AI Compliance & Regulation | Guide | Practitioner

Illinois BIPA: The Strictest Biometric Privacy Law in America and What It Means for AI

February 12, 2026 | 13 min read | Pertama Partners
For: Legal Counsel, Compliance Lead, CTO/CIO, CISO

Illinois BIPA is the most protective biometric privacy law in the US, with a private right of action and penalties up to $5,000 per violation. If your AI system processes facial recognition, voiceprints, or other biometric data, you need to comply.


Key Takeaways

  1. Private right of action: individuals can sue directly without proving actual harm
  2. Liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (or actual damages, whichever is greater)
  3. Cothron v. White Castle (2023) held that each scan without consent is a separate violation; a 2024 amendment (SB 2979) limits recovery to one violation per person for the same identifier collected by the same method
  4. Written consent required BEFORE collecting any biometric data; implied consent is not sufficient
  5. Cannot sell, lease, trade, or profit from biometric data under any circumstances
  6. Has produced some of the largest privacy settlements and verdicts in US history: Meta ($650M settlement), BNSF Railway ($228M jury verdict), Google ($100M settlement)

What Is Illinois BIPA?

The Illinois Biometric Information Privacy Act (BIPA) is the strongest biometric data privacy law in the United States. Enacted on October 3, 2008 — years before AI became mainstream — BIPA has become increasingly relevant as AI systems increasingly rely on biometric data for facial recognition, voice analysis, emotion detection, and identity verification.

What makes BIPA uniquely powerful is its private right of action: any individual whose biometric data is mishandled can sue directly, without needing to prove actual harm. This has led to billions of dollars in settlements and made BIPA compliance a top priority for any company handling biometric data.

Why BIPA Matters for AI Companies

AI has dramatically expanded the use of biometric data:

  • Facial recognition for security, access control, customer identification, and age verification
  • Voice recognition for authentication, customer service, and meeting transcription
  • Fingerprint and iris scanning for employee time-tracking and building access
  • Emotion detection AI that analyzes facial expressions or voice patterns
  • Gait recognition and other behavioral biometrics

If your AI system collects, captures, processes, stores, or shares any of these data types from Illinois residents, BIPA applies.

What Biometric Data Is Covered

BIPA covers biometric identifiers including:

  • Retina or iris scans
  • Fingerprints
  • Voiceprints
  • Hand geometry scans
  • Face geometry (the specific measurements AI uses for facial recognition)

BIPA also covers biometric information — any information based on a biometric identifier used to identify an individual, regardless of how it is captured or converted.

What Is NOT Covered

  • Writing samples
  • Written signatures
  • Photographs (though facial geometry extracted from photos IS covered)
  • Demographic data
  • Physical descriptions
  • Tattoo descriptions
  • Information captured from a patient in a health care setting, or collected, used, or stored for health care treatment, payment, or operations under HIPAA

Core Requirements

1. Written Policy

Every private entity that possesses biometric data must develop a written policy, made available to the public, establishing:

  • A retention schedule and guidelines for permanently destroying biometric data when the initial purpose has been fulfilled or within 3 years of the individual's last interaction — whichever comes first
  • Guidelines for storing, transmitting, and protecting biometric data

2. Informed Written Consent

Before collecting biometric data, the entity must:

  • Inform the subject in writing that biometric data is being collected and stored
  • Inform the subject in writing of the specific purpose and length of time for which the data will be stored and used
  • Receive a written release from the subject authorizing the collection and storage

This is a strict requirement. Implied consent, verbal consent, or buried terms-of-service disclosures are not sufficient.

3. No Sale or Profit

Private entities may not sell, lease, trade, or otherwise profit from a person's biometric data. This is an absolute prohibition with no exceptions.

4. No Disclosure Without Consent

Biometric data may not be disclosed to third parties unless:

  • The subject consents
  • The disclosure completes a financial transaction requested by the subject
  • A valid warrant or subpoena requires it
  • Disclosure is required by state or federal law

5. Security Standards

Entities must store, transmit, and protect biometric data using a standard of care that is:

  • Reasonable given the sensitivity of the data
  • At least equal to the standard used for other confidential and sensitive information

Penalties and Enforcement

This is where BIPA stands apart from nearly every other US privacy law:

Private Right of Action

Any person aggrieved by a BIPA violation may sue. They do not need to prove actual harm — the violation itself is sufficient.

Violation type                      Penalty per violation
Negligent violation                 $1,000 liquidated damages, or actual damages if greater
Intentional or reckless violation   $5,000 liquidated damages, or actual damages if greater

A prevailing plaintiff may also recover reasonable attorneys' fees and costs, and the court may grant injunctive relief.

Claim Accrual: Cothron and the 2024 Amendment

In a landmark February 2023 ruling (Cothron v. White Castle), the Illinois Supreme Court held that a separate claim accrues each time biometric data is scanned or transmitted without consent, not just the first time. Under that reading, an employee who clocked in by fingerprint every day for 3 years without proper consent generated a separate violation for each scan, and a company with 500 employees faced millions of violations and billions in potential liability.

The Illinois legislature responded with SB 2979 (Public Act 103-0769, effective August 2, 2024). Under the amendment, a private entity that collects the same biometric identifier from the same person by the same method of collection commits a single violation of Section 15(b), the same rule applies to repeated disclosures under Section 15(d), and each aggrieved person is entitled to at most one recovery per section. The amendment also adds electronic signatures to the statutory definition of a written release. In practice:

  • Exposure now scales with the number of people affected rather than the number of scans: 500 employees enrolled without a release are 500 claims at $1,000 or $5,000 each, plus class-action litigation costs
  • Whether the amendment reaches claims that accrued before its effective date has been contested in court; treat pre-amendment exposure as unresolved and ask counsel

Major Settlements and Verdicts

BIPA has already produced massive settlements and verdicts:

  • Facebook (Meta), $650 million settlement (2021): facial recognition in photo tagging
  • Google, $100 million settlement (2022): Google Photos face grouping
  • TikTok, $92 million settlement (2022): consolidated privacy class action that included BIPA claims
  • BNSF Railway, $228 million jury verdict (2022): fingerprint scanning of truck drivers at rail yards, the first BIPA class action tried to a jury

How This Applies to AI Systems

Facial Recognition AI

If your AI system captures, analyzes, or stores facial geometry — whether for security cameras, identity verification, age estimation, or customer analytics — you must:

  1. Get written consent from every person whose face is scanned
  2. Explain why you're collecting the data and how long you'll keep it
  3. Publish your biometric data policy
  4. Never sell or share the data without explicit consent

Voice AI and Speech Recognition

If your AI system analyzes voiceprints, whether for voice authentication, customer service analytics, meeting transcription with speaker identification, or emotion detection, the same requirements apply. A plain speech-to-text transcript is not a voiceprint; the covered data is the speaker-identifying feature set derived from the audio. Capturing that feature set from a person without a release on file is a violation as to each such person.

Employee Biometric Systems

AI-powered time clocks, building access systems, and attendance trackers using fingerprints, facial recognition, or hand geometry must all comply. Many BIPA lawsuits have involved employee-facing biometric systems.

Computer Vision and Retail AI

Retail AI systems that use cameras to analyze customer behavior, detect shoplifting, or identify repeat customers via facial recognition must comply if any customers are Illinois residents.

How to Comply

Step 1: Biometric Data Audit

Identify every point in your organization where biometric data is collected, processed, or stored. Include:

  • Employee-facing systems (time clocks, building access, devices)
  • Customer-facing systems (identity verification, facial recognition, voice authentication)
  • Internal AI tools (meeting transcription with speaker ID, emotion analysis)
  • Third-party tools and vendors that process biometric data on your behalf

Step 2: Written Biometric Data Policy

Create and publish a policy that covers:

  • What biometric data you collect and why
  • How long you retain it (must destroy within 3 years of last interaction or when purpose is fulfilled)
  • How it is stored and protected
  • Who has access
  • How individuals can request deletion

Step 3: Written Consent Process

Implement a clear, standalone written consent process:

  • Separate from general terms of service
  • Clearly states what data is collected
  • Clearly states why and for how long
  • Requires affirmative written consent (digital signatures count)
  • Provides an opt-out option where feasible

Step 4: Vendor Compliance

If you use third-party AI tools that process biometric data:

  • Ensure your vendor agreements include BIPA compliance obligations
  • Verify vendors do not sell or share biometric data
  • Ensure vendors meet reasonable security standards
  • Include indemnification clauses for BIPA violations

Step 5: Security Measures

Implement security protections at least equal to what you use for other confidential data:

  • Encryption at rest and in transit
  • Access controls and logging
  • Regular security audits
  • Incident response plans specific to biometric data breaches
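The retention, consent and logging controls described in the steps above are easier to defend if they are enforced in the enrollment path rather than left to a policy document. What follows is an added example, not code from the original article and not any vendor's API: a small in-memory model of a biometric template store that refuses enrollment unless a signed written release for that exact purpose is already on file (fail closed), computes the destroy-by date as the earlier of "purpose fulfilled" and three years after the last interaction, purges on schedule, and writes an append-only audit trail. All class, field and method names, the subject and e-signature identifiers, and the dates used in demo() are this example's own assumptions; encryption of the stored template is assumed to be handled by the storage layer and is not shown.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

class ConsentError(Exception):
    """Raised when a scan is attempted with no matching written release on file."""

def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 falls back to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass(frozen=True)
class WrittenRelease:
    # Hypothetical record layout for a signed release covering one subject and one purpose.
    subject_id: str
    purpose: str
    retention_notice: str  # retention period disclosed to the subject in writing
    signed_on: date
    signature_ref: str     # reference to the stored e-signature record

@dataclass
class TemplateRecord:
    subject_id: str
    purpose: str
    last_interaction: date
    purpose_fulfilled_on: Optional[date] = None
    template: bytes = b""  # assumed encrypted by the storage layer; encryption is not shown here

class BiometricStore:
    def __init__(self) -> None:
        self.releases = {}   # (subject_id, purpose) -> WrittenRelease
        self.templates = {}  # subject_id -> TemplateRecord
        self.audit = []      # (event, subject_id, detail), append-only

    def record_release(self, release: WrittenRelease) -> None:
        self.releases[(release.subject_id, release.purpose)] = release
        self.audit.append(("RELEASE_RECORDED", release.subject_id, release.purpose))

    def enroll(self, subject_id: str, purpose: str, template: bytes, today: date) -> TemplateRecord:
        """Fail closed: store nothing unless a release for this exact purpose was signed before the scan."""
        release = self.releases.get((subject_id, purpose))
        if release is None or release.signed_on > today:
            self.audit.append(("ENROLL_REFUSED", subject_id, purpose))
            raise ConsentError(f"no written release on file for {subject_id!r} / {purpose!r}")
        rec = TemplateRecord(subject_id, purpose, last_interaction=today, template=template)
        self.templates[subject_id] = rec
        self.audit.append(("ENROLLED", subject_id, purpose))
        return rec

    def touch(self, subject_id: str, today: date) -> None:
        """Record an interaction (e.g. a successful match) so the 3-year clock restarts."""
        self.templates[subject_id].last_interaction = today

    @staticmethod
    def destroy_by(rec: TemplateRecord) -> date:
        """Earlier of purpose fulfilled and last interaction + 3 years, whichever comes first."""
        cap = add_years(rec.last_interaction, 3)
        return min(cap, rec.purpose_fulfilled_on) if rec.purpose_fulfilled_on else cap

    def purge_due(self, today: date) -> list:
        """Destroy every template whose destroy-by date has arrived; returns the purged subject ids."""
        due = [sid for sid, rec in self.templates.items() if self.destroy_by(rec) <= today]
        for sid in due:
            rec = self.templates.pop(sid)
            self.audit.append(("DESTROYED", sid, self.destroy_by(rec).isoformat()))
            rec.template = b""  # drop the template bytes before the record goes out of scope
        return due

def refused(attempt) -> bool:
    """True if the enrollment attempt was rejected for lack of consent."""
    try:
        attempt()
    except ConsentError:
        return True
    return False

def demo() -> dict:
    """Constructed walk-through: refused scan, consented enrollment, purpose-driven destruction."""
    store = BiometricStore()
    r = {}
    # No release yet: the scan must be refused before any template is derived or stored.
    r["refused_without_release"] = refused(
        lambda: store.enroll("emp-1042", "timeclock", b"<template>", date(2024, 1, 10)))
    store.record_release(WrittenRelease(
        "emp-1042", "timeclock",
        "destroyed at separation or 3 years after last clock-in, whichever is first",
        date(2024, 1, 9), "esig-7f3a"))
    store.enroll("emp-1042", "timeclock", b"<template>", date(2024, 1, 10))
    # A release for one purpose does not cover a different purpose.
    r["refused_other_purpose"] = refused(
        lambda: store.enroll("emp-1042", "marketing-analytics", b"<template>", date(2024, 1, 10)))
    store.touch("emp-1042", date(2025, 6, 1))
    r["destroy_by_cap"] = store.destroy_by(store.templates["emp-1042"]).isoformat()
    store.templates["emp-1042"].purpose_fulfilled_on = date(2026, 3, 1)  # employee separated
    r["destroy_by_purpose"] = store.destroy_by(store.templates["emp-1042"]).isoformat()
    r["purged_too_early"] = store.purge_due(date(2026, 2, 28))
    r["purged"] = store.purge_due(date(2026, 3, 1))
    r["remaining"] = len(store.templates)
    r["events"] = [event for event, _, _ in store.audit]
    return r
```

Two design points carry over to a real system: the refusal happens before any template is derived, so a missing release never produces a stored identifier that later has to be found and destroyed; and the audit records both refusals and destructions, which is the evidence you will need to show the retention schedule in your published policy was actually followed.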

Other Laws That Overlap with BIPA

While BIPA is the strongest biometric law, other state and international rules also reach biometric AI:

  • Texas CUBI: Requires consent but no private right of action (AG enforcement only)
  • Washington State: Biometric identifiers included in privacy law; no private right of action
  • New York SHIELD Act: Includes biometric data in security breach notification requirements
  • California CCPA/CPRA: Classifies biometric data as sensitive personal information
  • NYC Local Law 144: If your AI hiring tool uses video analysis (biometric data), both laws may apply
  • EU AI Act: Classifies biometric identification systems as high-risk or prohibited
  • Colorado AI Act: Overlaps if biometric AI is used for consequential decisions
  • GDPR Article 9: Special category data protections for biometric data in the EU

Frequently Asked Questions

Does BIPA apply to companies located outside Illinois?

Yes. BIPA applies to any private entity that collects, captures, or processes biometric data from Illinois residents, regardless of where the company is located. If your AI system handles biometric data from people in Illinois, you must comply.

Can individuals sue under BIPA?

Yes. BIPA is one of the only US privacy laws with a private right of action. Any individual whose biometric data is mishandled can file a lawsuit. They do not need to prove actual harm; the violation itself is sufficient. This has led to hundreds of class-action lawsuits and settlements totaling billions of dollars.

Are photographs biometric data under BIPA?

A photograph by itself is explicitly excluded from BIPA's definition of biometric data. However, if facial geometry is extracted from a photograph, such as through facial recognition AI, that extracted geometry IS biometric data covered by BIPA.

How long can biometric data be retained?

Biometric data must be permanently destroyed when the initial purpose for collection has been fulfilled, or within 3 years of the individual's last interaction with the entity, whichever comes first. Your written policy must specify your retention schedule.

Does electronic consent satisfy the written consent requirement?

Yes, digital consent mechanisms satisfy the written consent requirement, including electronic signatures and click-through consent forms; the 2024 amendment expressly added electronic signatures to the definition of a written release. However, the consent must be specific to biometric data collection (not buried in general terms of service), clearly explain what data is collected and why, and be affirmatively granted by the individual.

Do employee time clocks and access systems fall under BIPA?

Yes. Employee fingerprint and facial recognition time-tracking systems are one of the most common BIPA violation scenarios. Employers must provide written notice, obtain written consent, and publish a biometric data policy before requiring employees to use these systems.

References

  1. Biometric Information Privacy Act, 740 ILCS 14. Illinois General Assembly (2008).
  2. Cothron v. White Castle System, Inc. Illinois Supreme Court (2023).
  3. BIPA Litigation and Compliance Tracker. ACLU of Illinois (2024).