
Scan Your Site for Free →Frequently Asked Questions
Does the BIPA amendment lower the $1,000–$5,000 per-violation damages figures?
No. The dollar amounts per violation are unchanged. What changed is how a 'violation' is counted — once per person, per collection method, rather than once per individual scan or capture event.
Can a company still face a large class-action settlement under BIPA?
Yes. With statutory damages calculated per person per method and no cap on class size, aggregate exposure across a large user base can still reach tens of millions of dollars, even without per-scan stacking.
Does the amendment apply to biometric data collected before 2024?
Courts have generally treated the change as applying prospectively. Conduct and violations predating the amendment's effective date should be assessed under the prior interpretation — don't assume retroactive relief without legal review.
Is a click-through consent checkbox enough under the amended law?
The amendment confirms electronic signatures satisfy the written-release requirement, but the release must still be informed — disclosing the specific purpose and retention period for the biometric data. A generic terms-of-service checkbox without that specificity remains legally risky.