Illinois Biometric Privacy Law (BIPA): What Companies Operating in Illinois Must Do

In effect Primary law: BIPA · 740 ILCS 14/1 et seq.

If your business collects fingerprints, face scans, retina or iris scans, or voiceprints from anyone in Illinois — employees clocking in by fingerprint, customers verified by face, or users of an AI tool that builds a face template — the Illinois Biometric Information Privacy Act (BIPA) almost certainly applies to you. BIPA is the strongest biometric privacy statute in the United States, it has been in effect since 2008, and it is the only one that lets individuals sue you directly. It has produced some of the largest privacy settlements on record.

What the law requires

Get written consent first. Before you collect or capture a biometric identifier, you must inform the person in writing of (a) that biometrics are being collected/stored and (b) the specific purpose and length of term, and get a written release. For employees this can now include an electronic signature.
Publish a retention and destruction schedule. You must have a publicly available written policy with a retention schedule and guidelines for permanently destroying biometric data — generally within 3 years of the individual's last interaction.
Never sell or profit from biometric data. A private entity may not sell, lease, trade, or otherwise profit from a person's biometric identifiers or information.
Protect and limit disclosure. Store, transmit, and protect biometric data using the reasonable standard of care for your industry, and do not disclose it without consent (with narrow exceptions).

Who must comply

Any private entity — companies, not government agencies — that collects, captures, stores, or uses biometric identifiers or biometric information of an individual in Illinois. There is no revenue or headcount threshold: a small business that uses fingerprint time clocks is covered just as a large platform that runs facial recognition is. Employers are squarely covered, which is why BIPA litigation has clustered around timekeeping, and any AI vendor whose product generates a face or voice template from an Illinois resident can be on the hook.

Penalties & enforcement

BIPA carries a private right of action — individuals (not just the Attorney General) can sue. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees, costs, and injunctive relief. A 2024 amendment (P.A. 103-0769) limits claims to a single accrual per person per collection method, which reduced exposure but did not eliminate it.

How to comply: a practical checklist

Inventory every place you capture biometrics: time clocks, security/badging, customer verification, voice systems, and any AI feature that builds a face/voice template.
Put a written BIPA consent and release in front of each person BEFORE the first capture — for employees, fold it into onboarding; for customers/users, into account creation.
Publish a written retention + destruction schedule (max ~3 years from last interaction) and actually destroy data on schedule.
Confirm in writing that no vendor sells, leases, or profits from the biometric data, and lock that down in your contracts.
Audit any third-party AI/biometric vendor for their own BIPA posture — you can be liable for what they collect on your behalf.
If you offer AI video-interview screening, layer in the separate Illinois AI Video Interview Act requirements (notice, explanation, consent, deletion).

Get an alert the moment this changes

AI law moves fast — effective dates shift, rules get repealed and replaced, new bills pass. Create a free AI Laws USA account, watch the laws on this page, and get an email the moment one of them moves, takes effect, or is challenged. Free for the public, journalists, and students.

Create a free account & set alerts → See team plans

The laws this guide is built on

Every claim above traces to one of these verified entries in our index. Each links to its full record and its official source. Status labels reflect the live dataset as of 2026-06-17.

In effect Stronger protection

BIPA

Illinois · Effective 2008-10-03 · 740 ILCS 14/1 et seq.

The strongest US biometric privacy law: companies must get written consent before collecting fingerprints, face scans, voiceprints, or other biometrics, publish retention/destruction policies, and cannot sell biometric data. Individuals can sue directly and recover $1,000–$5,000 per violation, which has produced major settlements against facial recognition and AI companies.

View full entry → · Official source ↗
In effect Limited protection

AI Video Interview Act

Illinois · Effective 2020-01-01 · 820 ILCS 42/1 et seq.

Employers using AI to analyze video interviews of Illinois job applicants must tell applicants beforehand, explain how the AI works, get consent, limit video sharing, and delete videos on request within 30 days. Employers relying solely on AI screening must report applicant demographic data to the state.

View full entry → · Official source ↗
In effect Stronger protection

COPPA + 2025 Rule (childrens data)

United States · Effective 2025-06-23 · 15 U.S.C. §§ 6501–6506; 16 C.F.R. Part 312

COPPA requires online services aimed at children under 13 to get verifiable parental consent before collecting kids' personal data. The 2025 rule update — fully in effect since April 22, 2026 — adds biometric identifiers (like face templates and voiceprints, which matter for AI tools), requires separate parental consent before sharing children's data for targeted advertising, and tightens data retention limits.

View full entry → · Official source ↗

Browse all Illinois AI laws in the directory → · See the biometrics topic → · Illinois jurisdiction overview →

Frequently asked questions

Does BIPA apply to my company if I'm not based in Illinois?

BIPA protects individuals in Illinois. If you capture biometrics from Illinois residents — including remote employees or online users located in Illinois — you can be subject to it even if your company is headquartered elsewhere. See the full BIPA entry and its official statute text.

Is a fingerprint time clock really covered by BIPA?

Yes. Fingerprint-based timekeeping is the single most-litigated BIPA scenario. A fingerprint is a biometric identifier, so the written-consent, retention-schedule, and no-profit rules all apply before an employee first clocks in.

What are the penalties for a BIPA violation?

Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees and injunctive relief, and individuals can sue directly. The 2024 single-accrual amendment limits stacking to one accrual per person per collection method.

Does BIPA cover AI facial-recognition tools?

Yes — a face template (a faceprint) is a biometric identifier under BIPA. AI tools that scan faces to identify or verify people fall within the statute, which is why several facial-recognition companies have faced large BIPA settlements.

How is the Illinois AI Video Interview Act different from BIPA?

They can both apply to a hiring process. BIPA governs biometric data generally; the Illinois AI Video Interview Act separately requires notice, an explanation of how the AI works, consent, sharing limits, and deletion on request when employers use AI to analyze applicants' video interviews.