BIPA
Illinois Biometric Information Privacy Act (740 ILCS 14)
BIPA is an Illinois statute that regulates how private entities collect, store, use, and disclose biometric identifiers and information such as fingerprints, retina or iris scans, voiceprints, and face geometry. It is one of the strictest biometric laws in the US because it gives individuals a private right of action with statutory damages, driving extensive class action litigation.
Who it applies to
Private entities that collect or possess biometric identifiers or biometric information of Illinois residents. It does not apply to government agencies and excludes photographs and demographic data from the definition of biometric identifiers.
Identity requirements
- Obtain a written release (informed consent) before collecting or capturing a person's biometric identifier or information
- Provide written notice of the purpose and the length of time the biometric data will be collected, stored, and used
- Maintain a publicly available written retention schedule and destruction guidelines, destroying data when the purpose is satisfied or within three years of last interaction
- Do not sell, lease, trade, or otherwise profit from a person's biometric identifiers or information
- Do not disclose biometric data without consent except in limited statutory circumstances
- Store and protect biometric data using the reasonable standard of care for the industry
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Identity verification (KYC/proofing) | Any biometric identity proofing or matching of Illinois residents requires prior written consent, notice, and a retention schedule. |
| Authentication & MFA | Biometric authentication such as fingerprint or face login triggers BIPA consent and retention duties, a frequent source of class action exposure. |
| Customer identity & consent (CIAM) | Consumer-facing biometric features require explicit written release and clear notice, directly shaping CIAM consent design. |
| Audit, logging & accountability | Entities must keep a documented, publicly available retention and destruction policy and demonstrate compliance if sued. |
Penalties
Prevailing plaintiffs may recover liquidated damages of 1,000 dollars per negligent violation or 5,000 dollars per intentional or reckless violation (or actual damages if greater), plus attorneys' fees; a 2024 amendment limits repeated identical collections by the same method to a single recoverable violation.
BIPA: frequently asked questions
- Can individuals sue directly under BIPA?
  - Yes. BIPA provides a private right of action, and the Illinois Supreme Court has held that a person need not show actual injury beyond the statutory violation to recover damages.
- What changed in the 2024 BIPA amendment?
  - An August 2024 amendment provides that repeated collection or disclosure of the same biometric identifier by the same entity using the same method counts as a single violation for calculating statutory damages.
- Does BIPA cover face recognition and fingerprint login?
  - Yes. Scans of face geometry, fingerprints, retina or iris scans, and voiceprints are covered, so face or fingerprint authentication of Illinois residents must meet BIPA's consent, notice, and retention rules.