BIPA for Employers Using AI with Face Recognition (2026)
Published June 24, 2026 · 10 min read
Illinois BIPA (Biometric Information Privacy Act) is the most consequential biometric privacy law in the United States — and its intersection with AI is generating a wave of employer class-action lawsuits. If your company uses an AI tool that scans employees' faces, analyzes their voices, or otherwise captures biometric identifiers in Illinois, BIPA's strict requirements apply regardless of whether you built the technology or bought it from a vendor.
The damages are statutory and per-violation. Unlike most privacy laws, where plaintiffs need to prove actual harm, BIPA lawsuits succeed on procedural violations alone — failure to get written consent before collecting a scan, or failure to post a public data retention policy. Here's what employers need to understand.
What BIPA Covers: Biometric Identifiers in AI Tools
BIPA's definition of "biometric identifier" is technology-neutral. It covers any scan of hand or face geometry, retina or iris scans, voiceprints, and fingerprints — the underlying biological data points, not just their downstream use. AI systems that derive or process these data types are covered.
Covered by BIPA
- •AI timeclocks using face geometry to verify employee identity
- •Voice authentication systems that build a voiceprint
- •AI proctoring software capturing facial geometry during exams
- •Emotion AI tools that analyze facial movements in video interviews
- •AI hiring tools that use facial or voice analysis to score candidates
- •Biometric attendance systems (fingerprint + hand scan)
- •AI security systems that use face recognition to grant facility access
Not Covered (Key Exclusions)
- •Photographs and video where no biometric identifier is extracted
- •Biological samples (blood, saliva) held under HIPAA or other health law
- •AI text analysis tools that never process voice or face data
- •Demographic or behavior analytics not derived from biometric identifiers
- •AI tools used on contractors or vendors outside the employment relationship (separate analysis required)
BIPA's Four Employer Obligations
Section 15 of BIPA imposes four distinct obligations on any private entity that collects or handles biometric data. All four must be satisfied — missing any one creates independent liability.
Written Retention and Destruction Policy
A publicly available written policy that establishes a retention schedule for biometric data and guidelines for permanently destroying biometric identifiers and information. The policy must specify: (a) when the purpose for collection expires, and (b) that data will be destroyed within three years of collection, whichever comes first. Posting this on your intranet or employee handbook qualifies — it does not need to be on a public website for internal employee data.
Written Disclosure to the Individual
A written disclosure informing the employee that (a) biometric data is being collected or stored, (b) the specific purpose for which it's being collected, and (c) the length of time it will be stored. This must be a separate document — buried terms in an employment contract generally do not satisfy this requirement.
Written Release (Consent)
A written release signed by the employee authorizing the collection and any third-party disclosures. This is a voluntary, informed consent — courts have found that mandatory enrollment as a condition of employment doesn't necessarily violate BIPA, but the written release is still required before any scan happens. For third-party vendors, the release must specifically authorize disclosing data to that vendor.
No Profit, Sale, or Unauthorized Disclosure
Biometric data may not be sold, leased, traded, or profited from. It may not be disclosed to third parties without a written release, unless required by law or as part of a financial transaction the individual authorized. This means your AI vendor cannot use your employees' biometric data to train their model without a specific written release permitting that use.
The Damages Math: Why Employers Settle
BIPA's private right of action doesn't require proving actual harm. Procedural violations — missing written consent, no posted policy — are sufficient. The statutory damages are:
Illinois courts have confirmed that each separate biometric capture can constitute a distinct violation — meaning an AI timeclock that scans 500 employees twice daily, without proper consent, accumulates violations at 1,000 per day. At $1,000 each for negligence, a six-month delay in getting consent forms signed generates $180 million in potential statutory exposure. That math explains why employers settle early even when they believe the underlying claim is contestable.
No Cap on Aggregate Damages
Unlike some state privacy laws that cap aggregate class-action damages, BIPA has no statutory aggregate cap. Every unconsented biometric capture is a separate, uncapped violation. This is the reason BIPA class actions have produced some of the largest privacy settlements in US history — including nine-figure settlements against technology companies and employers.
