BIPA Damages Clarification
High Impact — This regulatory change has broad implications for employers. Review your compliance posture promptly.
Overview
Illinois Supreme Court ruled in Cothron v. White Castle that each biometric scan (fingerprint, facial recognition) can constitute a separate BIPA violation, significantly increasing potential employer liability. Employers must obtain written consent before collecting any biometric data. (Cothron v. White Castle)
This regulatory update carries high impact for employers in Illinois. Below, we cover the key requirements, compliance timeline, practical implications, and recommended next steps.
Key Requirements
Requirements at a Glance
Key provisions of this regulatory update:
- Illinois Supreme Court ruled in Cothron v. White Castle that each biometric scan (fingerprint, facial recognition) can constitute a separate BIPA violation, significantly increasing potential employer liability
- Employers must obtain written consent before collecting any biometric data
Who Is Affected and Where This Applies
This applies to employers operating in Illinois.
Industries affected: healthcare, construction, manufacturing, transportation. This update is relevant across multiple sectors. Employers should assess applicability based on their specific workforce, operations, and regulatory exposure.
Background and Context
The Privacy Regulatory Landscape
Employee health data privacy has become an increasingly complex and high-stakes compliance area. At the federal level, HIPAA provides protections for protected health information (PHI) in healthcare settings, but employer-held records from occupational health screenings, drug tests, and fitness-for-duty exams often fall outside HIPAA's coverage. State laws like Illinois's Biometric Information Privacy Act (BIPA), Texas's Capture or Use of Biometric Identifier Act (CUBI), and Washington's biometric consent statutes create additional obligations with per-violation penalty structures.
The litigation landscape around employee health data has expanded dramatically. Courts in Illinois have ruled that BIPA violations accrue per scan — not per person — allowing statutory damages to multiply rapidly. For employers conducting biometric screenings, drug tests, and health assessments, the data collection, storage, consent, and retention practices surrounding these activities carry material financial exposure. Multi-state employers face the additional challenge of complying with different retention schedules and consent requirements across each jurisdiction.
Why This Matters for Employers
This is a high-impact regulatory change with broad implications. While this is specific to Illinois, it reflects a regulatory trend that other states are likely to follow. Employers should not wait until the enforcement date to begin compliance planning — the time to assess your exposure and update your programs is now.
Cross-industry impact: This update affects employers across multiple sectors, including healthcare, construction, manufacturing, and transportation. Each industry may face different compliance burdens depending on their existing programs and workforce composition. Multi-site employers should coordinate their response across locations to ensure consistent compliance.
For HR directors, safety managers, and compliance officers, this update should trigger a review of current written programs, training records, and standard operating procedures. The cost of proactive compliance is almost always lower than the cost of responding to violations, litigation, or workplace incidents after the fact.
Penalties for Non-Compliance
Health data privacy violations carry substantial financial exposure. Penalties vary by statute and jurisdiction, but the potential for per-scan or per-record damages can compound rapidly — particularly in class-action litigation.
- $5,000: BIPA per intentional violation
- $25,000: CUBI per violation (TX)
- $2,067,813: HIPAA maximum per category, per year
What Employers Should Do Now
Your Compliance Action Plan
1. Audit your data collection practices
2. Review consent and notice procedures
3. Update your data retention schedules
4. Restrict and document data access
5. Engage legal counsel
6. Set calendar reminders
Related Compliance Updates
- Employee Medical Records Retention — Privacy, Federal (Dec 2023)
- Capture or Use of Biometric Identifier Act — Privacy, Texas (Dec 2024)
- AB 2188: Pre-Employment Drug Testing Restrictions for Cannabis — Drug Testing, California (Dec 2023)
Source: Official Legislation · Verified 2026-02-03
This article is part of BlueHive Compliance Watch, which monitors occupational health regulations across all 50 states and federal agencies.