Overview
The Illinois Biometric Information Privacy Act (BIPA), enacted on October 3, 2008, is the most consequential US biometric privacy law. BIPA regulates how private entities collect, use, safeguard, handle, store, retain, and destroy biometric identifiers and biometric information.
BIPA was the first US state law to provide a private right of action for biometric privacy violations, and its enforcement through class action litigation has produced some of the largest privacy settlements in US history — including Facebook's $650 million resolution — with new filings and settlements continuing through 2025 and 2026. It is the primary legal framework shaping how companies deploy facial recognition, fingerprint scanning, voiceprint analysis, and other biometric technologies in Illinois.
A major 2024 amendment, SB 2979, reshaped BIPA's damages exposure: it overturned the Cothron v. White Castle "per-scan" rule and limited repeat collections of the same biometric identifier from the same person to a single recovery. See the 2024 Amendment section below.
Key requirements:
- Written notice before collecting biometric identifiers
- Written consent (release) from the individual
- Published retention and destruction policy
- Restrictions on disclosure to third parties
- Reasonable security measures for stored biometric data
Who It Applies To
Private Entities
BIPA applies to any private entity — corporations, LLCs, partnerships, sole proprietors, and other non-government organizations — that collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents.
No Size Threshold
There is no revenue minimum, employee count requirement, or industry carve-out. A startup scanning employee fingerprints for time-and-attendance must comply just as a Fortune 500 company deploying facial recognition at scale.
Exemptions
BIPA does not apply to:
- State or local government agencies
- Financial institutions subject to GLBA
- Contractors or subcontractors of government agencies when working under a government contract
- Information collected under the Health Insurance Portability and Accountability Act (HIPAA)
Biometric Identifiers Covered
BIPA covers these biometric identifiers:
| Identifier | Examples |
|---|---|
| Retina or iris scan | Eye-scanning access control |
| Fingerprint | Time clocks, device unlock, identity verification |
| Voiceprint | Voice authentication, voice-based AI analysis |
| Scan of hand geometry | Hand scanners for access control |
| Scan of face geometry | Facial recognition, emotion detection, identity verification |
What Is NOT Covered
- Writing samples
- Written signatures
- Photographs (unless used to extract facial geometry)
- Demographic data
- Tattoo descriptions
- Physical descriptions (height, weight, hair color, eye color)
- Biological samples used for scientific testing or screening
- Information collected under HIPAA
Consent Requirements
Three-Step Process
Before collecting any biometric identifier, private entities must:
- Inform the individual in writing that biometric data is being collected or stored
- Disclose the specific purpose and length of term for which the data will be collected, stored, and used
- Obtain a written release executed by the individual (or the individual's legally authorized representative)
Written Release
The release must be a standalone document or clearly identified section — burying consent in a general terms-of-service agreement may not satisfy BIPA's requirements. Illinois courts have held that the release must be:
- Informed (based on the specific written notice described above)
- Voluntary (not coerced or conditioned on unrelated services)
- Written or electronic (verbal consent is insufficient)
Electronic Signature (2024 Amendment)
The SB 2979 amendment (signed August 2, 2024) expressly confirmed that a "written release" may be executed by electronic signature. The statute now defines an electronic signature as "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record" (740 ILCS 14/10). This clarification lets entities collect valid BIPA consent through electronic onboarding and e-signature workflows, not only handwritten releases.
Retention & Destruction
Written Policy Required
Every private entity possessing biometric identifiers or information must develop a publicly available written policy establishing:
- A retention schedule
- Guidelines for permanently destroying biometric data
Destruction Triggers
Biometric data must be permanently destroyed when:
- The initial purpose for collecting the data has been satisfied, or
- Within 3 years of the individual's last interaction with the private entity
Whichever occurs first.
Scope of Destruction
Destruction must cover all copies of the biometric data, including backups, replicas, and any derived data (such as mathematical representations or templates created from the original biometric identifier).
Disclosure Restrictions
Private entities may not sell, lease, trade, or otherwise profit from biometric identifiers or information.
Disclosure to third parties is prohibited unless:
- The individual consents
- The disclosure completes a financial transaction requested by the individual
- Disclosure is required by law or municipal ordinance
- Disclosure is required pursuant to a valid warrant or subpoena
Vendor and Subcontractor Relationships
When using third-party processors (e.g., cloud biometric services, AI vendors), the private entity remains responsible for ensuring BIPA compliance throughout the data lifecycle, including at the vendor level.
Penalties & Enforcement
Private Right of Action
BIPA's private right of action is its most powerful enforcement mechanism. Any person aggrieved by a violation may sue and recover:
| Violation Type | Statutory Damages | Details |
|---|---|---|
| Negligent | $1,000 per violation | Or actual damages, whichever is greater |
| Intentional or reckless | $5,000 per violation | Or actual damages, whichever is greater |
Courts may also award:
- Attorneys' fees and costs to prevailing plaintiffs
- Injunctive relief to stop ongoing violations
Class Action Exposure
BIPA has generated the largest biometric privacy class action settlements in US history:
- Facebook (Meta): $650 million (2021) — facial recognition in photo tagging
- Google: $100 million (2022) — face grouping in Google Photos
- TikTok: $92 million (2021) — biometric data collection
- BNSF Railway: $228 million jury verdict (2022) — fingerprint scans without consent
Damages Accrual: From Per-Scan to Single Recovery
In Cothron v. White Castle (2023), the Illinois Supreme Court held that a separate BIPA violation accrued each time biometric data was scanned or transmitted without consent — not just upon the first collection. Because statutory damages are assessed per violation, this "per-scan" theory created the potential for astronomical exposure in repeat-scan scenarios such as employee fingerprint time clocks.
