These days, many of us regularly feed pieces of ourselves into machines for convenience and security. Our fingerprints unlock our smartphones, and companies are experimenting with more novel biometric markers—voice, heartbeat, grip—as ID for banking and other transactions. But there are almost no laws in place to control how companies use such information. Nor is it clear what rights people have to protect scans of their retinas or the contours of their face from cataloging by the private sector.

There’s one place where people seeking privacy protections can turn: the courts. A series of plaintiffs are suing tech giants, including Facebook and Google, under a little-used Illinois law. The Biometric Information Privacy Act, passed in 2008, is one of the only statutes in the U.S. that sets limits on the ways companies can handle data such as fingerprints, voiceprints, and retinal scans. At least four of the suits filed under BIPA are moving forward. “These cases are important to scope out the existing law, perhaps point out places where the law could be improved, and set principles that other states might follow,” says Jeffrey Neuburger, a partner at law firm Proskauer Rose.

The bankruptcy of fingerprint-scanning company Pay By Touch spurred BIPA’s passage. Hundreds of Illinois grocery stores and gas stations used its technology, allowing customers to pay with the tap of a finger. As the bankrupt company proposed selling its database, the Illinois chapter of the American Civil Liberties Union drafted what became BIPA, and the bill passed with little corporate opposition, says Mary Dixon, legislative director of the Illinois ACLU.