The Illinois Biometric Information Privacy Act (“BIPA” or “the Act”) is one of the most restrictive biometric privacy laws in the United States. Consumers have obtained over $800 million in BIPA settlements from Meta, Google, and TikTok alone.1 However, a recent decision from the U.S. Court of Appeals for the Third Circuit, and another pending in the U.S. Court of Appeals for the Seventh Circuit, shed light on how much leeway the Act may give to defendants facing BIPA lawsuits under its so-called “financial-institution” exemption.

This article provides background on BIPA’s enforcement, including recent developments in how courts interpret its financial-institution exemption. Further, it provides insights on potential litigation risks for companies handling individual biometric data or working with business partners who do so.

I. BIPA is enacted in 2008, and an explosion of litigation follows.

The Illinois legislature enacted BIPA to protect consumer privacy by regulating the collection and use of biometric data.2 Biometric data is information that describes and classifies certain human biological, physical, or behavioral characteristics, such as fingerprints and facial geometry. Its use is ubiquitous in modern society, and billions of consumers worldwide rely on its convenience. The appeal is unsurprising: placing a thumb on a screen is faster and easier than entering a complex password. But with convenience comes heightened risk. Unlike a password or a Social Security number, a biometric identifier is effectively immutable: a compromised password can be reset and a Social Security number reissued, but a fingerprint cannot be changed. A data breach affecting consumer biometric information therefore creates a lasting risk of identity theft.3

BIPA obligates private entities that collect or use biometric data to adopt a public retention-and-destruction policy, obtain informed written consent before collecting biometric identifiers, protect data using reasonable security measures, and take other actions to safeguard biometric data.4 Further, it bars entities from selling, profiting from, or disclosing biometric data without informed consent or a statutory exemption.5 BIPA allows recovery of $1,000 per negligent violation and $5,000 per reckless or intentional violation.6

Before BIPA was amended in 2024, Illinois courts treated each instance of biometric data collection or use as an independent violation of the Act.7 This exposed defendants to billions of dollars in potential damages, particularly in class actions.8 In 2021, TikTok’s parent company, ByteDance, settled a BIPA class action for $92 million based on its use of face and voice data through the TikTok app.9 In 2022, Google settled an Illinois BIPA class action for $100 million in connection with its use of facial recognition technology without express consent.10

II. In 2024, the BIPA tide turns toward defendants.

In 2024, the Illinois legislature, by amendment,11 and the Illinois Supreme Court, in Mosby v. Ingalls Memorial Hospital,12 reined in BIPA’s exceedingly plaintiff-friendly apparatus.13 The amendment limited damages under BIPA to one violation per person,14 and Mosby declined to extend BIPA’s protections to patients and healthcare workers whose information is governed under HIPAA.15

Most recently, McGoveran v. Amazon Web Services,16 a May 2026 decision from the U.S. Court of Appeals for the Third Circuit, suggests that another defendant-friendly shift under BIPA is on the horizon.

III. Recent developments under BIPA’s financial-institution exemption create uncertainty and risk for defendants outside the financial industry.

a. BIPA Section 25(c): the financial-institution exemption.

Under Section 25(c) of BIPA, financial institutions subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 (the “GLBA”) are exempt from BIPA liability.17 The GLBA, like BIPA, obligates financial institutions to protect their customers’ privacy and nonpublic personal information.18 The GLBA defines “financial institution” as “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 [12 USCS § 1843(k)].”19 In turn, the Bank Holding Company Act recognizes several activities that are “financial in nature,” including lending, exchanging, insuring, and dealing in securities,20 providing financial, investment, or economic advisory services,21 and engaging in any activity that the Federal Reserve Board determines is “closely related to banking or managing or controlling banks.”22

b. Defendants face mixed results when moving to dismiss BIPA claims under Section 25(c) at the pleadings stage.

