Skip to main content

Biometric Information Privacy Act News

You could file a claim if your biometric data has been collected without your permission

Nationwide Success

Investigating Biometric Invasion of Privacy Claims

Consumers and workers have filed numerous complaints, alleging that social media companies, tech companies, and employers have violated their right to privacy by collecting and selling their biometric data. As a result, lawsuits have been filed, and companies have been hit with hundreds of millions in penalties.  

Mass Tort 25

The Biometric Information Privacy Act (BIPA), meant to regulate companies’ use of biometrics, is the cornerstone piece of legislation that has led to high-value class action personal privacy lawsuits.

The Lyon Firm is reviewing class action BIPA claims and investigating privacy violations on behalf of plaintiffs nationwide. We stay current with the latest updates, including the latest Illinois BIPA amendment, making us well-equipped to represent our clients. Contact us online or call (513) 381-2333 to learn how we can defend your privacy rights. 

What Is Biometric Data?

Biometrics are unique physical or behavioral characteristics, like facial features or fingerprints, that are used to identify individuals. Today, tools for collecting biometric data are becoming increasingly advanced, allowing for detailed and speedy capture of our unique identifiers. 

Lawmakers established the Illinois Biometric Information Privacy Act (BIPA) in 2008 in response to the growing concern about collecting biometric data without disclosure or permission. Cases now include all kinds of alleged biometric technology, including multiple cases involving biometric time clocks and the unlawful collection of biometric identifiers.

According to the BIPA, biometric identifiers may include:

  • Retina or iris scan
  • Fingerprints
  • Voiceprint
  • Palmprints
  • Face geometry

What Is BIPA?

The Illinois Biometric Information Privacy Act (BIPA) stresses the need to notify individuals in writing and obtain a written release from both consumers and employees. BIPA also requires companies to make available a biometric retention schedule and prohibits profiting from such sensitive data.

Some of the more important provisions of biometric privacy laws include the following:

  • Requirements for companies to seek informed consent prior to collecting personal biometric data
  • A limitation of rights to sell or disclose collected biometric data
  • A requirement for companies to create confidentiality and data retention guidelines
  • A prohibition on profiting from collected biometric data
  • The right to legal action for individuals affected by data theft violations
  • Enacting damages from $1,000 to $5,000 per negligent or reckless violation

What Is the BIPA Statute of Limitations?

The statute of limitations is the legal timeframe within which someone can file a lawsuit. Once the deadline passes, you can no longer pursue legal action. 

In February 2023, the Illinois Supreme Court ruled that claims brought under BIPA are subject to a five-year statute of limitations. This longer time limit will benefit individuals whose biometric data has been collected without consent.


Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.


Joseph Lyon has 17 years of experience representing individuals in complex litigation matters. He has represented individuals in every state against many of the largest companies in the world.

The Firm focuses on single-event civil cases and class actions involving corporate neglect & fraud, toxic exposure, product defects & recalls, medical malpractice, and invasion of privacy.


The Firm offers contingency fees, advancing all costs of the litigation, and accepting the full financial risk, allowing our clients full access to the legal system while reducing the financial stress while they focus on their healthcare and financial needs.

Biometric Information Privacy Act News

On May 16, 2024, the Illinois legislature passed SB 2979, amending BIPA. Under this Illinois BIPA amendment, if an entity captures someone’s biometric data multiple times in the same way, the person affected can only claim damages for one violation, regardless of how many scans occurred. 

It follows a recent Illinois Supreme Court decision, Cothron v. White Castle System, Inc., which previously allowed separate damages for each instance of biometric data collection.

This update reduces the potential liability for businesses under BIPA. The amendment aims to address concerns about excessive awards and balance consumer protection with fair regulation for businesses. This change will likely influence ongoing and future BIPA litigation. 

While this is good news for businesses, it could potentially harm consumers or employees by limiting their right to seek fair compensation for repeated violations of their biometric privacy rights.

Having your biometric data gathered without your knowledge can be extremely harmful because it invades your privacy, risks identity theft, and denies you your rightful control over how your personal traits are used. 

If you’re worried about how the latest Illinois BIPA amendment could affect your claim, The Lyon Firm can address any questions or concerns. Contact us online or call (513) 381-2333 for fast and reliable answers from our team.

How Much Could I Recover in a BIPA Lawsuit?

Under BIPA, any person harmed by a privacy violation has a right to legal action. In a lawsuit, the amount someone could recover varies from case to case, which means there is no guaranteed fixed amount due to each unique situation.

Plaintiffs may be able to recover damages of up to $1,000, and for intentional or reckless violations, up to $5,000 in liquidated damages or actual damages, whichever is greater.

BIPA Lawsuit Settlements and Verdicts 

Previous settlements have been massive, and the courts have ruled favorably for victimized plaintiffs in privacy cases. Below are a few examples of how courts have held large corporations accountable for harvesting biometric data from unsuspecting individuals without permission.

Facebook Biometric Information Privacy Litigation

In 2020, a federal court in California approved a $650 million settlement in a class action lawsuit against Facebook when the company allegedly collected users’ facial geometry without following BIPA requirements.

