When Amazon built a “virtual try-on” feature that let shoppers see how glasses and accessories would look on their faces, it almost certainly didn’t have a Chicago plaintiff firm in mind. It does now and this is a trend where privacy laws are costing business owners millions of dollars (a recent Gartner survey had it at over $3 billion for the industry last year). Firms in Chicago like Keogh Law and Almeida law find privacy violations and ask you nicely to fix it and if you don’t you may have to contend with expensive litigation.
A Firm Defined by One Illinois Statute
Keogh Law, Ltd. is a Chicago-based plaintiff boutique with a focused, and increasingly formidable, practice built around the Illinois Biometric Information Privacy Act (BIPA). Led by founding attorney Keith J. Keogh and litigated alongside partners including Theodore H. Kuyper and Timothy J. Sostrin, the firm has carved out a reputation as one of the more persistent and technically prepared BIPA plaintiff firms operating in the Northern District of Illinois and beyond.
The firm’s address—55 West Monroe Street, Suite 3390, Chicago—places it squarely in the legal ecosystem that has made Illinois the national epicenter of biometric privacy litigation. BIPA, enacted in 2008, gives Illinois residents private rights of action against any entity that collects, stores, uses, or shares their biometric data without complying with specific notice, consent, and data retention requirements. Keogh Law has spent years turning that private right into class action leverage.
The firm’s practice isn’t confined to biometrics—it handles VPPA, CIPA, and consumer fraud claims as well—but BIPA has become its signature, and the cases the firm has assembled illustrate the full range of industries and technologies the statute reaches. Firms like Almeida focus on ECPA lawsuits where healthcare data leaked triggers a HIPAA violation and class action status.
BIPA in Brief: Why This Statute Creates Extraordinary Exposure
Before examining Keogh Law’s docket, it’s worth understanding why BIPA produces the cases it does.
The statute requires that any private entity collecting biometric identifiers—fingerprints, retina and iris scans, voiceprints, face geometry, and hand geometry—must:
- Publish a publicly available retention and destruction policy before collection begins
- Inform subjects in writing of the specific biometric data being collected and its purpose
- Obtain a written release before collection
- Refrain from selling, leasing, trading, or otherwise profiting from biometric data
- Protect biometric data using the same standard of care as other sensitive confidential information
- Destroy the data within three years or when the purpose for collection ends, whichever is first
The penalties are what make BIPA extraordinary: $1,000 per negligent violation, $5,000 per intentional or reckless violation, plus attorneys’ fees. There is no cap. There is no proof of actual harm required. Each collection event from each class member can be counted as a separate violation. In a class of tens of thousands—or hundreds of thousands—the aggregate exposure can reach into the billions of dollars.
Illinois courts have read these provisions broadly. The Illinois Supreme Court held in Cothron v. White Castle System (2023) that each individual scan or transmission of biometric data constitutes a separate, accruing violation—a decision that has since driven a wave of renewed litigation activity, with firms like Keogh Law well positioned to take advantage of it.
The Cornerstone Case: Svoboda v. Amazon.com
Keogh Law’s most significant active BIPA matter is Svoboda v. Amazon.com, Inc., which has been litigated across three venues and is currently on appeal at the Seventh Circuit.
The case targets Amazon’s “virtual try-on” feature—a tool embedded in the Amazon shopping app and mobile website that uses a device’s camera to digitally overlay glasses frames, rings, and accessories onto a user’s live image or uploaded photo. Plaintiffs Tanya N. Svoboda and Antonella M. Ortiz Colosi, represented by Keogh Law, alleged that by processing users’ facial geometry to power the feature, Amazon collected biometric identifiers from Illinois residents without complying with BIPA’s consent and disclosure requirements.
Originally filed in Cook County Circuit Court in 2021 (case no. 2021CH04516), Amazon removed the case to the Northern District of Illinois (Case No. 1:21-cv-05336, assigned to Judge Jorge Luis Alonso). Keogh Law filed an amended complaint in May 2022, and the case proceeded through substantial contested discovery before reaching a pivotal moment in March 2024.
