Sued Under BIPA? After the 2024 Amendment, the Demand Letter’s Damages Math No Longer Adds Up

|

The demand letter usually starts with a fingerprint. Your employees clock in and out on a biometric time clock, the way millions of workers do, and a plaintiff’s lawyer has noticed. The complaint says the company collected those fingerprints without the written consent the Illinois Biometric Information Privacy Act requires, and then it multiplies. Every scan, by every employee, on every shift, across years, becomes a separate violation, each one tagged at $1,000 or $5,000, and the spreadsheet at the bottom of the letter reaches a figure that looks like the entire value of the company. The message is the one every BIPA demand is built to send. Settle now, because trial would be extinction.

That math is built to look fixed. It is not, and since August 2024 it is wrong on its face. The Illinois legislature amended BIPA that month, and the year before, the Illinois Supreme Court had already said that the damages a plaintiff demands are not the damages the statute commands. The company’s real exposure under the law the courts are actually applying today is a fraction of the number on the demand letter, and understanding why changes the entire posture of the case.

BIPA, codified at 740 ILCS 14, requires a business to give written notice and obtain a written release before it collects a person’s fingerprint, faceprint, or other biometric identifier, and section 20 sets liquidated damages of $1,000 for a negligent violation and $5,000 for one that is intentional or reckless, plus attorney’s fees. The Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that a person need not prove any actual injury beyond the statutory violation to sue, which is the holding that keeps these cases alive in state court and the premise on which every demand letter is built. The defense begins where that premise ends.

The first development is the one the demand letters hope you have not read. In August 2024, by Public Act 103-0769, Governor Pritzker signed the first amendment to BIPA since the statute was enacted in 2008. It changed section 20 so that a business that repeatedly collects the same biometric identifier from the same person by the same method commits a single violation, for which the person is entitled to at most one recovery. The per-scan multiplier, the engine that drives the demand letter’s spreadsheet, is gone for conduct going forward. A daily fingerprint clock-in, counted thousands of times across a class, is now one violation for each employee rather than thousands. Courts are still divided over whether the amendment reaches conduct that predates it, so a case built entirely on older scans is contested ground rather than a closed door, but the direction of the law is unmistakable.

The second development came from the Illinois Supreme Court itself. In Cothron v. White Castle System, while holding that a fresh claim accrues with each scan, the court held that BIPA damages are discretionary rather than mandatory. Section 20 says a prevailing party “may” recover the liquidated amounts, not that it “shall,” and the court read that word deliberately, explaining that a trial judge has discretion to fashion an award that compensates the class and deters violations without destroying the defendant’s business. The astronomical figure on the demand letter assumes a mandatory multiplication that the statute does not require, and that the state’s highest court has said it does not require.

The third development narrows where the case can even be heard. In Bryant v. Compass Group, and again in the Supreme Court’s decision in TransUnion v. Ramirez, the courts held that a bare violation of the statute’s retention and destruction policy provision is a duty owed to the public at large, not a concrete injury to a particular plaintiff, and so it cannot support standing in federal court. That distinction gives a defendant real leverage over which claims survive and in which forum they are heard.

The fourth point is the defense that ends a claim rather than shrinking it. Consent. A compliant written notice and release defeats a collection claim outright, and the 2024 amendment confirmed that an electronic signature qualifies as a written release, as does a release an employee signs as a condition of employment. Many businesses have better consent records than they assume, buried in an onboarding packet or a timekeeping vendor’s enrollment screen, and finding them early can resolve the case.

The fifth defense is the clock, and the sixth is the carve out. The Illinois Supreme Court held in Tims v. Black Horse Carriers that a five-year limitations period governs BIPA claims, which trims the class period and cuts off the oldest scans the spreadsheet counts. And the statute exempts whole categories of data and defendants. The Illinois Supreme Court read the health care exemption broadly in Mosby v. Ingalls Memorial Hospital, and financial institutions covered by the federal Gramm-Leach-Bliley Act fall outside the Act altogether.

Three moves matter in the first month. First, pull the consent records and the timekeeping vendor contracts before counsel for the class does, because whether a signed release exists, and when it was signed, reshapes the entire case. Second, identify the collection method and the date range with precision, since the single-violation cap and the five-year cutoff both turn on those facts. Third, resist the instinct to treat the demand’s number as the starting point for negotiation, because anchoring to a figure the statute no longer supports concedes the one issue most worth fighting.

A BIPA class action is a serious matter, and the consent requirements are real obligations worth meeting going forward. But the catastrophe the demand letter describes depends on a damages model that the legislature and the Illinois Supreme Court have both rejected. The companies that overpay are the ones that settle against the spreadsheet instead of against the statute.

At DiTommaso Lubin, P.C., we defend Illinois businesses against BIPA and other biometric and privacy class actions, from the first demand letter through dispositive motions, standing and removal strategy, and class certification. If a biometric class action has put a number in front of you that looks like your company’s whole valuation, the exposure under the law the courts apply today is usually far smaller. Call DiTommaso Lubin, P.C. at 630-333-0333 for a free consultation, or contact us online. We can help you measure the exposure that BIPA actually creates, not the one the demand letter imagines. This post is for general information and is not legal advice.

Contact Information
Chicago Office
19 S LaSalle St #702
Chicago, IL 60603
Phone: 630-333-0333
Mailing Address
17W220 22nd St #410
Oakbrook Terrace, IL 60181
Phone: 630-333-0333 Please direct all mail correspondence to our Oakbrook Terrace address office.
Highland Park Office
189 Whistler Rd
Highland Park, IL 60035
Phone: 630-710-4990
We accept the following credit cards
Credit Cards Accepted
We accept payment via Venmo at: @L-A-LAW
Phone: 603-333-0333
Visit our site: chicagobusinesslawfirm.com

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2026, DiTommaso Lubin, PC
JUSTIA Law Firm Blog Design