Every dispensary in America scans IDs. It is a legal necessity — age verification is the bright line between a compliant sale and a license-ending violation. But in Illinois, and increasingly in the states modeling their privacy laws on it, the device that keeps you compliant on age can simultaneously expose you to one of the most expensive categories of privacy litigation in the country: the Biometric Information Privacy Act.

A pair of cases and a recent appellate ruling have reshaped that risk in 2026. The exposure is real, but it is also more measurable — and more manageable — than it was even a year ago.

What changed on April 1, 2026

On April 1, 2026, the U.S. Court of Appeals for the 7th Circuit issued an opinion holding that the August 2024 amendment to BIPA (SB 2979) — which limited the accumulation of statutory damages — is a procedural change that must be applied retroactively to pending cases.

This matters enormously. Pre-amendment, BIPA’s per-violation damages could compound to catastrophic, arguably existential numbers, because every individual scan could count as a separate violation. The 2024 amendment capped that accumulation, and the 7th Circuit’s retroactivity holding means that cap reaches back to cases already in the pipeline. The practical effect: the “death knell” scenario that made BIPA so feared in the cannabis sector is meaningfully reduced. It is not eliminated.

The first wave of post-amendment litigation suggests a clear pattern: dispensaries and vendors that deploy clear, consent-oriented workflows now face substantially less existential risk. Those that scan biometric data without notice and consent still face liability — just liability that is more bounded than before.

The cases that show the exposure

Two Illinois matters illustrate where the risk actually lives.

PharmaCann / TokenWorks. TokenWorks, a provider of ID-verification software, has been drawn into a legal battle alongside PharmaCann, a well-known Illinois dispensary operator. The lawsuit alleges that visitors to PharmaCann stores had biometric data captured, collected, stored, and disseminated without consent, with plaintiffs pointing to TokenWorks’ IDentiFake scanners as the mechanism. The case underscores a critical point: liability does not stop at the vendor. The dispensary deploying the device is squarely in the frame.

4Front Ventures. At least one cannabis retailer has been sued under BIPA by a former employee over fingerprint scanning. This is the employee-side mirror of the customer-facing risk: time-and-attendance biometrics, common in cultivation and manufacturing facilities, carry the same notice-and-consent obligations as a customer ID scanner.

Together these cases map the full surface of dispensary biometric exposure: customers at the point of sale, and employees at the time clock.

Where biometrics hide in a “simple” ID scan

The trap is that operators often do not realize they are collecting biometrics at all. An ID scanner that merely reads the text off a driver’s license is generally low-risk. The problem arises when the device or its software:

  • captures and analyzes face geometry to match the cardholder to the person presenting the ID,
  • extracts a biometric identifier from the photo on the license,
  • stores a template derived from any of the above, or
  • shares that derived data with a vendor for verification or fraud-detection purposes.

Any of these can cross the line from “reading an ID” into “collecting biometric information” under BIPA — and the operator frequently has no idea the vendor’s product does it, because it happens inside the device.

Building a defensible biometric workflow

The encouraging news is that the elements of a defensible workflow are now well understood. They are not exotic; they are a matter of discipline.

Know exactly what your scanner collects

Start with the vendor. Ask, in writing, whether the device or its backend captures, derives, or stores any biometric identifier — face geometry, fingerprint, retina, or a template of any of these. Get the answer documented. If the vendor will not answer clearly, treat that as a finding, not a dead end.

Provide written notice before collection

BIPA requires that you inform the individual, in writing, that biometric data is being collected, the purpose, and how long it will be retained. For a dispensary, this means a clear notice at the point where scanning happens — not buried in a privacy policy the customer never sees.

Notice alone is not enough. You need the individual’s written consent (a “written release”) before collection. The consent must be specific and informed. Consent-oriented workflows are precisely what the post-amendment courts have signaled they expect.

Adopt and publish a retention-and-destruction schedule

BIPA requires a publicly available retention schedule and guidelines for permanently destroying biometric data when the purpose is satisfied or within a set period. Most dispensaries have never written one. Do it, and make sure your scanner vendor actually deletes the data on your schedule, not theirs.

Push the obligations down to your vendor by contract

Because liability reaches the operator, your contract with the scanner vendor should require BIPA-compliant handling, prohibit unauthorized profiting from biometric data, mandate deletion on your schedule, and require breach notification. The PharmaCann/TokenWorks case is a reminder that “the vendor handles it” is not a defense if your contract never said so.

Apply the same rigor to employee biometrics

If you use fingerprint or face-based time clocks, the 4Front case is your warning. Employees get the same notice, consent, retention, and destruction protections as customers. Audit your HR and facility-access systems alongside your retail ID scanners.

The strategic read

The 7th Circuit’s retroactivity ruling has lowered the temperature on BIPA’s most catastrophic damages scenario, and that is genuinely good news for an industry that has watched these cases warily. But lowering the ceiling on damages is not the same as removing the obligation. Dispensaries that collect biometric data without notice and consent still lose these cases — they just lose them for less.

The smarter posture is to stop treating BIPA as a litigation lottery and start treating it as a data-governance question: know what you collect, tell people, get their consent, delete on schedule, and hold your vendors to the same standard. That is the workflow the courts now reward, and it is the same discipline that protects every other category of sensitive data a dispensary holds.


This article is provided for informational purposes only and does not constitute legal advice.