As part of the agreement, Facebook promised to make several changes. Users who haven’t chosen to allow biometric scans, or “Facial Recognition,” will have this feature turned off by default. Also, the company pledged to delete stored face templates for class members unless they give clear permission only after the company informs them of how the templates will be used.

Additionally, Meta said it would delete its database of facial profiles but keep its underlying facial recognition algorithm.

TikTok BIPA Settlement

A judge in Illinois granted approval of a $92 million settlement involving alleged violations of the BIPA against TikTok for “harvesting and profiting” from plaintiffs’ geolocation information, personally identifiable information, and unpublished digital recordings.

Google Lawsuit Illinois 

Illinois residents banded together to pursue legal action against Google over complaints that the company’s face grouping feature, which automatically identifies your face in photos and videos uploaded to Photos, violated the Biometric Information Protection Act (BIPA). 

The Google settlement Illinois included $100 million for allegedly collecting and analyzing a person’s facial structure in connection with the face grouping tool. 

This settlement allowed people who appeared in a photo or video on Google Photos between May 2015 and April 2022 to be eligible for anywhere between $200 and $400. 

Snapchat BIPA Lawsuit Settlement 

Snap, the parent company of Snapchat, reached a $35 million settlement in a class action lawsuit that alleged the company’s filters and lens features violated the Biometrics Information Privacy Act (BIPA).

Instagram BIPA Settlement

All individuals who used Instagram between August 10, 2015, and August 16, 2023, were eligible to join a class action claim against Instagram’s parent company, Meta. 

Individuals could collect a portion of a $68.5 million settlement to resolve claims that Meta collected and stored biometric data through Instagram, violating BIPA.

Contact The Lyon Firm for more information regarding biometric consent and your privacy rights or for a free BIPA class action consultation.

Data Privacy Risks: Consequences of Biometrics Invasion of Privacy

There is always the risk of data breaches or hacks leaking sensitive information to various dark webs or forums, with the potential for fraud or identity theft. Identity theft is a major concern, and if a cybercriminal obtains fingerprints, retinal, facial, or voice data, they may pose a serious security threat. You can always change bank account numbers, but you can never change your biometrics.

Some personal information could also be abused by public or private entities for financial gain. Unethical marketers and advertisers also seek personal data to better target consumers.

Which States Have Biometric Data Privacy Laws?

Only some states currently have biometric data privacy laws, though some pending bills are making their way for approval.

The National Biometric Information Privacy Act (NBIPA) was introduced in 2020. NBIPA requires informed written consent prior to collecting or capturing biometrics and also imposes retention, disclosure, and destruction requirements. 

A map of the states with BIPA laws. In recent Biometric Information Privacy Act news, 3 states have legislation.

Above is a map showcasing the extent to which states have biometric information privacy laws. Illinois, Texas, and Washington currently have broad biometric privacy laws, with many lawsuits being filed citing violations described in the Illinois BIPA.

Twelve states have enacted data privacy laws that also cover biometric information to a certain extent. 

Also, another biometric privacy bill has been introduced by South Carolina, called the Biometric Data Privacy Act (BDPA). The BDPA incorporates existing biometric privacy statutes along with a broader range of protections. 

The BDPA requires companies to adhere to the following:

  • Notice must be provided to consumers regarding the use of biometric data at or before the time any biometric data is collected.
  • Written consent must be obtained from consumers before any biometric data is collected.
  • Reasonable data security measures must be maintained to protect consumers and employees.

Why Hire The Lyon Firm for a BIPA Case?

Contact The Lyon Firm to learn more about your privacy rights and to file a claim following data privacy violations. Our firm works diligently to identify workplace data privacy violations and represent plaintiffs in class action biometrics invasion of privacy cases. Joe Lyon works with leading law firms across the country and engages multi-national corporations in various negligent security cases.

Victims of privacy violations may face a serious risk of identity theft and may seek compensation from employers or companies that violate their privacy rights. Data privacy cases often involve hundreds or thousands of individuals, and plaintiffs can be rewarded with large settlements.

The Lyon Firm is currently involved in Class Action Data Breach & Data Privacy litigation and offers free, confidential consultations to plaintiffs nationwide. Contact us online or call (513) 381-2333  for an invasion of privacy or data theft case review.

photo of biometrics data privacy attorney Joe Lyon

Reviewing Biometric Privacy Violations

Why Are Data Privacy Cases Important?

Without personal data privacy violation class actions, large corporate defendants would be able to cause small amounts of harm to a large group of individuals without any risk of monetary penalty. By holding companies accountable for safely storing your personal information, every consumer will have more control over how their data is used in the future. 


  • This field is for validation purposes and should be left unchanged.

FAQ: BIPA Lawsuits

What is a Biometric Identifier?

A recent privacy bill in Maryland proposes that a biometric identifier is defined as “data of an individual generated by automated measurements of an individual’s biological characteristics.” This could include fingerprints, voiceprints, DNA, retina or iris images, or any other unique biological characteristic used to uniquely authenticate an individual’s identity.

