Illinois’ Biometric Information Privacy Act (BIPA) has long been one of the most formidable privacy statutes in the country, and the latest wave of litigation proves that it is not slowing down. Two significant developments have emerged that every business with an Illinois presence should be tracking.

First, plaintiffs’ attorneys have trained their sights on AI meeting note-takers, filing class actions that allege these widely adopted tools collect biometric voice data in violation of BIPA’s strict notice and consent requirements. Second, the Seventh Circuit Court of Appeals heard oral arguments last month in a consolidated set of appeals that will determine whether the Illinois legislature’s 2023 amendment to BIPA, which dramatically curtailed damages exposure, applies retroactively to the hundreds of cases already pending in Illinois courts.

Together, these developments make plain that BIPA compliance cannot be treated as a static, check-the-box exercise. It requires continuous, proactive attention.

The New Frontier: BIPA Lawsuits Targeting AI Meeting Tools

On December 18, 2025, a proposed class action was filed in federal court in Illinois against Fireflies.AI Corp., one of the most widely used AI meeting assistant platforms. The case, Cruz v. Fireflies.AI Corp., encapsulates a scenario that will resonate with many organizations: an Illinois resident joined a routine virtual meeting, never signed up for any AI service, and never consented to data collection of any kind. Yet, an AI-note taking bot automatically joined the call at the request of another participant. The bot recorded the discussion, identified individual speakers, and generated attributed transcripts. According to the complaint, those functions required Fireflies to create and store “voiceprints”—biometric identifiers under BIPA—without providing the written notice, obtaining the written consent, or publishing the retention and destruction policy that BIPA mandates.

This is not likely to be a one-off lawsuit. AI note-takers are now ubiquitous in the modern workplace, and their core functionality—distinguishing voices, attributing statements to individual speakers, and retaining recordings—maps squarely onto BIPA’s definition of biometric data collection. Platforms that automatically join meetings without the knowledge or consent of all participants are particularly vulnerable. Plaintiffs’ attorneys have noticed, and we expect significantly more filings targeting both AI vendors and their customers in the coming months.

Employer Liability: The Risk Extends Beyond the Vendor

The instinctive reaction of many employers will be to view these lawsuits as someone else’s problem. After all, the AI vendor is the named defendant in Cruz, not the meeting host or the employer. That reaction is both understandable and mistaken. Experience in BIPA litigation has shown that lawsuits against technology vendors are frequently the precursor to lawsuits against technology customers. Illinois courts have made clear that more than one entity can be held liable for the same biometric data collection, depending on who enabled, authorized, or benefitted from the technology’s use.

Employers can be drawn into BIPA litigation in several ways. An organization that selects, licenses, or encourages the use of an AI note-taker may be viewed as having assistance during business meetings, even without explicit company authorization, may bear responsibility for that conduct if it occurs in a work context. And an employer that derives value from AI-generated transcripts, summaries, or speaker-attributed archives has a harder time arguing it was a mere bystander.

Geography adds another layer of complexity. An employer headquartered outside Illinois is not exempt. If any meeting participant is physically located in Illinois when their voice is recorded, BIPA can apply, regardless of where the employer, the AI vendor, or the other participants are based. In a world of distributed, remote, and hybrid workforces, that reach is nearly universal.

Practical Steps Businesses Should Take Now

Reducing exposure to AI note-taker BIPA claims does not require abandoning these productivity tools. It requires governing them deliberately. Businesses should consider the following steps:

• Inventory your AI meeting tools. Catalog every transcription or note-taking platform to use across your organization, including tools deployed by individual employees or departments without formal IT approval. You cannot manage risk you cannot see.
• Understand what the tool actually collects. Do not rely on marketing language. Determine whether a given tool performs speaker recognition, voice identification, or other functions that may constitute biometric data collection under BIPA. Tools that distinguish speakers and attribute statements to individuals are operating squarely in biometric territory.
• Build a layered notice and consent framework. Generic privacy policies are not enough. BIPA requires written notice to participants before biometric data is collected, disclosing the purpose and duration of collection, and obtaining their written consent. That notice must be timely, clear, and accessible to all participants, and not just the account holder who deployed the tool.
• Conduct vendor due diligence and document it. Verify that your AI vendors have BIPA-compliant consent mechanisms and published retention and destruction policies. Confirm that your vendor agreements contain appropriate representations and indemnities. Documenting these efforts matters. Courts are unlikely to accept a “we relied on our vendor” defense if you cannot demonstrate you actually investigated.
• Update your AI and meeting policies. Address AI note-takers explicitly in your organizational policies. Restrict who can activate them in meetings involving external participants or Illinois-based attendees, and train employees to understand that enabling an AI assistant is not a neutral act.

