BIPA Explained: Illinois Biometric Privacy Act (740 ILCS 14)
The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, is the strictest biometric privacy law in the United States. Enacted in 2008, it requires written consent before a private company collects your fingerprint, face scan, or voiceprint, and it is the only such law that lets individuals sue on their own.
Jurisdiction scope: This guide covers the Illinois Biometric Information Privacy Act (740 ILCS 14) as of 2026, including the 2024 amendment. It is general legal information, not legal advice. For Illinois biometric rules in the broader state-privacy context, see our Illinois data privacy guide.
What Is BIPA?
The Biometric Information Privacy Act is an Illinois statute, 740 ILCS 14, that the General Assembly passed in 2008. Its purpose is straightforward: a biometric identifier is biologically unique and, unlike a password or a credit card number, cannot be changed if it is leaked. The law therefore regulates how private companies handle that data and gives Illinois residents enforceable rights over it.
BIPA covers four kinds of biometric identifiers: a retina or iris scan, a fingerprint, a voiceprint, and a scan of hand or face geometry. It also covers biometric information, meaning any data based on one of those identifiers that is used to identify a person. The statute deliberately excludes some things, including photographs, written signatures, physical descriptions such as height or eye color, and health-care data already governed by HIPAA.
What BIPA Requires
BIPA's core duties live in Section 15. A private company that handles biometric data must do all of the following.
- Get informed written consent first (Section 15(b)). Before collecting a biometric identifier, the company must tell the person in writing that the data is being collected and stored, explain the specific purpose and how long it will be kept, and obtain a written release. After the 2024 amendment, an electronic signature counts as that written release.
- Publish and follow a retention and destruction schedule (Section 15(a)). The policy must be publicly available, and the data must be destroyed when the purpose is satisfied or within three years of the person's last interaction, whichever comes first.
- Never sell or profit from the data (Section 15(c)).
- Limit disclosure (Section 15(d)). Biometric data cannot be shared without consent, unless a narrow exception applies, such as completing a transaction the person requested or responding to a valid warrant or subpoena.
- Store it securely (Section 15(e)), using at least the reasonable standard of care for the industry.
Who BIPA Covers (and Who It Does Not)
BIPA applies to a "private entity," which includes companies, partnerships, and associations. It expressly excludes state and local government agencies and any court, clerk, or judge in Illinois, so public bodies are not subject to its private right of action. The biometric-timeclock vendor that builds the system is itself a private entity and can be sued directly, which is why technology providers, not just employers, are frequent BIPA defendants.
Penalties and the Right to Sue
Section 20 is what makes BIPA so consequential. Any person aggrieved by a violation can sue in state court, or as a supplemental claim in federal court, and recover the greater of liquidated or actual damages: $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, plus reasonable attorney fees and costs and injunctive relief. The Illinois Supreme Court has clarified that these statutory damages are discretionary rather than automatic, giving trial courts room to avoid ruinous awards.
The Cases That Shaped BIPA
Three Illinois Supreme Court decisions define how BIPA works today.
- Rosenbach v. Six Flags Entertainment Corp. (2019 IL 123186). The court held that a person does not need to allege any injury beyond the statutory violation to be aggrieved. The violation of the right is itself the harm. This opened the door to the wave of BIPA class actions.
- Tims v. Black Horse Carriers, Inc. (2023 IL 127801). The court held that a single five-year limitations period applies to all BIPA claims, settling earlier uncertainty about the filing deadline.
- Cothron v. White Castle System, Inc. (2023 IL 128004). The court held that a separate claim accrues every time a company scans or transmits biometric data without consent, not just the first time. Because a fingerprint timeclock can scan an employee thousands of times, this created enormous potential damages and prompted the legislature to act.
A related ruling, Mosby v. Ingalls Memorial Hospital (2023 IL 129081), held that BIPA's health-care exemption is not limited to a hospital's own patients.
The 2024 Amendment
In response to Cothron, the Illinois legislature amended BIPA through Senate Bill 2979, enacted as Public Act 103-0769 and effective August 2, 2024. The amendment made two important changes:
- A single recovery for repeated collection. When a company collects or discloses the same biometric identifier from the same person using the same method more than once in violation of Section 15(b) or 15(d), it now counts as a single violation, and the person is entitled to at most one recovery. This directly overrides Cothron's per-scan multiplication of damages.
- Electronic signatures count. The amendment confirms that an electronic signature satisfies BIPA's written-release requirement.
One question remains unsettled: whether this damages limit applies to claims that arose before August 2024. The federal Seventh Circuit has applied the amendment retroactively, but Illinois state courts have not uniformly resolved the issue, so treat retroactivity as evolving.
BIPA in the Workplace
The largest share of BIPA litigation comes from the employment context, where companies use fingerprint or hand-geometry timeclocks without completing the notice-and-consent steps. Rosenbach involved a theme-park fingerprint, and Cothron, Tims, and the BNSF case all involved worker biometric scans. For an employer, compliance means giving each employee written notice and obtaining a signed or electronically signed release before the first scan, publishing a retention and destruction policy, never selling the data, controlling disclosures to the timeclock vendor, and securing the data.
Major BIPA Settlements
| Company | Amount | Year | Status |
|---|---|---|---|
| Facebook / Meta (face tagging) | $650 million | 2021 | Final |
| Google (Google Photos face grouping) | $100 million | 2022 | Final |
| TikTok | $92 million | 2021 | Final |
| Clearview AI (face-scraping) | About $51.75 million, paid as an equity stake | 2025 | Final |
| BNSF Railway (fingerprint timeclocks) | $75 million settlement (an earlier $228 million jury verdict was vacated) | 2024 | Settled |
Sources and References
- Illinois Biometric Information Privacy Act, 740 ILCS 14 (ilga.gov)
- 740 ILCS 14/15 - Collection, Retention, Disclosure, Destruction (ilga.gov)
- 740 ILCS 14/20 - Right of Action and Damages (ilga.gov)
- Public Act 103-0769 (SB 2979) - 2024 BIPA Amendment (ilga.gov)
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (illinoiscourts.gov)
- Cothron v. White Castle System, Inc., 2023 IL 128004 (courtlistener.com)
- Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (courtlistener.com)