Photo of Jason StiehlPhoto of Kate GrowleyPhoto of Jacob Canter

A recent Illinois appellate decision has narrowed a key protection that state and local government contractors have long been able to rely on under Illinois’ Biometric Information Privacy Act (BIPA). In Thomas v. Cornerstone Services, Inc., the Illinois Appellate Court held that BIPA’s government contractor exemption does not provide blanket immunity to contractors simply because they hold a contract or subcontract with a state agency or local unit of government. The ruling carries important compliance implications for contractors and subcontractors operating across both government and private-sector markets.

The Opinion

Section 25(e) of BIPA states the following: “Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.”

In Cornerstone Services, the Court held that the phrase in this section “when working for the State agency or local unit of government” exempts a government contractor’s actions only when the contractor possesses a government contract and its alleged BIPA violation was within the scope of its government contractual work.

This holding is consequential because, previously, government contractors had argued that the BIPA exemption operated to bar BIPA lawsuits in all circumstances. The Appellate Court rejected this broader interpretation as inconsistent with BIPA’s purpose of protecting the public from private entities that compromise biometric data.

In this case, the plaintiff is a former Cornerstone Services employee, and the defendant is an Illinois state government contractor.

Why BIPA Matters for Government Contractors

Enacted in 2008, BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information, including fingerprints and hand scans, by private entities. Critically, BIPA provides a private right of action with statutory damages that multiply rapidly in the class action context, making it potentially one of the most financially consequential privacy statutes in the United States.

Government contractors are particularly exposed because they frequently use biometric systems — such as fingerprint timekeeping and identity verification tools — across both government and commercial operations. Cornerstone Services makes clear that a government contract does not insulate a contractor from BIPA liability for biometric data practices conducted outside the scope of that contract.

In its briefing, Cornerstone Services argued that this conclusion “creates an ‘unworkable scheme’ where some operations by government contractors are exempt and others are not.” But the court was unmoved by this concern, remarking that “[s]uch concerns are beyond our purview where the language of the Act is plain and unambiguous,” observing that available solutions include separating portions of the workforce or receiving statutory consent.

With class action BIPA litigation remaining active, contractors that have assumed broad exemption protection should reassess that assumption immediately.

Steps Government Contractors Should Take Now

In light of Cornerstone Services, government contractors that do work with state agencies or local units of government should take the following steps to reduce BIPA exposure:

  1. Audit biometric data practices. Map all biometric data collection, storage, and disclosure activities across the organization. Identify which practices are tied to government contract performance and which relate to private-sector or general administrative operations (e.g., payroll processing).
  2. Obtain proper employee consent for non-governmental uses. For any biometric data activities not clearly within the scope of a government contract, ensure employees have received the written disclosures and provided the written consent required by BIPA before their data is collected or disclosed.
  3. Review third-party vendor agreements. Audit all agreements with payroll processors and timekeeping vendors that receive biometric data and confirm disclosures are properly authorized.
  4. Implement separate compliance protocols. Establish clear internal policies distinguishing between biometric data practices within the scope of government contracts and those that are not, and maintain documentation to support any exemption claim.
  5. Train staff and update written policies. Ensure that biometric data retention and destruction schedules, written notices, and employee-facing policies comply with BIPA across all lines of business, and train personnel on how the exemption applies — and where it does not.

Crowell actively monitors BIPA and other privacy and government contracting developments and is available to assist further.

Tags: data privacy, government contracts
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason Stiehl Jason Stiehl

Balance and comprehension are Jason Stiehl’s strengths. Splitting his practice between class action defense and trade secret protection, Jason immerses himself in the business of his clients. With a depth of understanding and appreciation for the risks and growth strategies in his clients’…

Balance and comprehension are Jason Stiehl’s strengths. Splitting his practice between class action defense and trade secret protection, Jason immerses himself in the business of his clients. With a depth of understanding and appreciation for the risks and growth strategies in his clients’ markets, he defends the assets and brands most valuable to his clients before trouble strikes.

Jason is a partner in Crowell & Moring’s Chicago office, where he is a member of the firm’s Litigation and Technology and Brand Protection groups. Jason is an experienced trial lawyer with a nationwide practice in federal and state courts focusing on complex litigation, consumer class actions, and advertising disputes. He serves clients in the retail, food and beverage, pharmaceutical and medical equipment, advertising, and technology sectors defending allegations related to consumer fraud, false labeling and deceptive practices, and Lanham Act violations. As a leading consumer class action defense lawyer, Jason also defends clients in matters involving the regulatory alphabet soup. His experience includes defense and counseling regarding the Illinois Biometric Information Privacy Act and the Telephone Consumer Protection Act and navigating the myriad varying state consumer protection statutes, including California’s Legal Remedies Act and the California Consumer Privacy Act.

Read more about Jason Stiehl
Show more Show less
Photo of Kate Growley Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy…

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Read more about Kate Growley
Show more Show less
Photo of Jacob Canter Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent…

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. Jacob was exposed to and provided support in a variety of complex substantive and procedural legal topics during the clerkship, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.

Read more about Jacob Canter
Show more Show less
Related Posts
Fastest 5 Minutes: DEI EO, SBIR, Pentagon Budget
May 7, 2026
FAR Council Issues Deviation Implementing EO 14398 With FAR 52.222-90 — DEI Restrictions on Federal Contractors
April 22, 2026
COFC Holds that USAID Contractors Properly Pleaded Breach of Contract by Improper Mass Termination in Bad Faith/Abuse of Discretion
April 22, 2026