Common Employer Compliance Gaps with AI Tools
Employers who buy AI tools from vendors often assume the vendor handles compliance. They don't. BIPA obligations run with the entity that collects biometric data — and employers almost always are the collectors when their employees use the vendor's AI tool.
Vendor rollout before consent forms are signed
CriticalThe most common gap. HR deploys an AI timeclock or video interview platform, employees start using it, and written consent forms are distributed weeks later. Every scan before the forms were signed is a BIPA violation.
No public retention policy
CriticalBIPA requires a publicly available written policy before any collection begins. Many employers have internal policies but never post them — or post a generic privacy notice that doesn't specify biometric retention timelines.
Consent that doesn't name the vendor
HighIf the consent release doesn't specifically authorize disclosure to the AI vendor processing the data, the disclosure to that vendor is an independent BIPA violation even if you got signed consent for collection.
No destruction schedule or process
HighBIPA requires destroying biometric data when the purpose expires or within three years — whichever comes first. Employers who keep biometric data indefinitely in vendor systems are violating retention limits even if they got perfect consent at collection.
Assuming vendor T&C covers BIPA obligations
HighVendor software license agreements and terms of service are not a substitute for the written disclosure and release required directly from employees. The employer must collect signed releases independently of whatever the vendor's terms say.
Employer Compliance Checklist
- ☐Audit every AI tool used by Illinois employees for biometric data collection
- ☐Post a written biometric data retention and destruction policy before any collection
- ☐Prepare individualized written disclosures: purpose, storage period, what is collected
- ☐Obtain signed written releases from each employee before their first biometric scan
- ☐Ensure releases explicitly name every third-party vendor that will receive the data
- ☐Confirm vendor agreement prohibits use of your employees' biometric data for model training
- ☐Build a biometric data destruction workflow triggered by employment termination
- ☐Set calendar reminders for three-year maximum retention and purge data on schedule
- ☐Include BIPA compliance representations in AI vendor contracts
- ☐For remote/hybrid employees: check if they work from Illinois even if HQ is elsewhere
Frequently Asked Questions
Does BIPA apply to employers using AI face recognition for timekeeping?
Yes. AI timeclocks that use face geometry to verify employee identity are among the most litigated BIPA use cases. All four BIPA obligations apply: public retention policy, written disclosure, written consent before first scan, and no unauthorized third-party disclosure.
What are BIPA damages for employers?
$1,000 per negligent violation or actual damages (greater); $5,000 per intentional or reckless violation. Each biometric capture without proper consent can be a separate violation. There is no aggregate cap — large employers with hundreds of unconsented employees face eight-figure exposure.
Can employers be liable for AI tools their HR software vendors use?
Yes. Employers are the collectors of employee biometric data even when it flows through a vendor's AI system. The employer must obtain and hold the written consent — the vendor's terms of service don't substitute for signed employee releases.
Does BIPA apply outside Illinois?
BIPA applies to private entities collecting biometric data from Illinois residents, regardless of where the company is headquartered. An employer based in California with a warehouse in Illinois must comply with BIPA for Illinois-based employees.
Is verbal consent enough for BIPA?
No. BIPA requires a written release — a signed document. Oral consent, email confirmation without a signed form, and standard employment agreement clauses that don't specifically address biometrics have all been found insufficient by Illinois courts.
Act Before the Scan, Not After
BIPA's damage structure means there is no cost-effective way to remediate after biometric collection has begun without consent. By the time a class action is certified, the per-violation count is often in the millions. The only practical risk management is preemptive: written policy, signed releases, and documented vendor restrictions in place before the first employee interaction with any AI tool that touches biometrics.
For employers evaluating new AI tools — video interviewing platforms, AI-powered performance monitoring, emotion detection, or any HR technology that analyzes faces or voices — make BIPA compliance a procurement requirement, not a post-launch checklist item.