BIPA Compliance for AI Tools 2026: Illinois Biometric Privacy and Facial Recognition Risk
Illinois BIPA is the most litigated biometric privacy law in the US — and it has no cap on aggregate damages. If your AI product processes facial geometry, voiceprints, or fingerprint data involving Illinois residents, the per-violation exposure is real and the class action bar is active.
What Is BIPA and Why Does It Matter for AI?
The Illinois Biometric Information Privacy Act (740 ILCS 14/) was passed in 2008 — before modern AI and deep learning made facial recognition cheap and ubiquitous. Today, BIPA has become the primary legal framework governing AI tools that process biometric data in the US.
BIPA regulates the collection, storage, use, and disclosure of biometric identifiers and biometric information. The definitions are broad:
Biometric Identifiers
A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. This is the key category — note 'scan of face geometry' encompasses facial recognition embeddings, face templates, and faceprints generated by AI models.
Biometric Information
Any information based on a biometric identifier (above) used to identify an individual — including AI-derived representations, feature vectors, and embedding models trained on biometric data.
Excluded
Writing samples, written signatures, photographs (a flat photo alone is not a biometric identifier — but AI processing that photograph to extract facial geometry IS), demographic data, and information derived from items not listed above.
The photograph exclusion is a common source of confusion. A photograph itself is not a biometric identifier under BIPA. But when your AI model processes that photograph to extract a 128-dimensional face embedding — that embedding IS a biometric identifier under BIPA. Courts have consistently held that the AI processing step triggers BIPA, not just the raw photograph.
Which AI Tools Are Covered by BIPA?
Any AI product that processes biometric identifiers from Illinois residents is in scope. Common AI use cases that trigger BIPA:
Face Recognition & Identity Verification
HIGH RISKEmployee time-and-attendance systems using face scanning, customer identity verification at point of sale, building access control with face ID, AI-powered KYC verification, social media face tagging
Video Interview & HR AI
HIGH RISKAI video interview platforms that analyze facial expressions or facial geometry, emotion AI tools used in HR screening, AI proctoring software that uses facial monitoring
Voice Biometric Authentication
HIGH RISKVoice authentication systems for banking/finance, AI call center tools that create voiceprint profiles, speaker identification/diarization that builds persistent voice identifiers
Fingerprint Scanning
HIGH RISKAI-enhanced fingerprint access systems, biometric payroll systems, fingerprint-based time tracking
Retail Analytics & Surveillance
HIGH RISKFacial recognition for repeat customer identification, loss prevention AI using face matching, in-store behavior analysis that tracks identified individuals
Emotion AI / Sentiment Analysis
MEDIUM RISKAI that infers emotional states from facial expressions (Affectiva-style), customer sentiment detection from facial cues, market research tools using face response analysis
BIPA's Four Core Requirements
Written Public Policy
Before collecting biometric data, a company must establish and make publicly available a written policy that sets out: (a) a retention schedule for biometric data, and (b) a destruction schedule — specifying when biometric data will be permanently destroyed.
In practice:
Post a BIPA-specific data retention and destruction policy on your website. Specify retention periods (typically 3 years or when the business purpose ends, whichever comes first). Specify destruction timeline after that period. This must be done before collection begins.
Written Notice Before Collection
Before collecting biometric data, a company must inform the subject (in writing): (a) that biometric data is being collected, (b) the specific purpose for collection, and (c) the length of time it will be stored and used.
In practice:
Add a specific BIPA consent notice to your onboarding, data collection, or feature setup flow. Generic privacy policies are insufficient — courts have held that BIPA requires specific, clear notice about biometric data collection, distinct from general data collection notices.
Written Release / Consent
Before collecting biometric data, a company must obtain a written release (consent) from the individual — or from their legally authorized representative. Consent must be obtained for the specific collection and purpose.
In practice:
Add an explicit consent checkbox or signature to your biometric data collection flow. Consent buried in Terms of Service may not be sufficient — courts expect specific, affirmative consent for biometric collection.
No Sale or Profit From Biometric Data
BIPA categorically prohibits selling, leasing, trading, or otherwise profiting from biometric identifiers or information. This applies even with consent.
In practice:
Review your business model. If any revenue stream involves monetizing biometric data — selling insights, licensing face templates, providing biometric analytics to third parties — that is a per se BIPA violation regardless of consent.
BIPA Penalties and Class Action Exposure
BIPA's penalty structure makes it uniquely dangerous for tech companies. Unlike GDPR or CCPA — which are enforced by regulators with discretion over aggregate fines — BIPA gives a private right of action to every individual affected. Anyone whose biometric data was collected without proper BIPA compliance can sue.
$1,000
Per negligent violation (each person, per collection event)
$5,000
Per intentional or reckless violation
Attorneys' fees
Prevailing plaintiffs recover attorneys' fees and litigation costs
No aggregate cap
Unlike CCPA ($750/consumer), BIPA has no statutory cap on total exposure
The combination of per-violation damages and no aggregate cap creates massive exposure for AI companies with large user bases. Consider: an AI tool with 100,000 Illinois users that collected biometric data without consent faces potential exposure of $100M–$500M — just on the statutory damages alone.