Judge Alonso granted class certification. The certified class covers all individuals who used Amazon’s virtual try-on feature while in Illinois on or after September 7, 2016, excluding those who used it only in “model mode” or for hair color visualization. The certification ruling found that the class members’ BIPA claims were “suitable for, if not demanding of, class-wide treatment”—language that Keogh Law has since cited as persuasive authority in subsequent citations of supplemental authority filed at the Seventh Circuit.
Amazon appealed the class certification ruling. The Seventh Circuit heard oral argument on September 9, 2025. Amazon argued that the potential for a large damages award to the class should defeat the Rule 23(b)(3) superiority requirement—a theory that would effectively render mass BIPA damages classes uncertifiable. Keogh Law opposed, filing a response to Amazon’s petition for rehearing en banc as recently as January 26, 2026. The case remains one of the most consequential BIPA class certification disputes in the statute’s history, with implications for whether aggregate BIPA damages can survive appellate scrutiny.
The Employer Front: Jenkins v. Regal Cinemas
Not all of Keogh Law’s BIPA litigation involves consumer-facing technology. Jenkins v. Regal Cinemas, Inc. (N.D. Ill., Case No. 1:20-cv-03782, filed June 2020, assigned to Judge April M. Perry) targets the workplace—specifically, the fingerprint-based timekeeping systems that became widespread in service industries during the 2010s.
Plaintiff Oshea Jenkins alleged that Regal Cinemas collected employees’ fingerprints through time-clock systems without satisfying BIPA’s written consent, disclosure, or data retention obligations. The case followed a well-established BIPA template in the employment context: an hourly worker clocks in and out using a biometric scanner, the employer never provides a written policy or obtains a written release, and years of fingerprint scans accumulate in the system without a destruction schedule.
The Jenkins case illustrates how durable BIPA employment claims can be. The matter was filed in 2020, survived the pandemic disruptions that stalled many cases, and by August 2024 was still generating contested discovery disputes—with Keogh Law filing motions to compel discovery regarding both damages calculations and Regal Cinemas’ compliance efforts. The length of the litigation reflects both how seriously Regal contested the case and how committed Keogh Law is to taking BIPA matters through the full discovery process rather than settling early at diminished value.
The Industrial Defendant: Roberts v. Graphic Packaging International
Roberts v. Graphic Packaging International, LLC (S.D. Ill., Case No. 3:21-cv-00750, filed June 2021, assigned to Judge David Wayne Dugan) is a workplace BIPA case against a large industrial packaging manufacturer—a defendant type that has seen significant BIPA exposure as manufacturing and logistics companies integrated biometric access and timekeeping systems at scale.
Plaintiff Jocelyn Roberts alleged that Graphic Packaging’s use of biometric timekeeping systems violated BIPA’s consent, disclosure, and data retention requirements. Co-counsel on the case included Gregg M. Barbakoff and William M. Sweetnam alongside Keith Keogh, reflecting the firm’s practice of bringing in co-counsel on cases with complex facts or large class sizes.
The case resolved through a class action settlement. In January 2024, Barbakoff filed Plaintiff’s Motion for Preliminary Approval of Class Action Settlement, accompanied by a Keith Keogh declaration (Exhibit B) supporting the adequacy of the proposed settlement terms. Judge Dugan granted preliminary approval on February 6, 2024. The case terminated in November 2024 following final settlement approval—a result that demonstrated Keogh Law’s ability to develop an industrial BIPA case from initial filing through successful class resolution over a multi-year timeline.
The Firm’s BIPA Targeting Logic
Across its BIPA docket, Keogh Law’s case selection reflects a coherent targeting framework built around three converging factors:
Large Class Size. BIPA damages multiply with class size. The firm focuses on defendants with large employee workforces or large Illinois consumer bases—manufacturers, major retailers, entertainment chains, and technology platforms with millions of users. The Svoboda class against Amazon is potentially the largest BIPA class the firm has developed.
Systematic Non-Compliance. Rather than cases where a defendant arguably made a good-faith attempt at compliance that fell short, Keogh Law targets defendants with apparent structural non-compliance—no written policies, no retention schedules, no written consent obtained from any class member. This pattern makes it difficult for defendants to argue good-faith compliance and bolsters the case for finding violations reckless or intentional, which triggers the $5,000 per-violation damages tier.
