Biometric Privacy

State of play.

• The Seventh Circuit has structurally reset BIPA damages exposure. In Clay v. Union Pacific Railroad Co., the court unanimously held that Illinois's 2024 per-person damages cap applies retroactively to all pending cases, reversing three Northern District decisions and eliminating the per-scan multiplier that had generated billion-dollar class exposure (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases, 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• Biometric exposure has expanded into fashion, beauty, and wearables, where virtual try-on facial mapping and body scanning now qualify as sensitive personal information under omnibus state privacy laws in California, Connecticut, Indiana, Kentucky, Rhode Island, Washington, and Nevada—converting product features into consent and data-minimization obligations (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• Non-consensual biometric manipulation is generating right-of-publicity litigation. The Meete dating app suit alleges a systematic scheme of repurposing women's public social media content with synthetic voiceovers and geotargeted delivery—testing how courts treat commercial manipulation of publicly posted biometric likenesses (→ College Student Sues Meete Dating App for Repurposing Her TikTok Video in Ads).
• DHS is deploying AI-driven biometric surveillance at scale, purchasing biometric data from commercial brokers to bypass Fourth Amendment warrant requirements, with Palantir holding a $1 billion data analysis contract (→ US Gov Expands AI Surveillance via DHS Funding and Data Broker Purchases).
• For counsel advising employers with pending BIPA litigation, the practical baseline is: immediately reassess settlement valuations and class certification strategy under the per-person damages cap, while preserving Section 15 notice-and-consent compliance as the remaining live exposure.

Where things stand.

• BIPA's damages architecture has shifted from per-scan to per-person. The Seventh Circuit's Clay decision classifies the 2024 amendment (P.A. 103-0769) as procedural and remedial, not substantive—making it retroactive to all pending cases under Illinois law. Section 15 compliance obligations (notice, consent, data handling) remain intact; only Section 20 damages are capped (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases, 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• The Seventh Circuit's ruling binds federal courts in Illinois, Indiana, and Wisconsin but does not bind Illinois state courts. State court BIPA litigation may reach different retroactivity conclusions, preserving a forum-selection variable for plaintiffs (→ 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• BIPA compliance obligations remain fully enforceable. The damages cap does not affect Section 15's requirements for written policy, notice before collection, and consent—the predicate liability that still supports class certification and settlement leverage (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases).
• Omnibus state privacy laws have reclassified biometric data from consumer-tech features into sensitive personal information. Virtual try-on facial mapping, body scanning, and wearable health data now trigger consent, data-minimization, and handling obligations under laws in at least seven states—with state AG enforcement of cookie and pixel-tracking practices already active across the sector (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• AI training data pipelines are a distinct and growing biometric exposure vector. The Mercor litigation tests whether data brokers supplying AI companies can collect and share facial biometric data from contractors without adequate consent, and what downstream liability attaches to AI firms that receive that data (→ Workers File 7 Class-Action Lawsuits Against Mercor Over Data Breach Exposure[1][2]).
• Government biometric surveillance is expanding through commercial data broker purchases, exploiting a legal gap in which consent-based loopholes in user agreements allow DHS and FBI to acquire biometric records without warrants (→ US Gov Expands AI Surveillance via DHS Funding and Data Broker Purchases).
• Wearable technology is producing bystander-consent litigation. Class actions in three federal districts target Meta's Ray-Ban smart glasses over secret filming, contractor data sharing with Sama for AI training, and deceptive marketing—with a case management conference and discovery expected to accelerate .
• Age verification statutes are creating a new biometric collection mandate. More than half of U.S. states have enacted age verification or digital ID requirements; federal legislation is advancing. The systems require collection of biometric or government ID data, creating centralized breach risk that 438 researchers have publicly documented .
• Global iris-scan identity infrastructure is scaling into enterprise platforms. Tools for Humanity's World ID 4.0 integrates with Zoom, DocuSign, and Tinder, using zero-knowledge proofs and iris scans to verify human identity—but has encountered regulatory blocks in multiple jurisdictions over biometric data practices (→ Tools for Humanity unveils World ID 4.0 with Zoom, DocuSign, Tinder integrations).