The Illinois Supreme Court ruled in Cothron v. White Castle (2023) that every biometric scan is a separate violation — not just the initial collection. A fingerprint time-clock that scans employees daily generates a new BIPA violation for each scan if the original consent was defective.
Notable BIPA Settlements Involving AI and Tech
Facebook (Meta)
2021
$650M
Facial recognition feature (Tag Suggestions) that extracted facial geometry from photos of Illinois users without BIPA consent.
2022
$100M
Google Photos facial recognition grouping feature extracted facial geometry from photos including Illinois users.
TikTok
2021
$92M
Collection of face and voice data from Illinois users without proper BIPA consent or retention policy.
Clearview AI
2024
$52M
Collected billions of facial images from the web, created facial recognition database without consent. Also banned from selling to private entities under settlement.
BNSF Railway
2022
$75M
Fingerprint-based time-and-attendance system for Illinois employees without proper BIPA policy or consent.
Third-Party AI Processors and BIPA Liability
A common trap for AI companies: you're using a third-party model (Amazon Rekognition, Azure Face API, a facial recognition SDK) to process biometric data, and you assume the third-party vendor handles BIPA. This is incorrect.
If you are the company collecting biometric data from Illinois users — even if you're using a third-party AI model to process it — you are a BIPA obligor. You must:
- Get written consent from users before sending their biometric data to the third-party API
- Have a written contract with the third-party vendor that restricts how they process and store biometric data
- Ensure the third party does not retain, re-disclose, or profit from the biometric data they process on your behalf
- Include the third-party processing in your public BIPA policy
Courts have found that sending biometric data to a third-party processor — like an AWS API call with a face photo — constitutes "disclosure" under BIPA, which requires specific authorization beyond standard consent.
BIPA Compliance Checklist for AI Companies
Complete before deploying any AI feature that processes biometric data from Illinois users.
Other States With Biometric Privacy Laws
Illinois BIPA is the most litigated, but it is no longer alone. The biometric privacy legal landscape is expanding:
Texas
CUBI (Capture or Use of Biometric Identifier) — Ch. 503
No private right of action (AG enforces), but penalties up to $25,000 per violation. Similar consent and prohibition-on-sale requirements as BIPA.
Washington
RCW 19.375 (Biometric Identifiers)
No private right of action; AG enforcement. Requires consent, prohibits sale, requires deletion. Washington courts are active on this.
New York
NYC Biometric Identifier Law + pending state legislation
NYC Local Law 3 requires biometric data disclosure notices in commercial establishments. State-level BIPA-style law pending in Albany.
California
CCPA / CPRA — sensitive personal information
Biometric data is sensitive personal information under CCPA. Consumers can opt out of sale/sharing. Private right of action for data breaches involving biometric data.
EU
EU AI Act + GDPR
Biometric data is special category data under GDPR (requires explicit consent). EU AI Act adds restrictions on real-time biometric ID. Processing biometric data without a legal basis is a GDPR violation — fines up to 4% of global revenue.
Audit your AI product's compliance exposure
RatedWithAI helps tech teams understand their compliance posture across accessibility, privacy, and AI regulation requirements. Start with a free scan.
Scan Your Product for Free →Frequently Asked Questions
Does BIPA apply to companies outside Illinois?
Yes. BIPA applies to biometric data of Illinois residents — regardless of where the company collecting it is located. A California startup with an app used by Illinois residents that extracts facial geometry is subject to BIPA. The Illinois Supreme Court has repeatedly held that BIPA applies extraterritorially to protect Illinois residents.
Is a photo of a face covered by BIPA?
A photograph alone is excluded from BIPA. However, if an AI system processes that photograph to extract a face embedding, face template, or facial geometry measurement — that derived biometric identifier is covered by BIPA. Nearly all facial recognition systems work by extracting embeddings from photos, which means photos fed into facial recognition AI trigger BIPA even though the raw photo does not.
Does BIPA apply to employee data or just consumers?
Both. Illinois courts and the Illinois Supreme Court have confirmed that BIPA applies to employee biometric data. The Illinois legislature considered and rejected an employee exemption. Fingerprint time-clocks for employees, face-scanning access systems, and other workplace biometric applications are all subject to BIPA if used in Illinois workplaces — even if the employer is headquartered elsewhere.
Can BIPA consent be buried in a privacy policy?
No. Illinois courts have found that generic privacy policy consent is insufficient for BIPA. The law requires a written release — an affirmative, specific consent for biometric collection and use. The consent must inform the person what biometric data is being collected, why, and how long it will be stored. Courts have rejected arguments that accepting Terms of Service constituted BIPA consent.
What is the statute of limitations for BIPA claims?
The Illinois Supreme Court ruled in Tims v. Black Horse Carriers (2023) that claims under Section 15(a) (failure to maintain a retention policy) and 15(e) (failure to protect biometric data) have a 5-year statute of limitations, while claims under Section 15(b) (failure to obtain consent) and 15(d) (unlawful disclosure) have a 1-year statute of limitations. Plaintiffs typically plead both, so 5-year exposure is common in practice.