Skip to main content

Illinois Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act regulates private collection and handling of biometric identifiers such as fingerprints and facial geometry, requiring written consent, retention schedules, and secure storage. Its private right of action has driven major litigation and settlements.

Jurisdiction
Illinois

Illinois Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the oldest and most consequential biometric privacy law in the United States. It regulates how private entities collect, store, use, and destroy biometric identifiers and biometric information. Biometric identifiers include retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. BIPA's significance comes largely from its private right of action, which has produced extensive litigation and large settlements.

Who It Applies To

BIPA applies to private entities, including companies and individuals, that collect or possess biometric identifiers or biometric information of Illinois residents. It does not apply to government agencies or contractors acting for them, and it excludes data covered by HIPAA when collected for treatment, payment, or operations. There is no revenue or volume threshold, so any private entity handling biometrics is in scope.

Key Requirements

Before collecting biometric data, an entity must inform the subject in writing of the collection and the specific purpose and length of term, and obtain a written release. Entities must develop a publicly available written retention schedule and guidelines for permanently destroying biometric data when the initial purpose is satisfied or within three years of the individual's last interaction, whichever is first. Entities may not sell, lease, trade, or otherwise profit from biometric data, and may not disclose it without consent. Biometric data must be stored using the reasonable standard of care for the industry and at least as protectively as other confidential information.

Penalties for Non-Compliance

BIPA provides a private right of action. Prevailing parties may recover liquidated damages of 1,000 dollars for each negligent violation and 5,000 dollars for each intentional or reckless violation, or actual damages if greater, plus attorneys' fees. A 2024 amendment clarified that repeated collections of the same biometric from the same person constitute a single violation, limiting the per-scan damages theory that had driven very large awards.

How to Comply

Identify every system that captures biometrics, including time clocks, facial recognition, and voice systems. Obtain written, informed consent before collection. Publish a written retention and destruction policy and enforce it on schedule. Never sell or profit from biometric data, secure it with strong safeguards, and bind vendors contractually.

Relationship to Other Laws

BIPA stands apart from comprehensive privacy laws because it is narrow in subject matter but unusually potent in enforcement, thanks to its private right of action and statutory damages. It has shaped biometric practices nationwide, influencing how companies deploy fingerprint time clocks, facial recognition, and voiceprints far beyond Illinois. Texas and Washington have biometric laws, but only Illinois allows private suits, which is why BIPA dominates biometric litigation. Any organization deploying biometric technology should treat written consent, published retention schedules, and timely destruction as mandatory baseline controls.

Operational Mechanics

Implementing BIPA in practice centers on three durable controls. First, a written consent (release) must be obtained before any biometric capture, and the consent record should identify the specific biometric collected, the purpose, and the retention term; consent forms are typically retained for the life of the data plus a margin. Second, a publicly available written retention-and-destruction policy must state that biometric data is destroyed when the initial purpose is met or within three years of the individual's last interaction, whichever comes first, and automated deletion jobs should enforce that schedule. Third, biometric data must be stored with strong safeguards, encrypted at rest and in transit, with strict access controls and vendor contracts that prohibit secondary use or sale. Because liability can arise from simple procedural failures regardless of any breach, organizations should audit every system that could capture biometrics, including HR time clocks, building access, customer verification, and voice systems, and confirm the consent and retention controls are in place before go-live.