RatedWithAI

RatedWithAI

Accessibility scanner

Biometric PrivacyJune 28, 2026

BIPA Liability for AI SaaS Vendors: What Software Companies Must Know (2026)

Illinois BIPA class actions have moved upstream from employers to software vendors. If your AI product processes facial geometry, voiceprints, or other biometric identifiers of Illinois residents, your company may be directly in the crosshairs — not just your customers.

$5,000
Statutory damages per intentional BIPA violation (multiplied per-scan by courts)
Per Scan
Illinois Supreme Court: each collection event is a separate violation
No Cap
BIPA class actions have no statutory damage cap — exposure scales with user count

Why Software Vendors Are Now BIPA Defendants

Illinois BIPA was originally understood as a law for employers who use fingerprint time-clocks or facial recognition for employee authentication. Plaintiffs' lawyers quickly expanded that reading. Illinois courts have consistently held that BIPA's definition of "private entity" covers any company — including software vendors — that collects, captures, or obtains biometric data, regardless of whether that company employs the affected individuals.

The cases that matter for AI SaaS companies: courts have refused to dismiss BIPA claims against facial recognition API providers, AI-powered video analysis platforms, and workforce analytics tools on the grounds that the vendor was just a processor acting on behalf of an employer. If your software touches biometric data, your company can be named as a direct defendant — in addition to or instead of your customer.

This shift fundamentally changes how AI SaaS companies need to think about biometric data. "Our customers consented their employees" is not a complete defense for the vendor.

What AI Features Trigger BIPA

BIPA covers biometric identifiers — data based on biological characteristics used to identify individuals. For AI products, the most common triggers are:

Facial Geometry / Facial Embeddings
Risk: Very High

Any AI feature that analyzes a face to extract measurements, feature vectors, or geometric data for identification, verification, or matching. This includes liveness detection, emotion analysis systems that identify the individual, and face matching. Courts have found that generating a facial embedding from a photo constitutes collection of biometric data even if the photo itself isn't retained.

Voiceprints
Risk: High

AI voice verification or speaker identification features that create a biometric template based on voice characteristics. Passive voiceprint collection during calls processed for AI analytics may also qualify. Transcription without speaker identification is generally not a BIPA trigger, but combining transcription with speaker diarization that creates a profile of an identified individual is riskier.

Iris / Retinal Scans
Risk: High

Less common in SaaS applications but present in identity verification and physical access integrations. If your product integrates with physical security or identity systems that use retinal scanning, assess whether you receive or process the biometric template.

Emotion AI and Face-Based Analytics
Risk: Contested

AI that analyzes facial expressions, head pose, or attention for purposes like proctoring, interview analysis, or engagement measurement. Whether this constitutes biometric data collection under BIPA is actively litigated. The safer assumption is that any feature analyzing the geometry of an identified person's face is in scope.

The Four BIPA Requirements Your Product Must Enable

BIPA imposes four core requirements on any private entity collecting biometric data. For AI SaaS vendors, meeting these requirements means both complying yourself and designing your product so your customers can comply.

1

Written Retention and Destruction Policy

You must have a publicly available written policy establishing a retention schedule and guidelines for permanent destruction of biometric data. For SaaS products: your privacy policy or a standalone biometric data policy must cover retention periods, and you must actually delete biometric data on schedule. Many class actions are filed on this requirement alone — because the company collected data without a published policy.

2

Informed Written Consent Before Collection

Before collecting biometric data, you must inform the subject in writing: (a) that biometric data is being collected; (b) the specific purpose for collection; and (c) the length of time it will be retained. Then you must receive a written release signed by the subject. For AI SaaS, this means either you or your customer must collect affirmative, informed consent — click-through acceptance of terms is not enough if biometric data collection wasn't specifically disclosed.

3

Prohibition on Profit from Biometric Data

You cannot sell, lease, trade, or profit from a person's biometric data. For AI SaaS, using individual biometric data to train models without consent and compensation may violate this. Aggregating biometric data for product improvement, benchmarking, or selling model outputs derived from individual biometrics has created liability for SaaS vendors.