Latest developments.

• Virtual try-on facial mapping and body scanning classified as sensitive personal information under omnibus state privacy laws in seven states, with state AGs actively investigating cookie and pixel-tracking practices in the fashion, beauty, and wearable tech sectors; wearable health data (stress, sleep, menstrual cycles) regulated outside HIPAA by Connecticut and Washington (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• Meete dating app sued in Tennessee state court for repurposing a college student's public TikTok video with a synthetic voiceover and geotargeted Snapchat delivery near her dormitory; claims include misappropriation of likeness, right of publicity violations, and emotional distress; investigator evidence suggests a systematic multi-victim scheme (→ College Student Sues Meete Dating App for Repurposing Her TikTok Video in Ads).

Active questions and open splits.

• Federal court vs. Illinois state court retroactivity. The Seventh Circuit's Clay ruling binds federal courts but not Illinois state courts, which may treat the 2024 damages cap as prospective only—creating a live forum-selection question for plaintiffs' counsel and a split-track risk for defendants with cases in both venues (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases, 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• Class certification viability under the per-person cap. With per-scan multipliers eliminated, amount-in-controversy thresholds and class action economics are materially altered—whether courts will decertify pending classes or plaintiffs will restructure claims is unresolved (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases).
• Public social media content as biometric raw material. The Meete litigation tests whether the public nature of an original post strips a plaintiff of biometric likeness rights when a defendant commercially manipulates and recontextualizes it with synthetic audio and geotargeted delivery—no settled doctrine governs this intersection of right of publicity and non-consensual deepfake use (→ College Student Sues Meete Dating App for Repurposing Her TikTok Video in Ads).
• AI training data as biometric collection triggering BIPA and analogues. The Mercor litigation tests whether facial biometric data collected through contractor monitoring software and shared with AI model developers constitutes a BIPA-cognizable collection—and what downstream liability attaches to the AI firms receiving it (→ Workers File 7 Class-Action Lawsuits Against Mercor Over Data Breach Exposure[1][2]).
• Bystander consent in wearable surveillance. The Meta Ray-Ban litigation will test whether product terms of service satisfy disclosure obligations to third parties who are filmed without knowledge, and whether contractor data handling for AI training creates independent liability .
• Commercial data broker sales to government as Fourth Amendment workaround. DHS's biometric data purchases from brokers exploit a consent-loophole gap that no court has definitively closed—whether Carpenter v. United States extends to biometric broker purchases remains unresolved (→ US Gov Expands AI Surveillance via DHS Funding and Data Broker Purchases).
• Age verification mandates vs. First Amendment and privacy doctrine. The technical consensus against centralized age verification systems has not slowed legislative momentum; whether courts will apply strict scrutiny to biometric ID collection requirements for online access remains contested across circuits .

What to watch.

• Whether Illinois state courts follow the Seventh Circuit's retroactivity holding in Clay or treat the 2024 damages cap as prospective—a split would create parallel litigation tracks with divergent settlement economics.
• Whether the volume of BIPA filings declines materially following Clay, or whether plaintiffs' counsel pivots to state court or reframes claims to preserve class economics.
• How Tennessee state court treats the Meete misappropriation claims—particularly whether the public nature of the original TikTok post limits right-of-publicity recovery when the defendant adds synthetic audio and geotargeted commercial delivery.
• Discovery in the Mercor class actions for what contractual language governed biometric data sharing with OpenAI, Anthropic, and Meta, and whether AI firms face direct liability as downstream recipients.
• The June 2026 case management conference in the Meta Ray-Ban litigation and any early rulings on bystander-consent standing.
• Whether state AG enforcement actions against fashion and beauty tech companies over virtual try-on biometric data materialize following the omnibus privacy law reclassification.