Illinois Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Illinois stands alone among all 50 states. Its Biometric Information Privacy Act, known as BIPA, is the only biometric privacy law in the country that lets individuals sue companies directly for collecting their fingerprints, face scans, or other biometric data without proper consent.
Since its passage in 2008, BIPA has generated billions of dollars in settlements, reshaped how employers use fingerprint timekeeping systems, and forced major technology companies to change how they handle facial recognition data. If you live or work in Illinois, understanding BIPA is essential whether you are an employee, a consumer, or a business owner.
This article covers the full scope of BIPA as it stands in 2026, including the 2024 amendment that changed how damages are calculated.
What Is the Illinois Biometric Information Privacy Act?
BIPA is codified at 740 ILCS 14/1 et seq. and took effect on October 3, 2008. The Illinois General Assembly passed the law after Pay By Touch, a biometric payment company, went bankrupt in 2007. That bankruptcy raised urgent questions about what would happen to the millions of fingerprint records the company held.
Unlike a Social Security number or a password, a fingerprint cannot be changed if it is compromised. The legislature recognized that biometric data demands stronger protections precisely because of its permanence.
BIPA applies to all private entities operating in Illinois. Government agencies and courts are excluded from the law.
What Biometric Data Does BIPA Protect?
Under Section 10 of BIPA, a "biometric identifier" includes:
- Fingerprints
- Retina or iris scans
- Voiceprints
- Scans of hand geometry
- Scans of face geometry
"Biometric information" is defined more broadly as any information based on a biometric identifier that is used to identify an individual. This distinction matters because it extends BIPA's protections beyond the raw scan itself to any data derived from that scan.
BIPA specifically excludes writing samples, written signatures, photographs, demographic data, tattoo descriptions, physical descriptions, and medical imaging such as X-rays, MRIs, and CT scans.
BIPA Consent and Notice Requirements
Section 15 of BIPA establishes strict requirements that private entities must follow before collecting any biometric data.

Written Notice Before Collection
Before collecting a biometric identifier or biometric information, a private entity must inform the individual in writing that biometric data is being collected or stored. The notice must also explain the specific purpose for collecting the data and the length of time it will be retained.
Written Consent Required
After providing notice, the entity must receive a written release from the individual or their legally authorized representative. The 2024 amendment (Public Act 103-769) clarified that "written release" includes an electronic signature, defined as "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."
This change made compliance easier for employers and businesses that use digital onboarding systems.
No Sale or Profit from Biometric Data
Section 15(c) flatly prohibits any private entity from selling, leasing, trading, or otherwise profiting from a person's biometric identifier or biometric information. There are no exceptions to this rule.
Restrictions on Disclosure
Section 15(d) prohibits disclosing or sharing biometric data with third parties unless one of four narrow exceptions applies:
- The individual has consented to the disclosure
- The disclosure completes a financial transaction that the individual requested or authorized
- A state or federal law requires or mandates the disclosure
- A valid warrant or subpoena issued by a court of competent jurisdiction compels the disclosure
Data Retention and Destruction
Section 15(a) requires every private entity that possesses biometric data to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.
Destruction must occur when the initial purpose for collecting the data has been satisfied or within three years of the individual's last interaction with the private entity, whichever comes first.
Security Standards
Section 15(e) requires entities to store, transmit, and protect biometric data using a reasonable standard of care within the entity's industry. The protections must be at least as strict as those the entity uses for other confidential and sensitive information it maintains, such as Social Security numbers and financial account data.
BIPA's Private Right of Action and Damages
What sets BIPA apart from every other state biometric privacy law is Section 20, which creates a private right of action. Individuals do not need to wait for the attorney general or any government agency to act. They can file suit directly.
Damages Structure
Any person aggrieved by a BIPA violation may recover:
- Negligent violations: Liquidated damages of $1,000 or actual damages, whichever is greater
- Intentional or reckless violations: Liquidated damages of $5,000 or actual damages, whichever is greater
- Attorney fees and costs: Including expert witness fees and other litigation expenses
- Injunctive relief: Courts may issue orders to stop ongoing violations
No Actual Harm Required (Rosenbach v. Six Flags)
In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court held that a person does not need to show actual injury or adverse effect beyond the statutory violation itself to qualify as "aggrieved" under BIPA. The court stated that "a person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of" and that "no additional consequences need be pleaded or proved."
This ruling opened the floodgates for BIPA litigation by confirming that the mere act of collecting biometric data without consent is enough to sue.
Five-Year Statute of Limitations
BIPA does not include its own statute of limitations. In February 2023, the Illinois Supreme Court ruled in Tims v. Black Horse Carriers, Inc. that the five-year catchall limitations period under the Illinois Code of Civil Procedure applies to all BIPA claims. The court reasoned that the "full ramifications of the harms associated with biometric technology is unknown" and that a longer limitations period gives individuals more time to discover violations.
The 2024 Amendment: How Damages Changed
The Cothron v. White Castle Problem
In Cothron v. White Castle System, Inc., 2023 IL 128004 (February 17, 2023), the Illinois Supreme Court ruled 4-3 that a separate BIPA claim accrues every time a private entity scans or transmits biometric data without consent. Under this per-scan interpretation, an employer that required daily fingerprint scans for timekeeping could face thousands of individual violations per employee.
White Castle alone faced potential liability of up to $17 billion because its employees had scanned their fingerprints multiple times per shift over a period of years.
Public Act 103-769 (Effective August 2, 2024)
The Illinois General Assembly responded to the Cothron ruling by passing SB 2979, signed into law as Public Act 103-0769. The amendment made three key changes:
Single-violation rule: When a private entity collects the same biometric identifier from the same person more than once using the same method, or discloses the same biometric information to the same recipient multiple times, the repeated acts constitute a single violation. The aggrieved person is entitled to at most one recovery.
Electronic signatures accepted: The amendment added a definition of "electronic signature" and confirmed that a "written release" under Section 15(b) may be obtained through an electronic signature. This eliminated ambiguity about whether digital consent forms satisfied BIPA's written consent requirement.
Retroactive application: The single-violation rule applies to all actions filed on or after the effective date, regardless of when the underlying conduct occurred.
Major BIPA Settlements and Verdicts
BIPA has produced the largest biometric privacy settlements in United States history. The following cases illustrate the law's financial impact:

| Company | Settlement Amount | Year | Biometric Data at Issue |
|---|---|---|---|
| Meta (Facebook) | $650 million | 2021 | Facial recognition (Tag Suggestions) |
| BNSF Railway | $75 million (after $228M jury verdict) | 2023 | Fingerprint scans |
| Google | $100 million | 2022 | Face grouping in Google Photos |
| TikTok/ByteDance | $92 million | 2022 | Facial and voice data |
| Clearview AI | $51.75 million (equity) | 2025 | Facial recognition database |
| Snapchat | $35 million | 2022 | Facial filters/lenses |
| Topgolf | $50 million | 2024 | Fingerprint check-in systems |
| Speedway | $12.1 million | 2025 | Employee fingerprint timekeeping |
The Clearview AI settlement was notable as the first BIPA case resolved through an equity stake rather than cash. A federal court approved a deal granting the plaintiff class a 23% ownership stake in Clearview AI, valued at approximately $51.75 million based on a $225 million company valuation.
Employer Obligations Under BIPA
BIPA litigation has disproportionately targeted employers, particularly those using fingerprint-based timekeeping systems. Employers in Illinois must take the following steps to comply with BIPA:

Before Collecting Any Biometric Data
- Create a written biometric data policy that establishes your retention schedule and destruction guidelines. Make this policy publicly available.
- Provide written notice to each employee explaining what biometric data you will collect, why you are collecting it, and how long you will retain it.
- Obtain written consent from each employee before the first scan. An electronic signature on a digital form satisfies this requirement after the 2024 amendment.
During Employment
- Never share biometric data with third-party vendors (such as timekeeping software providers) without employee consent or unless a statutory exception applies.
- Protect biometric data with at least the same level of security you use for Social Security numbers and financial account information.
- Do not sell or profit from employee biometric data under any circumstances.
After Employment Ends
- Destroy biometric data when the purpose for collecting it has been satisfied or within three years of the employee's last interaction with your organization, whichever comes first.
Current BIPA Litigation Landscape (2025-2026)
Despite the 2024 amendment reducing potential damages exposure, BIPA litigation remains active. Over 100 new BIPA class actions were filed in 2025, though that number represents a decline from the 427 filings in 2024.
Key trends shaping current BIPA litigation include:
AI and facial recognition targets. Courts have examined whether artificial intelligence systems that create voice clones or provide skincare assessments using facial data violate BIPA. One court held that "receiving advice from AI was not medical treatment" and therefore the healthcare exemption did not apply.
Mass arbitration. BIPA has become a staple of mass arbitration claims, with plaintiffs' firms using individual arbitration demands rather than class actions to pressure settlements.
Expanding industry targets. Recent cases have targeted cosmetics retailers using virtual try-on technology, photo storage platforms licensing images for AI training, and education technology companies collecting student voice and face data.
Class certification success. Both state and federal courts in Illinois have continued granting contested motions to certify BIPA class actions, finding that common questions about an entity's consent and notice practices predominate over individual issues.
Total BIPA class action settlements in 2025 reached approximately $136.6 million, a decline from 2024's $206 million total, reflecting the single-violation amendment's impact on damages calculations.
How BIPA Compares to Other State Biometric Laws
Several states have enacted biometric privacy laws following Illinois's lead, but none match BIPA's enforcement power:

Texas has a biometric privacy statute (Tex. Bus. & Com. Code Chapter 503) but enforcement rests solely with the attorney general. There is no private right of action. The Texas AG secured a $1.4 billion settlement from Meta in 2024.
Washington passed a biometric identifier law (RCW 19.375) but it also lacks a private right of action and has produced minimal litigation.
Colorado, Connecticut, and Virginia include biometric data protections within their comprehensive consumer privacy laws but do not provide private rights of action for biometric violations specifically.
Illinois's private right of action remains the single feature that makes BIPA the most consequential biometric privacy law in the country.
For more on how BIPA fits within Illinois's broader privacy framework, see the parent guide on [Illinois Data Privacy Laws](/us-laws/data-privacy-laws/illinois-data-privacy-laws).
This article provides general legal information about the Illinois Biometric Information Privacy Act and is current as of March 2026. It is not legal advice. Consult a licensed Illinois attorney for guidance on your specific situation.
Sources and References
- Biometric Information Privacy Act full text (ilga.gov)
- 740 ILCS 14/15 consent and disclosure requirements (ilga.gov)
- 740 ILCS 14/20 right of action and damages (ilga.gov)
- Public Act 103-0769 (2024 BIPA amendment) (ilga.gov)
- SB 2979 bill status (103rd General Assembly) (ilga.gov)
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (illinoiscourts.gov)
- Cothron v. White Castle System, Inc., 2023 IL 128004 (law.justia.com)