Who is liable for data privacy violations?

Under current privacy law, the firm or organization that is storing user data is responsible for data breaches and will pay any fines or damages that are the result of legal action. The actual data holder—an organization that provides cloud storage—is not usually legally implicated or held responsible in litigation. 

What are some examples of data privacy lawsuits?

The majority of BIPA lawsuits are filed against employers who utilize biometric timekeeping systems with fingerprint or facial recognition scans and collect employee biometric data.

BNSF was found guilty of violating the privacy of 45,000 truck drivers, and plaintiffs were awarded  $228 million. BNSF violated the Illinois BIPA after they were accused of using a fingerprint system that allowed drivers to access railyards for pickups and drop-offs but did not obtain written consent.

Motorola, Clearview AI, and Vigilant are facing legal action for allegedly collecting mugshots that were used by law enforcement. Microsoft, Amazon, Alphabet, and FaceFirst Inc. are alleged to have violated privacy laws by collecting photos for facial recognition data from the website Flickr.

A proposed class action alleges Ring, LLC, has failed to protect the privacy of its motion-activated cameras and the personal information of its customers. The complaint alleges Ring’s devices are rife with security vulnerabilities, which may compromise the personal data of existing and future customers.

Cybercriminals may have the potential to hack into Ring devices and home networks. The lawsuit also brings to light the fact that Ring has shared users’ personal identifying information with third parties without first obtaining prior consent. The complaint says the devices are not well-equipped to deal with potential hacks.

Plaintiffs in the case want Ring to take additional security measures to protect the privacy of user accounts and installed devices, as well as stop sharing personal data without clear and informed consent.

Reports have surfaced that several user accounts and devices were hacked, and plaintiffs argue the company was late in addressing security issues.

Beyond the security issues, Ring permits third parties to track users, raising eyebrows from consumer safety and data privacy advocates.

Octapharma agreed to pay $10 million to settle a class action lawsuit regarding fingerprint scans of plasma donors, which violated the Illinois biometric privacy.

Is my genetic information protected?

The GIPA (Genetic Information Nondiscrimination Act) is a statute that expands on privacy laws, originally drafted under the Health Insurance Portability and Accountability Act (HIPAA). This act is largely concerned with the privacy of Americans’ genetic information. GIPA includes requirements applicable to genetic testing companies, health care providers, business associates, insurers, and employers.

  • Under GIPA, genetic testing and personal information derived from genetic testing are confidential and may only be released to the individual tested or other persons specifically authorized to receive the information.
  • An insurer may not seek genetic testing information for use in connection with insurance. Insurers may not use or disclose genetic information for underwriting purposes or to determine eligibility for benefits under a plan, coverage, or policy.
  • Companies providing commercial genetic testing are prohibited from sharing any genetic information or other personal information about a consumer with any health or life insurance company.
  • Employers must treat DNA and other genetic information consistent with the requirements of federal law and under GIPA.
  • Employers may not require or purchase genetic testing or genetic information or administer a genetic test to a person as a condition of employment.
  • Employers cannot use genetic information or genetic testing for workplace wellness programs unless the employee provides written authorization under GIPA.
Is facial recognition technology legal?

Yes, but consent is required to use a person’s biometrics. 

Meta Platforms, the parent company of Facebook, said it was ending the facial recognition system it used to identify people in posted images. The company is trying to limit a public relations crisis on several fronts, and facial recognition has become an increasingly toxic concept.

Meta’s facial recognition tech decision follows Microsoft Corp. and Inc., both of whom restricted the use of their facial recognition by law enforcement agencies. Several municipalities in the U.S. have passed legislation limiting the use of facial recognition technology, and privacy attorneys are calling for further restrictions, which can easily be abused by private companies.

What is a voiceprint?

A voiceprint is a unique biometric identifier. Voice recognition technology can identify specific individuals when a voice sample is saved by a company for various reasons. 

Walmart is facing an Illinois biometrics privacy law class action in which the retailer is accused of improperly recording and tracking the “voiceprints” of workers at warehouses.

Walmart and other large retailers use voiceprints and voice technology in their fulfillment and distribution centers. Voiceprints, however, are considered biometrics and subject to the Illinois Biometric Information Privacy Act (BIPA). The collection and storage of voiceprints is the primary issue, and plaintiffs say these ought to be destroyed.

Walmart allegedly violated the BIPA law by failing to obtain written authorization from workers before requiring them to scan their voiceprints.

The lawsuit argues Walmart did not provide necessary notices to workers, such as how the company would use the voice records or how they would be saved, shared, or ultimately deleted from company systems.

Your Right to Justice
Learn About Class Action Litigation

Filing Class Action lawsuits is a complex and serious legal course and can carry monetary sanctions if proper legal course is not followed. The Lyon Firm is dedicated to assisting injured plaintiffs work toward a financial solution to assist in compensating for privacy violations or other damages sustained.

We work with law firms across the country to provide the most resources possible and to build your data privacy case into a valuable settlement. The current legal environment is favorable for workers and consumers involved in data privacy class actions.