Illinois has produced more significant privacy class action settlements than any other state in the country. That is not an accident. It is the direct result of a single statute — the Illinois Biometric Information Privacy Act — that carries uncapped statutory damages, requires no proof of actual harm, and gives every Illinois resident a private right of action against any company that collects their biometric data without following a specific set of procedural requirements. Boodell & Domanskis LLC is one of the Chicago-based plaintiff firms working that statute, and working the broader digital privacy litigation space that has grown up alongside it.
For any company that employs Illinois workers, sells to Illinois consumers, or operates a website that captures data from Illinois residents, understanding the plaintiff bar that litigates these claims is not optional. The firms that bring these cases have refined their theories, their discovery demands, and their settlement calculus over years of active litigation. Boodell & Domanskis operates in that ecosystem.
The Firm and Its Position in the Illinois Plaintiff Bar
Boodell & Domanskis LLC is a Chicago-based plaintiff litigation firm with a practice that spans consumer class actions, data privacy claims, and civil litigation. Its Illinois base is strategically significant: the Northern District of Illinois is one of the busiest federal venues for privacy class actions in the country, and the Cook County state court system has processed thousands of BIPA complaints since the statute’s passage in 2008. A firm operating in this environment does not have to build a market for BIPA litigation — the market exists, has been validated by landmark settlements, and continues to generate new cases as companies adopt biometric technologies without building compliant frameworks around them.
The firm’s practice reflects the natural evolution of the Illinois plaintiff bar: starting from BIPA’s well-established statutory framework, then expanding into ECPA and CIPA digital tracking claims as those theories matured in California courts and began migrating to other jurisdictions. This dual-track approach — biometric claims under Illinois law, wiretapping and interception claims under federal and California statutes — characterizes a growing number of plaintiff boutiques that have recognized the structural similarity between the two litigation categories. Both turn on the same core allegation: a company collected, transmitted, or used consumer data without the notice and consent the law required.
BIPA: The Statute That Makes Illinois the Highest-Stakes Privacy Jurisdiction in the Country
No analysis of a firm practicing in this space is useful without understanding what BIPA actually does and why it has produced the settlements it has.
The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq., enacted in 2008, imposes a specific set of obligations on any private entity that collects, stores, uses, or shares biometric identifiers from Illinois residents. Those identifiers include fingerprints, retina and iris scans, voiceprints, facial geometry, and hand geometry — the biometric data used in fingerprint time clocks, facial recognition systems, voice authentication tools, and augmented reality features that map facial structure.
The statute requires that before collection occurs, a company must publish a publicly available written retention and destruction policy; inform the subject in writing of the specific data being collected and its purpose; and obtain a signed written release. Biometric data cannot be sold, leased, traded, or otherwise profited from. It must be protected using the same standard of care applied to other sensitive confidential information. It must be destroyed within three years or when the original collection purpose ends, whichever comes first.
The damages framework is what makes BIPA extraordinary. Negligent violations carry $1,000 per violation. Intentional or reckless violations carry $5,000 per violation. There is no statutory cap. Proof of actual harm is not required — the Illinois Supreme Court confirmed in Rosenbach v. Six Flags Entertainment Corp. (2019) that a technical statutory violation is sufficient to confer standing. And the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle System, Inc. held that each individual scan or transmission constitutes a separate accruing violation — meaning an employer whose fingerprint time clock scans 500 employees twice daily for three years without a compliant policy is not facing one violation. It is facing a damages exposure that compounds with every clock-in.
This statutory architecture has produced some of the largest privacy settlements in American legal history. Google settled a BIPA facial recognition case for $100 million. Facebook settled for $650 million. TikTok settled a consolidated BIPA action for $92 million. These numbers are not outliers — they reflect what BIPA’s uncapped, per-violation damages framework produces when applied to companies with large Illinois user bases and non-compliant data practices.
Boodell & Domanskis operates within the litigation ecosystem that produces these settlements.