BIPA’s financial-institution exemption was first examined by the U.S. District Court for the Southern District of Illinois in the 2020 case Stauffer v. Innovative Heights Fairview Heights, LLC.23 In Stauffer, an employee sued her employer, Innovative Heights, for collecting, storing, and using employee fingerprint data in violation of BIPA.24 During discovery, the employee learned that another company, Pathfinder, controlled and operated the system containing employees’ fingerprint data.25 She then amended her complaint to assert a BIPA claim against Pathfinder. Pathfinder moved to dismiss the BIPA claim on several grounds, including Section 25(c)’s financial-institution exemption. The Court declined to conclude at the motion-to-dismiss stage that Pathfinder was a financial institution exempt under BIPA.26 In denying Pathfinder’s motion, the Court explained that Pathfinder described itself as a “leader in the entertainment software industry,” not as a financial institution, and had not shown that it engaged in the type of activities that would subject it to the GLBA.27

In a BIPA suit before the U.S. District Court for the Northern District of Illinois, defendant Northwestern University claimed it was exempt under BIPA’s financial-institution exemption.28 As in Stauffer, the Court’s decision turned on whether the defendant’s activities were financial in nature.29 The Court relied on three sources: the Federal Trade Commission’s GLBA Privacy of Consumer Financial Information Rule, which recognizes colleges and universities as financial institutions if they “appear to be significantly engaged in lending funds to consumers[,]”30 the GLBA’s “broad definition”31 of financial institution, and publicly available documents confirming that Northwestern is significantly engaged in lending funds to consumers.32 On that basis, the Court concluded that Northwestern is exempt from BIPA under Section 25(c).33

c. The Third Circuit upholds dismissal of BIPA claims against a technology company at the pleading stage, based on the Act’s financial-institution exemption.

In McGoveran, Illinois consumers filed a putative class action under BIPA in the Circuit Court for the Third Judicial Circuit in Madison County, Illinois.34 The consumers alleged that when they called John Hancock, a financial services company, about their retirement accounts, their calls were routed through Amazon Connect, which employed Pindrop Security, Inc. (“Pindrop”) to authenticate callers by voiceprint without obtaining their consent.35 After an arduous procedural journey,36 the plaintiffs filed a similar suit in the U.S. District Court for the District of Delaware.37 The district court dismissed the BIPA claim against Pindrop, citing the financial-institution exemption.38

The consumers appealed to the U.S. Court of Appeals for the Third Circuit, which upheld the district court’s dismissal of the BIPA claim against Pindrop based on the financial-institution exemption.39 As in Doe v. Northwestern University,40 where the Chicago federal district court relied in part on a Federal Trade Commission rule to conclude Northwestern is a financial institution,41 in McGoveran, the Third Circuit cited a Federal Reserve Board regulation,42 which provides that “authenticating the identity of persons conducting financial and nonfinancial transactions” is an activity “so closely related to banking as to be a proper incident thereto.”43

The Third Circuit’s ruling is the most recent indication that BIPA’s financial-institution exemption may extend beyond traditional financial institutions such as banks and insurance companies to entities outside the financial industry. McGoveran shows that defendants can obtain dismissal of BIPA actions under the financial-institution exemption at the pleadings stage, and dismissal before discovery can spare businesses significant costs. However, the Third Circuit does not have the final say on the scope of BIPA’s financial-institution exemption. Businesses should be mindful that Illinois courts may decline to expand Section 25(c) beyond the GLBA’s traditional domain.

d. The Seventh Circuit may weigh in on the scope of BIPA’s financial-institution exemption later this summer.

The Seventh Circuit is considering the scope of BIPA’s financial-institution exemption in Cisneros v. Nuance Communications, Inc.44 Like McGoveran, Cisneros concerns whether the defendant, an authentication vendor that supplies customer identity verification to Charles Schwab, is exempt under Section 25(c).45 The U.S. District Court for the Northern District of Illinois held that the vendor is exempt under BIPA because its services are used to authenticate consumers engaged in financial transactions.46

IV. Prepare for Compliance

At this time, companies that do not fit the GLBA’s traditional definition of financial institution will continue to face litigation risk under BIPA. Illinois courts may decide to construe the financial-institution exemption narrowly to promote BIPA compliance. In light of the uncertainty around the exemption’s reach, businesses outside the financial industry should monitor developments in this area of law and examine their biometric data practices.

Even traditional financial institutions—such as banks, brokerage firms, and credit unions—should remain attentive to BIPA’s requirements and engage their external business partners on how those partners collect, use, and safeguard biometric data. Litigation against an external business partner, such as an authentication service provider, may still expose your company to significant operational, financial, and reputational risk under BIPA.

V. How Dorsey Can Help

Dorsey has an experienced team dedicated to advising companies working with biometric data. Please contact Jose Lopez and Noor Hasan to discuss how Dorsey can help your company navigate compliance and litigation risk under BIPA and its evolving landscape.
1 See Maurice Wells, Biometric Backlash: The Rising Wave of Litigation Under BIPA and Beyond, Epstein Becker Green: Commercial Litigation Update (Aug. 21, 2025), https://www.commerciallitigationupdate.com/biometric-backlash-the-rising-wave-of-litigation-under-bipa-and-beyond.

