RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJuly 11, 2026

BIPA and AI Photo-Organizing Apps 2026: The Facial-Grouping Legal Risk

"Find every photo of this person" is a beloved AI feature — and one of the clearest BIPA fact patterns there is. Facial-grouping and auto-tagging tools scan the face geometry of everyone in a photo, including people who never opened the app. Here's why that's already produced the largest BIPA settlement on record, and what photo, social, and dating apps need to fix.

$650M
Settlement against a major platform's photo-tagging facial recognition
Non-users too
BIPA claims have covered people who never created an account
Per-scan
Courts have allowed damages calculated per biometric scan, not per person

A Feature Everyone Ships, A Risk Few Price In

Facial grouping is one of the most requested features in any product with a photo library: cluster faces so a user can pull up "every photo of Mom" or "every photo of my dog's vet." Dating apps use similar matching to verify a profile photo is a real, consistent person. Social apps use it to suggest tags. It's genuinely useful — and it works by running a biometric scan on every face the system detects.

That's precisely the fact pattern that produced BIPA's largest settlement to date, when a major social platform's photo-tagging facial-recognition feature was found to have scanned face geometry without the written consent Illinois law requires. The $650 million resolution reset how seriously product and legal teams treat this feature category — and the exposure hasn't gone away just because the headline case settled.

Why This Feature Is Uniquely Risky Under BIPA

It scans people who never agreed to anything

A user uploads a group photo; the app's facial-grouping model scans every face in it — including friends, coworkers, and strangers in the background who have no relationship with the app and never saw a consent screen.

It creates a persistent biometric template

Facial grouping typically works by converting a face into a mathematical template that's stored and compared across future uploads. That stored template is itself a biometric identifier under BIPA — the retention, not just the initial scan, carries obligations.

It runs by default, not by request

Many apps enable facial grouping automatically to make the feature useful out of the box. Opt-out (rather than opt-in) consent design is a recurring theme in BIPA litigation against consumer apps.

It scales instantly with photo volume

Because courts have allowed per-scan damages theories, an app that processes millions of photos can accumulate exposure far faster than a single-scan use case like a office time clock.

The Non-User Problem

Most privacy compliance programs are built around the people who signed up — the account holder who clicked through a privacy policy and terms of service. Facial-grouping features break that model. The uploader consented to using the app; the other faces in their photos did not. Illinois courts have been willing to let claims proceed from people in exactly that position — scanned by a product they never joined. For any app with a social or sharing component, that means your consent flow needs to account for people who will never see your onboarding screens.

Dating Apps: A Related but Distinct Risk

Dating and identity-verification apps that use facial matching to confirm a profile photo belongs to a real, consistent user run a related but more direct version of this risk — here, the person scanned usually is the user. That narrows the non-user exposure but doesn't reduce the underlying consent, notice, and retention-policy obligations, and identity-verification vendors used by multiple apps face aggregated exposure across every client's user base.

Compliance Checklist for Facial-Grouping Features

Build consent and retention controls before shipping or expanding any face-scanning feature — retrofitting after a demand letter is far more expensive.

Inventory every feature that detects, clusters, or matches faces in stored or uploaded photosStart here
Make facial grouping opt-in, not on-by-default, wherever product design allowsEssential
Provide written notice and obtain written consent before generating a face templateEssential
Publish a retention and destruction schedule specific to biometric templatesEssential
Build a path to identify and honor deletion requests from non-users who appear in others' photosHigh risk area
Restrict access to raw face templates — treat them as sensitive data, not ordinary metadataSecurity
Review any third-party facial-recognition vendor's BIPA compliance and indemnification termsVendor risk
Geofence or disable the feature for Illinois users if full compliance isn't readyInterim mitigation

Don't let a beloved feature become your biggest liability

Compliance gaps compound across your whole product, not just one feature. RatedWithAI scans your web properties for the issues that turn into complaints and lawsuits. Start with a free scan.

Scan Your Site for Free →

Frequently Asked Questions

Do we need consent from everyone in a group photo, or just the uploader?

BIPA's consent requirement attaches to the person whose biometric identifier is collected, not just the account holder who uploaded the photo. Practically, most apps cannot obtain individual written consent from every person in every uploaded photo, which is exactly why facial-grouping features carry outsized BIPA risk and why some companies limit or disable them for Illinois-linked users.

Does converting a face to a numeric vector avoid BIPA?

No. BIPA's definition of biometric identifier has been read broadly to cover face-geometry data regardless of the technical format used to store or represent it. Calling it a 'vector' or 'embedding' rather than a 'faceprint' doesn't change the underlying legal analysis.

Are dating-app photo-verification features exposed the same way?

The risk profile differs slightly because the person scanned is usually the app's own user, which narrows the non-user consent problem. But written notice, consent, and retention-policy requirements still apply, and vendors serving many apps can face aggregated exposure.

Can we retroactively fix consent for a feature already in production?

You can add compliant consent flows going forward, but past collection without proper consent remains a completed violation under BIPA's strict-liability structure. Retroactive fixes reduce ongoing exposure; they don't erase historical claims, which is why legal counsel should assess existing exposure before any public feature change.

Related Guides