Primary Legal Theories
Illinois Biometric Information Privacy Act
BIPA is the firm’s foundational statutory tool in the biometric context. The claims it supports break down into several recurring fact patterns: employers using fingerprint or hand-geometry time-and-attendance systems without written consent; retailers and technology companies using facial recognition for identity verification, loss prevention, or consumer-facing features; companies using voiceprint authentication in customer service or security systems; and third-party biometric technology vendors that process data on behalf of employers without themselves maintaining BIPA-compliant frameworks.
The employer timekeeping category alone has generated hundreds of Illinois class actions. Any company that implemented a biometric time clock without collecting signed written consent forms, publishing a retention policy, and establishing a destruction schedule has the exposure profile that BIPA plaintiff firms are built to find.
Electronic Communications Privacy Act and Digital Wiretapping
The expansion into ECPA and CIPA-based digital tracking claims reflects where the plaintiff bar has moved as biometric litigation matures and new revenue streams open in the website tracking context. The core theory — that third-party tracking scripts embedded on websites intercept user communications without authorization — has been tested extensively in California federal courts and has survived enough motions to dismiss to remain a viable litigation vehicle.
For Illinois-based or Illinois-targeting companies, ECPA claims can be layered with Illinois consumer protection theories, broadening both the potential class and the available damages theories.
Illinois Consumer Fraud and Deceptive Business Practices Act
The Illinois Consumer Fraud Act provides an additional statutory hook that plaintiff firms routinely append to BIPA and ECPA claims. ICFA claims allow courts to award actual damages, punitive damages, and attorney fees for unfair or deceptive practices — a remedy structure that complements the per-violation statutory damages available under BIPA and the actual damages available under ECPA.
Industries and Targeting Logic
The industries that generate BIPA exposure are determined by the technologies they use, not by the nature of their business. Any company that has deployed biometric tools in Illinois — for any operational purpose — without building a compliant consent and retention framework is a potential defendant.
Employers with biometric timekeeping systems. This is the highest-volume BIPA litigation category. Fingerprint and hand-geometry time clocks are standard equipment in manufacturing, logistics, food service, retail, and healthcare settings. The companies that sold these systems did not uniformly advise their employer customers about BIPA compliance obligations, and many employers implemented the technology without counsel review. The resulting exposure — per-violation damages across every employee, every scan, every day of non-compliant operation — is frequently catastrophic relative to the operational benefit of the technology.
Retailers and consumer technology companies using facial recognition. Loss prevention applications, age verification systems, and consumer-facing augmented reality features that map facial geometry all fall within BIPA’s definition of biometric identifiers. Illinois retailers operating facial recognition without compliant consent mechanisms face the same per-violation damages exposure as employers, with potentially larger class sizes.
Consumer-facing businesses with Illinois website traffic. In the digital tracking context, any company running standard marketing pixels, session replay software, or behavioral analytics tools on websites visited by Illinois users faces potential ECPA exposure. The theory that these tools intercept communications without authorization has been sufficiently validated in other jurisdictions to support demand letters and complaints in Illinois federal court.
Healthcare and financial services. Sectors that combine biometric authentication with sensitive underlying data — health records, financial account information — face compounding exposure because the sensitivity of the data that biometric access controls protect strengthens the argument for intentional or reckless violation treatment, which triggers the $5,000 per-violation tier.
What the Illinois Litigation Ecosystem Means for Defendants
BIPA litigation in Illinois operates through a well-developed plaintiff bar infrastructure. Firms share information about compliant and non-compliant employers, coordinate co-counsel arrangements on large cases, and have developed discovery protocols specifically designed to establish the scale of biometric data collection and the absence of consent documentation. A company served with a BIPA complaint from any Illinois plaintiff firm is facing an opponent who has litigated this statute before, understands the settlement value ranges the market has established, and knows exactly what documents to demand in discovery to establish liability.
Boodell & Domanskis participates in this ecosystem. The firm’s Chicago location, access to the Northern District of Illinois, and practice in both biometric and digital tracking claims reflect the dual-track approach that characterizes Illinois plaintiff boutiques operating in the current privacy litigation environment.
For defendants, the practical implication is that early resolution — before class certification briefing, before the discovery burden becomes significant, before the damages calculation is formally established — almost always costs less than late resolution. The structural economics of BIPA litigation strongly favor settlement: defendants who litigate to judgment face the prospect of uncapped per-violation damages across potentially enormous classes, while plaintiffs’ firms have built practices specifically designed to maximize the efficiency of getting to that settlement number.
