BIPA Class Action Settlements in AI: Costs, Trends, and Prevention (2026)
Illinois's Biometric Information Privacy Act has become the most expensive privacy statute in the US for AI companies. Facebook paid $650 million. Google paid $100 million. TikTok paid $92 million. The statute's per-violation damages and class action eligibility make it uniquely dangerous for any AI product that touches faces, voices, or fingerprints from Illinois residents.
Why BIPA Hits AI Companies So Hard
BIPA was enacted in 2008, long before modern AI. But the statute's definitions — biometric identifiers include "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry" — map directly onto what AI computer vision systems extract. Every time an AI system processes a face to extract facial geometry for recognition, comparison, or tracking, it potentially collects a biometric identifier under BIPA.
The structural reason AI companies face outsized liability is the per-violation damages. BIPA doesn't require plaintiffs to prove actual harm — the statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation per person. When an AI system processes the faces of millions of Illinois residents without consent, the math becomes catastrophic before you account for class certification.
The Illinois Supreme Court's 2023 ruling in Cothron v. White Castle made it worse: each individual scan generates a separate violation, not one violation per person. An AI attendance system that clock-scans a face daily for five years creates a new BIPA violation with each scan. The theoretical damages in a single workplace system became astronomical.
Major BIPA Settlements Involving AI (What Companies Actually Paid)
Facebook (Meta) — $650 million
2021Tag Suggestions facial recognition feature
Facebook's DeepFace technology automatically suggested tags on uploaded photos by extracting facial geometry to identify individuals. The class covered Illinois users whose faces were scanned without written consent or the required retention/destruction policy.
Google — $100 million
2022Google Photos facial recognition grouping
Google Photos automatically groups photos by face using AI to extract facial geometry. Illinois plaintiffs alleged Google collected biometric identifiers without the written consent and retention schedule BIPA requires.
TikTok — $92 million
2021Facial recognition in user videos and biometric data in app
Settlement covered allegations that TikTok collected facial geometry from user videos and shared biometric and other personal data without required disclosures.
Clearview AI — multiple settlements
OngoingFacial recognition database built from scraped images
Clearview scraped billions of photos to build a facial recognition database and sold access to law enforcement and private customers. BIPA suits alleged collection of biometric identifiers of Illinois residents without consent.
AI Features That Commonly Trigger BIPA
These are the AI capabilities most frequently named in BIPA litigation. If your product includes any of these and serves Illinois residents, a BIPA compliance audit is overdue:
Facial recognition / face matching
CriticalCore BIPA trigger. Requires written consent, retention schedule, and prohibition on sale.
Face detection and geometry extraction
CriticalEven without identification, extracting facial geometry = collecting a biometric identifier.
Voiceprint AI (speaker identification)
CriticalVoiceprints are explicitly listed as biometric identifiers in BIPA.
Liveness detection
HighAnalyzed in Rosenbach-era cases; liveness scans that extract face data may qualify.
Emotion AI from facial expressions
MediumDisputed; some courts have analyzed whether emotion inference from face scan = biometric data.
Photo/video content analysis for faces
HighProcessing user-uploaded content at scale to extract facial data — even for grouping — has generated BIPA suits.
What BIPA Actually Requires — The Four Obligations
BIPA's requirements are specific and procedural. They're easy to meet — or miss — depending on how carefully your legal and product teams have read the statute:
Written Policy with Retention Schedule
Before collecting biometric data, you must establish and make publicly available a written policy establishing retention schedules and guidelines for permanently destroying biometric identifiers and information. This is not a privacy policy paragraph — it's a specific biometric data retention and destruction schedule.
Written Informed Consent Before Collection
You must inform the person in writing that biometric data is being collected or stored, explain the specific purpose and length of term for which it will be collected, stored, and used, and receive a written release. 'By using this app you consent to our privacy policy' is not sufficient — the consent must be specific to biometric data collection.
No Sale or Profit From Biometric Data
You cannot sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. This prohibition catches data licensing agreements, model training data sales, and third-party AI platform integrations where you receive consideration in exchange for biometric data access.
No Disclosure Without Consent or Legal Requirement
Biometric data cannot be disclosed to third parties without consent or as required by law. Sending facial geometry to a cloud API provider, sharing voiceprints with a third-party verification service, or including biometric data in an analytics pipeline without explicit consent violates BIPA regardless of the recipient's own privacy practices.
BIPA Risk Reduction Checklist for AI Companies
Legal and Documentation
- ☐Publish a standalone biometric data retention and destruction policy
- ☐Update privacy policy to explicitly address biometric data collection
- ☐Create written consent flow specific to biometric data (not bundled in ToS)
- ☐Document the purpose and retention period for each biometric data type
- ☐Audit all third-party services that receive biometric data
- ☐Review data processing agreements for BIPA compliance provisions
Technical and Product
- ☐Implement automatic deletion when retention period expires
- ☐Add Illinois-resident detection to geofence or trigger separate consent flow
- ☐Remove biometric processing from features where it isn't core functionality
- ☐Build consent revocation mechanism and associated data deletion pipeline
- ☐Audit model training pipelines for biometric data inclusion
- ☐Log all biometric data collection events for audit trail
Frequently Asked Questions
We process faces in memory only — no persistent storage. Are we still liable under BIPA?
Courts have found that the 'collection' of biometric data under BIPA can occur at the moment facial geometry is extracted — not only when it's stored to disk. Processing faces to extract geometry in RAM and then discarding the image may still constitute collection. The law is still developing here, but 'no storage' is not a reliable defense. Getting a legal opinion on your specific implementation is advisable.
We have BIPA consent language in our terms of service. Is that enough?
Probably not. Courts have repeatedly held that biometric consent buried in general terms of service does not satisfy BIPA's requirement for specific, informed, written consent for biometric collection. The consent must specifically inform the person that biometric data is being collected, explain the purpose, and state the retention period — before collection occurs.
What's the statute of limitations for BIPA claims?
Illinois courts have applied a five-year statute of limitations for BIPA claims. This means that biometric collections made years before a lawsuit — including collections your product made before you knew BIPA existed — can still generate current liability. Early AI products that collected facial data without BIPA compliance in the 2019-2021 period are still potentially exposed.
We operate in multiple states. Does BIPA apply outside Illinois?
BIPA itself only covers Illinois residents. However, Texas, Washington, and other states have their own biometric privacy laws with varying requirements and remedies. Texas's CUBI statute allows the AG to seek civil penalties up to $25,000 per violation. Washington's My Health MY Data Act intersects with biometric health data. Illinois remains the most litigated, but a compliance program should address all state biometric laws.
The Practical Takeaway for AI Product Teams
BIPA doesn't care whether your facial AI is a core product feature or a convenience feature you added to improve UX. It doesn't care whether you're based in California or New York. It applies the moment your AI extracts biometric data from an Illinois resident — and the five-year statute of limitations means past collections create present risk.
The consent and policy requirements are genuinely not hard to implement. The companies that paid nine-figure settlements were caught by the gap between building a biometric AI feature and updating their legal compliance to match. If your product processes faces, voices, or fingerprints, BIPA compliance is a one-time documentation and engineering task — much cheaper than defending a class action.