The Seventh Circuit’s Pivotal BIPA Retroactivity Decision

While plaintiffs’ attorneys push the AI note-taker theory forward, a separate development at the Seventh Circuit could reshape the entire BIPA damages landscape, both for pending cases and for how future litigation is valued and settled. On February 12, 2026, a three judge Seventh Circuit panel heard oral arguments in three consolidated appeals on a question with billions of dollars in consequences: does the Illinois legislature’s 2023 amendment to BIPA apply retroactively to cases filed before it took effect?

How BIPA Damages Became a Crisis

To appreciate what is at stake, one must understand how BIPA damages spiraled into an existential threat for many employers. In 2023, the Illinois Supreme Court held in Cothron v. White Castle System, Inc. that BIPA claims accrue each and every time biometric data is unlawfully collected or transmitted, and not just the first time. For employers using fingerprint-based timekeeping systems, that ruling meant every single clock-in and clock-out by every employee was a separate, actionable BIPA violation, each carrying $1,000 to $5,000 in statutory damages. For a company with hundreds of employees over several years, the arithmetic produced potential liability measured in hundreds of millions of dollars, or more.

The Illinois Supreme Court acknowledged the severity of those consequences but concluded that policy concerns were “best addressed by the legislature.” The legislature responded. In 2023, Illinois amended BIPA to provide that a private entity collecting or disclosing the same biometric data from the same person using the same method commits only a single violation, regardless of how many times the act is repeated. The shift, from “for each violation” to “for a violation,” was intended to eliminate the per-scan theory of recovery that had made BIPA legislation so lucrative for plaintiffs’ attorneys and so dangerous for defendants. The amendment took effect in August 2024.

A Sharply Contested Question at Oral Argument

The Seventh Circuit panel was visibly engaged at oral argument, pressing both sides on the core question: is the 2023 amendment a remedial change to BIPA’s damages regime, which would apply retroactively under established Illinois law, or is it a substantive change to the statute’s definition of what constitutes a “violation,” which would apply only to conduct occurring after August 2025?

Counsel for the defendants argued that the amendment is fundamentally about damages and remedies, and that under Illinois law, remedial changes apply retroactively. Counsel framed the plaintiffs’ position as asking the court to “grade the Illinois General Assembly’s homework” because legislators did not use precisely the right words, even though “everybody knows what this is all about”: limiting the runaway damages exposure created by Cothron. Plaintiffs’ counsel countered that the amendment did not merely cap recovery; rather, it retroactively eliminated thousands of accrued claims, which is a substantive change that cannot be applied to vested rights without a clear legislative directive. As plaintiffs’ counsel put it, the legislature “made the choice not to cap damages but to eliminate accrued claims.”

The panel’s questions reflected genuine uncertainty. Judge Hamilton posed a pointed hypothetical: if the legislature were instead to double the maximum BIPA damages, would that, too, apply retroactively as a remedial change? Defendants’ counsel acknowledged that it would, subject to potential constitutional constraints. Judge Jackson-Akiwumi raised the possibility of certifying the question to the Illinois Supreme Court, noting that the circumstances surrounding the amendment clearly reflected the legislature’s concern about crushing business liability. Notably, neither party embraced certification, each confident the law favored its client. And Judge Hamilton, at oral argument’s end, captured the stakes with characteristic directness: “it sounds like billions of dollars of consequences turn on how we label the change.”

Why This Decision Is Pivotal

The district courts reviewing these cases had unanimously held that the 2023 amendment, being substantive in nature, applies prospectively only. If the Seventh Circuit affirms that conclusion, the hundreds of BIPA claims filed before August 2025 retain their per-scan damages theories, and the eye-popping liability figures that come with them. Settlement values in those cases will remain at historically elevated levels, and defendants will face continued pressure to resolve claims at significant cost.

If, on the other hand, the Seventh Circuit reverses and holds the amendment retroactive, defendants in pre-2024 cases would see their exposure drop dramatically, from potentially thousands of per-scan violations per plaintiff to a single recovery per violation type per person. That outcome would prompt a fundamental reassessment of settlement posture across the BIPA docket and could render class certification far more difficult in cases where the scale of per-scan damages was the engine driving class value.

Either way, the decision’s implications will extend well beyond the three consolidated cases. It will provide authoritative guidance on how Illinois federal courts should resolve statutory retroactivity questions in the BIPA context. A ruling is expected in the coming months.

What This Means for Your Organization

The convergence of these two developments tells a consistent story: BIPA’s reach is expanding, and the cost of non-compliance—whether measured in litigation risk or settlement exposure—remains severe. For businesses operating in Illinois or employing Illinois residents, the time for reactive compliance has passed.

The AI note-taker litigation signals that any technology that touches voice data in a meeting context must be evaluated through a BIPA lens before deployment. The Seventh Circuit’s pending decision on retroactivity is equally consequential: businesses with pre-2024 BIPA exposure need to understand how the court’s ruling will affect the value and trajectory of any pending or threatened claims.