That rule no longer reflects current law. The Illinois legislature responded with SB 2979 (signed August 2, 2024), which limits repeat collections of the same biometric identifier from the same person by the same method to a single recovery — effectively eliminating per-scan stacking. See the 2024 Amendment section below for the details and the Seventh Circuit's 2026 retroactivity ruling.
2024 Amendment (SB 2979)
On August 2, 2024, Governor J.B. Pritzker signed SB 2979 — the first substantive amendment to BIPA since its 2008 enactment. It took effect immediately and made two significant changes.
Single Violation, Single Recovery
SB 2979 amended BIPA's damages provision (740 ILCS 14/20) to provide that when a private entity, in more than one instance, collects the same biometric identifier or information from the same person using the same method of collection (Section 15(b)), or discloses it to the same recipient in the same manner (Section 15(d)), the person is entitled to at most one recovery for that course of conduct.
This legislatively overturned the per-scan accrual rule from Cothron v. White Castle (2023). The headline statutory damages amounts are unchanged ($1,000 negligent / $5,000 intentional or reckless), but they can no longer be multiplied by the number of scans for the same person and method.
Electronic Signature as Written Release
SB 2979 also amended the definitions (740 ILCS 14/10) to confirm that a "written release" may be executed by electronic signature, defined as "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." See Consent Requirements.
Retroactivity: Clay v. Union Pacific Railroad (2026)
A key open question after SB 2979 was whether the single-recovery limit applied to conduct (and cases) that predated the amendment. The U.S. Court of Appeals for the Seventh Circuit answered it in Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. April 1, 2026).
The court held that the SB 2979 single-recovery amendment is remedial/procedural rather than substantive — it modified Section 20 (damages) rather than Section 15 (the conduct prohibited) and addressed "recovery" rather than liability — and therefore applies retroactively to cases pending when it was enacted. The practical effect: per-scan damages are unavailable even for pre-amendment conduct in federal cases within the Seventh Circuit's jurisdiction (which includes Illinois).
Compliance Steps
-
Inventory biometric data collection points. Identify every system, device, and application that collects biometric identifiers — fingerprint scanners, facial recognition cameras, voice authentication, access control systems, AI tools analyzing facial geometry.
-
Draft and publish a retention and destruction policy. Create a publicly available written policy with a specific retention schedule and destruction guidelines. Post it on your website or make it available upon request.
-
Implement notice and consent workflows. Before any biometric collection, provide written notice of the specific purpose and retention period, and obtain a written release from each individual. Since SB 2979 (2024), the release may be captured by electronic signature.
-
Audit vendor contracts. Ensure all third-party vendors handling biometric data have contractual obligations to comply with BIPA requirements, including deletion and security obligations.
-
Set retention limits. Configure systems to automatically delete biometric data when the initial purpose is satisfied or within 3 years of the individual's last interaction.
-
Implement security safeguards. Store biometric data using a standard of care reasonable within the industry and at least as protective as the measures used for other confidential and sensitive information.
-
Train employees. Educate HR, IT, security, and operations staff on BIPA requirements, particularly the consent workflow and prohibition on sharing biometric data.
-
Document everything. Maintain records of consent, retention periods, deletion actions, and vendor compliance for defense in potential litigation.
Frequently Asked Questions
What is a biometric identifier under BIPA? Retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and any biologically unique identifier used to identify an individual. Photographs alone are excluded unless used to extract facial geometry.
Does BIPA apply to AI facial recognition systems? Yes. Any system capturing or analyzing facial geometry — including AI-powered facial recognition, emotion detection, or liveness checks — must comply with BIPA when processing data of Illinois residents.
Can individuals sue under BIPA? Yes. BIPA provides a private right of action with statutory damages of $1,000 per negligent violation or $5,000 per intentional violation, plus attorneys' fees. Since SB 2979 (signed August 2, 2024), repeated collections of the same biometric identifier from the same person by the same method count as a single violation entitling the person to at most one recovery, replacing the former per-scan damages theory from Cothron v. White Castle.
Did the 2024 amendment end per-scan damages? Yes. SB 2979 (effective August 2, 2024) overturned Cothron's per-scan accrual rule and limited repeat collections to a single recovery. In Clay v. Union Pacific Railroad Co. (April 1, 2026), the Seventh Circuit held the amendment applies retroactively to pending cases within the circuit.
Do I need consent before collecting biometric data? Yes. Written notice and a written release are required before any collection of biometric identifiers. Since SB 2979 (2024), the release may be signed electronically.
What are the retention requirements? You must publish a written retention and destruction policy. Data must be destroyed when the initial purpose is satisfied or within 3 years of the individual's last interaction, whichever comes first.
Does BIPA apply to out-of-state companies? Yes. If an out-of-state company collects biometric identifiers of Illinois residents, BIPA applies regardless of where the company is headquartered.
Official Sources
Get weekly regulation updates, enforcement news, and compliance deadlines — free.