Durable Technology Deployments. Biometric systems deployed in manufacturing plants, movie theater chains, and major retail applications tend to run for years. Each collection event from each class member over that entire deployment period is a potential violation under Cothron. Cases involving long-running biometric systems therefore have very large theoretical damages footprints—creating significant settlement pressure even when the per-class-member payout is modest.
VPPA as a Secondary Practice
Beyond BIPA, the firm maintains a Video Privacy Protection Act (VPPA) practice—though it is secondary to biometrics in terms of case volume and profile. The VPPA theory that firms like Keogh Law have pursued targets the intersection of user authentication, video content, and advertising pixel technology.
The core claim: when a logged-in user on a subscription platform watches a video while the platform’s Meta Pixel or similar advertising tag is running, the pixel may transmit both the user’s identity (via cookie matching) and what they watched (via page URL) to Meta simultaneously—constituting a prohibited disclosure of video viewing history to a third party under 18 U.S.C. § 2710. At $2,500 in statutory damages per affected subscriber, the aggregate exposure across a large subscriber base can reach into the billions.
The firm has pursued VPPA claims in parallel with its BIPA practice, targeting subscription news publishers, streaming platforms, and healthcare education portals. While the VPPA practice has not yet produced a Svoboda-level case for the firm, the same disciplined approach—technical pre-filing investigation, authenticated session analysis, detailed pixel configuration evidence—characterizes their VPPA complaints. The firm has paired VPPA claims with CIPA § 631 wiretapping claims in California-accessible deployments, broadening both the class definitions and the damages frameworks available.
What Makes Keogh Law Distinctive
Several characteristics distinguish Keogh Law from the broader field of BIPA plaintiff firms:
Appellate Willingness. Most plaintiff firms prefer to settle cases before appellate risk materializes. Keogh Law has demonstrated a willingness to pursue cases through the circuit court level—Svoboda v. Amazon is now at the Seventh Circuit on a certification appeal that has potential to reshape BIPA class action practice nationally. Filing a response to a petition for rehearing en banc as recently as January 2026 signals that the firm intends to see this through, not settle it away.
Technical Preparation. BIPA cases involving consumer-facing technology require understanding what the technology actually does—how Amazon’s virtual try-on extracts facial geometry, how fingerprint scanners hash and store biometric templates, when and where data leaves a company’s systems. Keogh Law’s complaints in the technology space reflect genuine pre-filing technical investigation rather than formulaic allegations.
Long-Duration Case Management. Both Jenkins (filed 2020, still in discovery in 2024) and Roberts (filed 2021, settled 2024) represent multi-year case management commitments. The firm does not appear to be in the business of quick-resolve, low-value BIPA settlements. This willingness to carry cases through extended litigation cycles gives the firm credibility in demanding meaningful settlement value—and creates ongoing litigation pressure on defendants who might otherwise wait out a plaintiff’s resolve.
The Compliance Implications
Keogh Law’s docket, read as a compliance map, identifies the highest-risk BIPA exposure categories in the current litigation environment:
Consumer-Facing Biometric Features: Virtual try-on tools, facial recognition unlocking features, and any consumer product using face geometry processing in Illinois require full BIPA compliance—written disclosure, specific consent for the stated purpose, and a published retention policy before any scan occurs.
Workplace Timekeeping and Access Systems: Fingerprint time clocks remain one of the most common BIPA violation sources. Any Illinois employer using biometric timekeeping who cannot produce a written retention schedule and signed consent forms for every employee is carrying substantial litigation exposure.
Third-Party Biometric Processors: Many BIPA claims target not the employer directly but the technology vendor whose system processes the biometrics. Contracts between Illinois employers and biometric technology vendors must address BIPA compliance obligations explicitly—and the employer cannot outsource away its own statutory obligations by pointing to a vendor.
Retention and Destruction: Cothron‘s accrual ruling means every day a biometric record is retained past its required deletion date is a new potential violation. Illinois companies with legacy biometric data that predates formal compliance programs face exposure not just for the original collection but for every day of continued retention.
