BIPA Compliance for Employers (2026): Step-by-Step
Most BIPA lawsuits target employers that use fingerprint or face-scan timeclocks without consent. Compliance comes down to seven duties under Section 15: written notice, a written release, a retention policy, timely destruction, no sale, controlled disclosure, and reasonable security.
Jurisdiction scope: This is a general compliance overview of the Illinois Biometric Information Privacy Act (740 ILCS 14) for employers. It is general legal information, not legal advice; consult an attorney licensed in Illinois.
The Seven Steps
- Give written notice first. Before collecting a fingerprint, face scan, or voiceprint, tell the employee in writing that biometric data is being collected and stored, and state the specific purpose and how long it will be kept.
- Get a written release. Obtain the employee's signed consent before the first scan. After the 2024 amendment, an electronic signature satisfies this requirement.
- Publish a retention and destruction policy. Make a written schedule publicly available.
- Destroy data on time. Delete biometric data when its purpose is met or within three years of the employee's last interaction, whichever is first, and keep records that you did.
- Never sell or profit from it. Selling, leasing, or trading biometric data is prohibited outright.
- Control disclosures. Do not share biometric data, including with your timeclock or payroll vendor, unless the employee consented or the law requires it.
- Secure it. Store and transmit biometric data using the reasonable standard of care for your industry, and protect it at least as well as your other confidential and sensitive information.
A Quick Self-Check
Answer the seven questions below to see which of the seven BIPA requirements your current practices may not yet meet. This is an educational self-assessment, not a legal audit, a compliance opinion, or legal advice.
1. Before collecting any biometric data (fingerprints, face or hand geometry, voiceprints), do you give the person a written notice stating that it is being collected and the specific purpose and retention period?
2. Do you obtain a signed (or electronically signed) written release consenting to the collection before the first scan?
3. Do you maintain a publicly available written retention and destruction policy for biometric data?
4. Do you destroy biometric data when its purpose is satisfied, or within 3 years of the person’s last interaction, whichever is first?
5. Do you avoid selling, leasing, trading, or otherwise profiting from biometric data?
6. Do you limit sharing biometric data with third parties (including your timeclock or software vendor) to disclosures the person consented to or that the law requires?
7. Do you store and transmit biometric data using at least the reasonable standard of care for your industry?
Why Vendors Matter
The company that builds the biometric timeclock or access system is itself a private entity under BIPA and can be sued directly. Many BIPA suits name both the employer and the technology vendor. When you evaluate a biometric system, confirm in writing how the vendor handles consent, retention, and security, because their failures can become your liability.
Sources and References
- Illinois Biometric Information Privacy Act, 740 ILCS 14 (ilga.gov)
- 740 ILCS 14/20, Right of Action and Damages (ilga.gov)
- Public Act 103-0769 (SB 2979), 2024 BIPA Amendment (ilga.gov)
- Cothron v. White Castle System, Inc., 2023 IL 128004 (courtlistener.com)
- Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (courtlistener.com)