Compliance Implications: What BIPA Exposure Actually Requires You to Fix
The compliance gaps that produce BIPA litigation are specific and largely fixable before a complaint is filed. The challenge is that most companies do not discover their exposure until a plaintiff’s firm has already found it.
Consent documentation must predate collection. BIPA’s consent requirement is not satisfied by retroactive notice. The written release must be obtained before any biometric data is collected. Companies that implemented biometric systems and later added consent language to their onboarding paperwork have not cured the violation — they have documented it, because the gap between implementation and consent is precisely what plaintiffs’ counsel will look for in discovery.
Written retention and destruction policies must be publicly available. The statute requires a publicly available written policy — not an internal document, not a vendor agreement, not a privacy policy that references biometrics in passing. The policy must specify the retention schedule and destruction procedures, and it must exist before collection begins.
Vendor contracts are not a compliance substitute. Many companies believe that outsourcing biometric data processing to a third-party vendor transfers their BIPA obligations. It does not. The employer who directs an employee to use a biometric time clock bears BIPA obligations regardless of who built the clock or where the data is stored. Vendor agreements should address BIPA compliance, but they do not eliminate the deploying company’s own statutory duties.
Legacy data carries ongoing exposure. Following Cothron, biometric records retained past their required destruction date represent continuing violations. Companies with legacy biometric data — from systems that have since been decommissioned, from employees who have left, from consent frameworks that were never established — face exposure not just for the original collection but for every day of continued retention. Remediation requires actually deleting the data, not just updating the policy.
Illinois website traffic creates digital tracking exposure independent of BIPA. Companies without any biometric data practices are not necessarily outside the exposure profile of firms like Boodell & Domanskis. The expansion into ECPA and CIPA-based digital tracking claims means that any company running standard third-party analytics tools on websites visited by Illinois residents needs to assess its consent framework for those tools as well.
The Longer View
Illinois has been the proving ground for privacy class action litigation since BIPA’s passage in 2008. The statute has survived constitutional challenges, produced landmark Supreme Court rulings on standing and accrual, and generated settlements that have reset expectations about what privacy violations cost. The firms that litigate these cases — including Boodell & Domanskis — have spent years refining their approach in the most active biometric privacy jurisdiction in the country.
For companies with Illinois operations, Illinois customers, or websites with Illinois traffic, the question is not whether BIPA exposure exists. It is whether the exposure has been assessed and mitigated before a plaintiff’s firm completes its own assessment first. The two assessments produce very different outcomes.
5 Compliance Steps to Reduce Your Exposure
- Inventory every biometric data collection point in your operations. Time-and-attendance systems, access control terminals, facial recognition tools, voice authentication systems, and any consumer-facing feature that captures facial geometry or other biometric identifiers must be identified before you can assess your BIPA compliance posture.
- Establish written retention and destruction policies before any further collection occurs. The policy must be publicly available, must specify the retention schedule, and must address destruction procedures. If the policy does not predate collection, the collection itself is a violation regardless of what the policy says.
- Obtain signed written consent from every individual whose biometric data you hold. Retroactive consent does not cure past violations, but it stops the accrual of new ones. Current employees, current customers, and current users who have not signed a BIPA-compliant release represent ongoing exposure.
- Audit third-party vendor relationships for biometric data access. Any vendor that touches biometric data on your behalf must be assessed for its own BIPA compliance, and your contracts must address the allocation of obligations. Vendor non-compliance does not insulate the deploying company from liability.
- Implement a consent management platform for Illinois web traffic that fires before any non-essential tracking technology loads. ECPA and CIPA claims based on digital tracking are a separate exposure category from BIPA, and the consent requirements follow the same pre-collection logic: consent must be obtained before the data transmission occurs, not after.
How Captain Compliance Can Help
BIPA compliance failures are not discovered in audits — they are discovered in demand letters. By the time a plaintiff firm has identified the gap between your biometric data collection practices and your consent documentation, the remediation window has closed and the negotiation window has opened. Captain Compliance specializes in proactive protection against these claims.
Book a demo for more information below.
