The U.S. Court of Appeals for the Third Circuit ruled on May 12, 2026, that Amazon Web Services, Inc. and Pindrop Security, Inc. did not violate the Illinois Biometric Information Privacy Act (BIPA). This decision affects a group of Illinois citizens who alleged that their biometric voiceprints were collected without consent during phone calls to a financial services company. The ruling is significant as it clarifies the application of BIPA and the protections it offers regarding biometric data.

The case, titled Christine McGoveran v. Amazon Web Services Inc., was filed by several plaintiffs, including Christine McGoveran, Joseph Valentine, and Amelia Rodriguez, who claimed that their calls to John Hancock were routed through Amazon's technology. They alleged that Amazon and Pindrop collected their voiceprints without their consent, violating BIPA. The case began in Illinois state court in 2019 but was later moved to federal court, where it faced various motions and dismissals.

The plaintiffs initially filed their lawsuit in Illinois state court, claiming that their biometric voiceprints were collected without their consent. After the case was dismissed due to lack of personal jurisdiction, the plaintiffs refiled in the U.S. District Court for Delaware, naming both Amazon and Pindrop. The District Court dismissed the case on several grounds, including the financial institution exemption under BIPA and issues related to extraterritoriality. The plaintiffs appealed the District Court's decisions, leading to the current ruling by the Third Circuit.

The Third Circuit upheld the lower court's decisions, affirming that Pindrop was exempt from BIPA's requirements because it operated as a financial institution under the law. The court stated, "We will affirm on each issue," indicating that the plaintiffs' arguments did not convince the judges to overturn the lower court's findings. The judges noted that Pindrop's authentication services were directly related to financial transactions, thus qualifying for the exemption.

The court also addressed the plaintiffs' claims regarding Amazon, ruling that the extraterritoriality doctrine barred their BIPA claims. The judges emphasized that Illinois laws do not apply outside the state unless explicitly stated in the statute. They concluded that the alleged misconduct did not occur primarily in Illinois, as Amazon's servers were located in Virginia, and the calls were processed outside the state.

In addition to affirming the dismissal of Pindrop, the court also upheld the District Court's summary judgment in favor of Amazon. The judges found that the plaintiffs failed to demonstrate that their claims fell within the jurisdiction of Illinois law. They noted that the plaintiffs did not provide sufficient evidence to show that the relevant activities occurred in Illinois, thereby supporting the lower court's decision.

This ruling is important for the future of biometric data privacy laws, particularly in Illinois. It clarifies the extent to which companies can be held accountable under BIPA and sets a precedent regarding the financial institution exemption. The decision may influence how other courts interpret similar cases involving biometric data collection and consent.

The outcome of this case may have broader implications for consumers and companies involved in biometric data processing. It highlights the need for clear consent mechanisms and could affect how businesses approach biometric data collection in the future. Companies may need to reassess their compliance strategies to ensure they align with state privacy laws.

Looking ahead, the plaintiffs have the option to appeal the Third Circuit's decision to the U.S. Supreme Court, although it is unclear if they will pursue this route. There are currently no related cases pending that would directly impact this ruling. However, the outcome may encourage other plaintiffs to consider similar lawsuits under BIPA or related privacy laws.