4

Prohibition on Disclosure Without Consent

You cannot disclose, redisclose, or disseminate biometric data without the subject's consent — or without a complete set of required exceptions (required by law, financial transaction requested by the subject, or biometric identifier required to complete the transaction). Sharing data with subprocessors without written agreements and consent creates liability. Your AI model API calls transmitting biometric data to third-party providers need to be evaluated against this requirement.

Damages: Why BIPA Exposure Is Existential for AI Startups

BIPA's damages structure is uniquely dangerous for technology companies with large user bases. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation. The Illinois Supreme Court ruled in Cothron v. White Castle that each separate scan or transmission constitutes a separate violation.

The math is brutal: a SaaS product that processes facial data for 50,000 Illinois users, each using a facial authentication feature 100 times, faces theoretical exposure of up to $25 billion in statutory damages at the $5,000 intentional rate. Courts retain discretion to reduce awards in class actions, and Cothron preserved that discretion, but the leverage it creates in settlement negotiations has driven nine-figure class action settlements against technology companies.

There is no statutory cap, no insurance product that fully covers BIPA exposure at scale, and no "we're a startup" defense. The risk is real and the settlements are real — get compliance right before you scale Illinois users.

BIPA Compliance Checklist for AI SaaS Vendors

Product and Legal

  • Audit every AI feature for biometric data collection: facial geometry, voiceprints, fingerprints, iris scans
  • Publish a biometric data retention and destruction policy on your website before collecting any data
  • Implement a pre-collection consent flow: written disclosure of what, why, and for how long
  • Ensure biometric data is deleted on schedule — build automated deletion into your data lifecycle
  • Review whether AI model training uses individual biometric data and add consent if so
  • Prohibit internal teams from selling, trading, or profiting from individual biometric data

Contracts and Subprocessors

  • Add BIPA-specific language to customer agreements: consent obligations, data handling, indemnification
  • Conduct written agreements with all subprocessors who receive biometric data (AI API providers, cloud storage)
  • Limit subprocessor use of biometric data to the specific purpose disclosed to users
  • Require subprocessors to delete biometric data on your instruction
  • Assess whether AI API calls transmit biometric templates and get written data-handling commitments
  • Include BIPA compliance reps and warranties in enterprise SaaS agreements

Frequently Asked Questions

Our customers handle consent for their employees — aren't we covered?

Not necessarily. Courts have held software vendors directly liable under BIPA even when the employer-customer was also sued. Your customer's consent flow protects your customer; it doesn't automatically protect you. You need to ensure your product is designed so that valid BIPA consent (written, specific, signed by the individual) is obtained before your system collects biometric data — and you should document that the consent process meets BIPA's requirements.

We process facial data to verify identity once, then discard it. Are we still at risk?

Yes, for two reasons. First, the consent and policy requirements apply regardless of retention period. You must have a published retention policy (even if it says 'deleted immediately after verification') and must have obtained written consent before the single collection event. Second, courts have found that each collection event is a separate BIPA violation — a single-verification feature used by thousands of Illinois residents creates thousands of potential claims.

Does BIPA apply to AI products used entirely remotely with no Illinois office?

BIPA protects Illinois residents. It doesn't require you to have an Illinois office or employees. If an Illinois resident's biometric data is collected through your product — even via a browser or app accessed remotely — BIPA applies. Courts have consistently rejected jurisdictional arguments based on the vendor's physical location when the biometric data belongs to an Illinois resident.

Can we contract out of BIPA liability with our customers?

You can include indemnification provisions in your customer contracts, which can shift some financial risk to your customers who control the consent process. However, courts have generally found that private entities cannot waive Illinois residents' BIPA rights by contract — so indemnification shifts liability between your company and your customer, but does not eliminate the underlying exposure to class action plaintiffs.

Get Compliance Right Before You Scale Illinois Users

BIPA exposure scales directly with user count and usage frequency. The time to implement biometric data compliance is before you have 50,000 Illinois users and five years of unconsented facial scans in your logs. Retroactive BIPA remediation is either impossible (you can't uncollect historical data) or extremely expensive (settling claims from a period without a published policy or proper consent).

Immediate priorities: publish a biometric retention and destruction policy, audit every AI feature that touches facial or voice data, implement pre-collection consent flows for Illinois users, and review your subprocessor agreements. These aren't optional if you're in this space — they're the price of operating with biometric AI.