BIPA’s Government Contractor Exemption: Illinois Appellate Court Draws the Line at Contract Scope

Key Takeaways

• The Illinois Appellate Court for the Third District held that BIPA’s Section 25(e) government contractor exemption can apply even if a company performs both government-contracted and private work, rejecting the view that only entities working exclusively for the government may invoke the defense.
• A company does not receive blanket immunity from BIPA simply because it has a government contract; instead, the exemption protects only biometric practices that occur while carrying out the contractor’s actual government responsibilities.
• Businesses with both public and private operations should evaluate biometric data collection and use on a function-by-function basis, preserve clear connections between covered practices and government work, and seek to achieve full BIPA compliance for activities that fall outside the contract’s scope.

How far does BIPA’s government contractor exemption reach—and what can companies do to maximize its protection?

The Illinois Third District Appellate Court recently clarified the scope of BIPA's government contractor exemption—delivering a mixed result for contractors. In Thomas v. Cornerstone Services, Inc., 2026 IL App (3d) 240568 (Apr. 28, 2026), the court answered two certified questions regarding BIPA’s Section 25(e) government contractor exemption and made clear that (1) companies that engage in private undertakings alongside government contract work can still avail themselves of the exemption, but (2) having a government contract does not extend beyond the scope of the contractor's government work. The BIPA exemption shields a contractor only when it is acting within the scope of its government-contracted work—though conduct outside the scope of the government contract remains subject to BIPA. For companies with both government and private operations, the decision offers useful clarity on how to structure their activities to preserve the exemption’s protections and where to focus compliance efforts.

Background: A Disability Services Provider’s Biometric Timekeeping

Cornerstone Services, Inc. is a disability services organization that receives funding from the Illinois Department of Human Services (DHS), which constituted between 60% and 73% of its revenue during the relevant period. Former employee Tiara Thomas filed a putative class action in Will County Circuit Court, alleging that Cornerstone's use of a biometric timekeeping system, which shared fingerprint data with payroll processor ADP, ran afoul of BIPA's consent requirements.

Cornerstone moved to dismiss, arguing that it was exempt from BIPA under Section 25(e), which provides that the act "shall not be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government." Cornerstone raised a reasonable threshold defense: As a government contractor during the relevant period, it argued the exemption applied to its operations.

The circuit court denied Cornerstone’s motion to dismiss, and the parties subsequently certified two questions for interlocutory appeal:

1. Does the Section 25(e) exemption apply only to contractors who work exclusively for state agencies or local units of government?
2. If not, what does “when working for” the government entity mean?

The Court’s Analysis

No Exclusivity Requirement

On the first certified question, the court answered in the negative: The exemption does not require an exclusive contractual relationship with a government entity. A contractor that also engages in private undertakings may still invoke the exemption. The court found “nothing in the plain language of the Act” that rescinds a government contractor’s ability to assert the exemption simply because it also has private clients. Id. ¶ 23. The appellate court declined to “depart from the statute’s plain language by reading into the exemption a limitation that the legislature did not express[.]” Id. 

“When Working For” Means Within the Scope of the Contract

On the second question, the court held that the phrase “when working for” is not merely temporal. Instead, it imposes a substantive limitation: The exemption applies only when the contractor both possesses a government contract and the alleged violation occurred within the scope of that contractual work. The court explained that a government contractor “is not exempt when it violates the Act while pursuing private undertakings outside of its government contractual responsibilities.” Id. ¶ 27.

The court rejected Cornerstone’s argument that this reading creates an “unworkable scheme,” holding that such policy concerns “are beyond our purview where the language of the act is plain and unambiguous.” Id. ¶ 30. The court further observed that Cornerstone’s interpretation would afford a categorical exemption by mere possession of any government contract—regardless of its scope—effectively insulating a private entity from BIPA liability for all of its activities, including those with no connection to its government work. That reading, the court concluded, would undermine BIPA’s core purpose of protecting the public from private entities that compromise biometric data.

Conclusion

This decision has significant implications for private entities that receive state funding and seek to rely on the government contractor exemption as a categorical defense to BIPA claims. The court’s holding makes clear that Section 25(e) is not a blanket shield: It protects government contractors only for conduct tied to their government work. Entities with mixed public and private operations will need to evaluate whether their biometric data practices are sufficiently connected to their government contracts. For biometric practices that fall outside the scope of those contracts, BIPA compliance remains essential, and BIPA exposure persists.

For companies navigating this evolving landscape, the decision underscores the importance of a granular, function-by-function assessment of BIPA obligations rather than relying on entity-level exemptions.