Our Take
Amazon's settlement signals that state-level worker privacy laws with teeth are outpacing federal inaction on health data collection in hiring.
Why it matters
Illinois's Biometric Information Privacy Act has become a real enforcement lever for worker protections, not just corporate compliance theater. Other large employers (Walmart, Topgolf) are facing similar pressure, making this a pattern, not an isolated case.
Do this week
Legal/Compliance: audit your pre-employment questionnaires and health screening protocols against state biometric privacy statutes (starting with Illinois, California, and Texas) before your next hiring cycle.
Amazon agrees to settle biometric privacy lawsuit
Amazon has settled a lawsuit filed by Illinois workers alleging the company requested family medical histories during hiring or employment processes without proper consent or disclosure. The case turned on the Illinois Biometric Information Privacy Act (BIPA), which restricts how employers collect, store, and use biometric and health-related personal data.
Illinois law requires explicit written consent before collection and imposes specific retention and deletion rules. Amazon's alleged violation, according to the lawsuit, centered on requesting sensitive family health information without meeting those consent standards.
The settlement itself does not establish the dollar amount or remedial terms (per the available reporting), but the case aligns with a broader pattern of enforcement under BIPA. Walmart and Topgolf have also faced legal action under the same statute for similar practices.
State law is where worker privacy enforcement is actually happening
Federal employment law remains silent on worker consent for health data collection. HIPAA covers healthcare providers and insurers, not employers. The Americans with Disabilities Act (ADA) restricts what employers can ask, but enforcement is reactive and often weak. BIPA fills that gap by creating a private right of action, meaning workers can sue directly, without waiting for agency intervention.
Illinois's law is among the strictest in the country. California, Texas, Washington, and Vermont have similar statutes. As more states adopt or strengthen biometric privacy laws, the legal exposure for employers who request or retain family medical histories without explicit consent compounds. Amazon's settlement does not establish precedent in federal court, but it does confirm that state-level enforcement is real and costly enough to force settlement.
The pattern across multiple major employers (Amazon, Walmart, Topgolf) suggests this is not isolated vendor overreach but a systematic practice that now carries litigation risk.
Audit health data requests before they become liability
Any pre-employment form, screening questionnaire, or intake process that requests family medical history, genetic information, or health conditions must now be reviewed against state biometric and health privacy statutes, not just federal ADA guidance. Consent language matters. Generic consent checkboxes do not satisfy BIPA's requirement for specific, written, informed consent.
If you conduct hiring in Illinois, California, or other states with strong biometric privacy laws, conduct an audit of what health information you currently request, how you store it, how long you retain it, and whether you have documented consent. Surplus questions (especially family health history) should be eliminated. The compliance cost of a settlement or class action far exceeds the cost of tightening intake forms now.