BIPA and AI Facial Recognition in Apartments 2026: Property Manager Lawsuit Risk
"Smart" apartment buildings selling AI facial-recognition entry as a security amenity are walking straight into Illinois's toughest privacy statute — and the claimant pool isn't just tenants. Every guest, delivery driver, and visitor scanned at the lobby door is a potential plaintiff.
Why "Smart Building" Amenities Are a BIPA Trap
Multifamily property managers have adopted AI facial-recognition entry systems fast — marketed as a keyless, contactless security upgrade for lobbies, elevators, parking garages, and package rooms. The pitch is convenience and security. The legal reality is that every one of those cameras is a biometric collection point under Illinois law.
Unlike a workplace time clock, where the population scanned is a defined, employed workforce, an apartment building's facial-recognition system scans a rotating population: tenants, their guests, food delivery couriers, movers, contractors, and prospective renters touring the property. Few of these systems collect informed written consent from anyone beyond the leaseholder — if they collect it at all.
That gap between who's actually scanned and who actually consented is exactly the fact pattern that has driven BIPA class actions in other industries, and it's now showing up in residential real estate.
Who Counts as a Claimant
Property managers often assume their exposure is limited to residents who signed a lease. BIPA doesn't work that way — the statute protects anyone whose biometric identifier is collected, regardless of their relationship to the property:
Compliance Checklist for Property Managers and Landlords
- ☐Publish a written policy covering every facial-recognition or biometric touchpoint in the building — lobby, elevator, garage, package room, amenity spaces
- ☐State the specific security purpose and define a retention and destruction schedule
- ☐Make the policy accessible, not buried in an internal management portal
- ☐Obtain informed written consent from every leaseholder and co-occupant before their first scan — not a buried lease clause
- ☐Build a visitor/guest consent workflow (e.g., a consent screen at a guest kiosk or intercom) for anyone scanned who isn't a resident
- ☐Require the same for recurring service providers and delivery partners with regular building access
- ☐Offer a genuinely equivalent non-biometric alternative (fob, code, key) for anyone who declines
- ☐Confirm whether facial matching happens on-device or via a cloud API operated by the access-control vendor
- ☐Get written confirmation of the vendor's retention and deletion practices, and prohibit use of resident biometric data for model training
- ☐Require prompt breach notification from the vendor for any incident involving biometric data
- ☐Delete a former tenant's facial template within the timeframe stated in your written policy after move-out
- ☐Confirm deletion on the vendor's side, not just in the local property management system
- ☐Document deletion so you can demonstrate compliance if challenged
Frequently Asked Questions
Our building only uses facial recognition for the leasing office, not resident entry. Are we still exposed?
Yes, if the leasing office system scans prospective tenants or visitors touring the property, those individuals are still protected under BIPA. Limiting the deployment reduces scale, but the same consent and disclosure obligations apply to whoever is scanned, however limited the use case.
Can we require facial recognition as the only entry method, with no opt-out?
Requiring it without a non-biometric alternative doesn't eliminate BIPA's consent requirement — the individual can still refuse consent, and forcing biometric collection as a condition of access without a genuine alternative creates additional legal risk beyond BIPA itself, including potential fair-housing and habitability arguments in a residential context.
Does a property management company or the individual landlord bear BIPA liability?
Both can be named defendants. The entity that actually collects and controls the biometric data — often the property management company operating the access-control system — typically bears the primary compliance obligation, but ownership structures should confirm this contractually and ensure both parties are covered by the same compliant consent process.
We're outside Illinois — does any of this apply to us?
BIPA itself only applies to Illinois-based collection, but Texas (CUBI) and Washington have biometric statutes with attorney-general enforcement, and other states are actively considering BIPA-style private-right-of-action laws. Multistate property portfolios should build to Illinois's stricter written-consent standard as the baseline rather than assuming other states are risk-free.
Audit the Guest Path First
Most property managers who've thought about BIPA at all have thought about tenant consent. Almost none have built a consent workflow for guests, delivery drivers, and prospective tenants — and that's precisely the population with no contractual relationship to fall back on and the clearest claim that no consent was ever obtained.
Start there: map every person type your facial-recognition system actually scans, then check which of them have a documented, informed, written consent on file.