2 See 740 Ill. Comp. Stat. Ann. 14/15.

3 S.B. 2400, 95th Gen. Assemb., Reg. Sess. (Ill. 2008).

4 740 Ill. Comp. Stat. Ann. 14/15(a)–(b), (d)–(e).

5 740 Ill. Comp. Stat. Ann. 14/15(c).

6 740 Ill. Comp. Stat. Ann. 14/20(a).

7 Wells, supra note 1.

8 Patrick McKnight, Historic Biometric Privacy Suit Settles for $650 Million, ABA Business Law Sec. (Jan. 28, 2021), https://www.americanbar.org/groups/business_law/resources/business-law-today/2021-february/historic-biometric-privacy-settlement.

9 Wells, supra note 1.

10 Id.

11 S.B. 2979, 103d Gen. Assemb., Reg. Sess. (Ill. 2024).

12 234 N.E.3d 110 (2023).

13 Hana Ferrero, COMMENT: Identifiable to Whom? Clarifying Biometric Privacy Rights in Illinois and Beyond, 92 U. Chi. L. Rev. 1027, 1042–53 (2025).

14 740 Ill. Comp. Stat. Ann. 14/20.

15 234 N.E.3d 110, 123.

16 175 F.4th 434 (3d Cir. 2026).

17 740 Ill. Comp. Stat. Ann. 14/25(c).

18 See 15 U.S.C. § 6801(a).

19 See 15 U.S.C. § 6809(3)(A).

20 See 12 U.S.C. § 1843(k)(4)(A).

21 See id. § 1843(k)(4)(C).

22 Id. § 1843(k)(4)(F).

23 480 F. Supp. 3d 888 (S.D. Ill. 2020).

24 Id. at 894.

25 Id.

26 Id. at 903–05.

27 Id.

28 Doe v. Nw. Univ., 586 F. Supp. 3d 841, 843 (N.D. Ill. 2022).

29 Id. at 843.

30 Id.

31 Id. (citing 15 U.S.C. § 6809(3)).

32 Id. (Fed. Student Aid Office, U.S. Dep’t of Educ., Dear Colleague Letter: Protecting Student Information, GEN-15-18 (July 29, 2015), https://fsapartners.ed.gov/knowledge-center/library/dear-colleague-letters/2015-07-29/protecting-student-information).

33 Id.

34 See McGoveran v. Amazon Web Servs., 488 F. Supp. 3d 714, 716 (S.D. Ill. 2020).

35 Id. at 717.

36 Amazon initially removed the case to the U.S. District Court for the Southern District of Illinois. The federal district court dismissed the case for lack of personal jurisdiction. Id. at 724.

37 Compl., McGoveran v. Amazon Web Servs. Inc., Case No. 1:20-cv-01399-UNA (D. Del. Oct. 16, 2020), ECF No. 1. U.S. District Judge Leonard Stark granted the defendants’ motion to dismiss based on extraterritoriality. Order on Mot. to Dismiss, McGoveran v. Amazon Web Servs. Inc., Case No. 1:20-cv-01399-UNA (D. Del. Sept. 30, 2021), ECF No. 35. The consumers then amended their complaint against Amazon and Pindrop. First Am. Compl., McGoveran v. Amazon Web Servs. Inc., No. 1:20-cv-01399-LPS (D. Del. Feb. 17, 2022), ECF No. 47.

38 McGoveran v. Amazon Web Servs., No. 1:20-cv-01399-SB, 2023 WL 2683553, at *12 (D. Del. Mar. 29, 2023).

39 McGoveran v. Amazon Web Servs., 175 F.4th 434 (3d Cir. 2026).

40 586 F. Supp. 3d 841 (N.D. Ill. 2022).

41 Id. at 843.

42 McGoveran, 175 F.4th at 434 (referencing 12 C.F.R. § 225.86(a)(2)(iii)).

43 12 C.F.R. § 225.86(a)(2)(iii).

44 Cisneros v. Nuance Commc’ns, Inc., No. 24-2982 (7th Cir.).

45 Cisneros v. Nuance Commc’ns, Inc., No. 1:21-cv-04285, 2024 WL 5703970, at *6 (N.D. Ill. Oct. 4, 2024).

46 Id. at *8.