Does BIPA apply to AI hiring tools that analyze video interviews?

Yes. Illinois BIPA covers any technology that collects, captures, or otherwise obtains biometric identifiers, including facial geometry derived from video interviews and voiceprints generated by AI screening tools. If your AI interview platform scans a candidate's face to measure engagement or analyze voice patterns to score responses, BIPA applies. The Illinois AI Video Interview Act (820 ILCS 42) also applies separately, requiring disclosure before any AI analysis of video interview footage. Both statutes can apply to the same interaction.

What is the penalty for a BIPA violation per incident?

BIPA provides a private right of action with statutory damages of $1,000 per violation for negligent violations and $5,000 per violation for intentional or reckless violations, plus attorneys' fees. Courts have interpreted each collection of biometric data as a separate violation, not each affected individual, which is why class actions under BIPA have produced nine-figure settlements. The Illinois Supreme Court ruled in Cothron v. White Castle (2023) that each scan generates a separate, actionable violation.

Can a vendor agreement transfer BIPA liability to the AI tool vendor?

No, not fully. BIPA places obligations directly on the private entity that collects or possesses biometric data. Even if your AI vendor is contractually responsible for the collection mechanism, the employer as the data controller remains subject to BIPA's requirements. A vendor contract can allocate indemnification costs, but it cannot transfer the statutory obligation to obtain written consent, publish a retention policy, or comply with the destruction schedule. Employers should verify vendor compliance independently, not rely on contract language to substitute for their own BIPA obligations.

Is a verbal disclosure sufficient for BIPA consent?

No. BIPA Section 15(b) requires that the subject (or their legally authorized representative) sign a written release before or at the time of collection. Verbal disclosures, checkbox acknowledgments embedded in a general employment application, or implied consent from participation in the interview process do not satisfy the statute. The written release must specifically authorize the collection of the specific biometric identifier being collected (e.g., facial geometry, voiceprint), state the purpose, and state the duration for which it will be held.

Does BIPA apply to out-of-state employers interviewing Illinois candidates?

Illinois courts have generally held that BIPA applies based on where the individual is located when the biometric data is collected, not where the employer is headquartered. If a remote video interview captures biometric data of a candidate physically located in Illinois at the time of the interview, BIPA likely applies even if the employer and AI vendor are based outside Illinois. Several federal courts have reached this conclusion, and the risk of BIPA class actions for remote hiring has led most national employers to apply BIPA procedures to all candidates regardless of location.

BIPA AI Hiring Compliance Checklist for Ill…

Legal compliance checklist on a desk with a pen

At a glance: Illinois BIPA (740 ILCS 14) requires written consent, a public biometric data retention policy, and a destruction schedule before collecting any biometric identifier, including facial geometry and voiceprints generated by AI interview tools. Violations carry $1,000-$5,000 per incident with a private right of action. The Illinois AI Video Interview Act (AIVIA) adds a separate disclosure requirement for video interview AI analysis. This checklist covers both statutes.

Tick each item as you verify it. Your progress is saved in your browser.

Part 1, Does BIPA apply to your hiring process?

Before working through the full checklist, confirm whether your tools actually collect biometric data as defined by BIPA.

BIPA defines biometric identifier as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric information means any information based on a biometric identifier. Both are covered.

AI hiring tools that trigger BIPA coverage include:

Video interview platforms that analyze facial expressions, eye contact, or emotion to generate candidate scores
Voice analysis tools that measure speaking patterns, cadence, or vocal qualities
Facial recognition used for identity verification during assessments
Liveness detection using face geometry to confirm a candidate is present during a remote test

AI tools that do NOT collect biometric data (and do not trigger BIPA): resume parsers, keyword-based screening tools, personality assessments that don't use biometrics, reference check automation.

If your AI hiring tools collect any of the above: proceed to Part 2.

HR team reviewing compliance documentation at a conference table

Part 2, Written policy (Section 15(a))

BIPA Section 15(a) requires that any private entity in possession of biometric data develop a written, publicly available policy establishing a retention schedule and destruction guidelines.

We have a written biometric data retention and destruction policy
The policy is publicly available (on our website, in an employee handbook, or otherwise accessible without a login)
The policy states the specific biometric identifiers we collect (e.g., facial geometry, voiceprint)
The policy states the purpose for which each identifier is collected
The policy states the length of time each identifier is retained
The policy states when and how each identifier will be destroyed (e.g., "within 3 years of collection or within 1 year of the individual's last interaction with us, whichever comes first")
The policy has been reviewed by legal counsel familiar with BIPA

BIPA Section 15(b) prohibits collecting, capturing, purchasing, receiving through trade, or otherwise obtaining biometric identifiers or information without first:

Informing the subject in writing of the collection and purpose
Informing the subject in writing of the length of term for which the data will be held
Obtaining a written release

Critically: this must happen before or at the time of collection. Consent obtained after collection does not cure a BIPA violation.

We obtain written consent from every candidate before any AI biometric analysis begins
The consent form specifically names the biometric identifier being collected (not just "personal information")
The consent form states the purpose of collection
The consent form states the retention period
The consent form is a standalone document or clearly labeled section, not buried in a general employment application
Consent is obtained before the AI tool analyzes the candidate's video or voice (not at the end of the interview)
We have a process for candidates who decline consent (i.e., an alternative interview path that does not use biometric AI)
We retain signed consent forms for the duration of the retention period plus a reasonable litigation hold period

Part 4, Data storage, transfer, and profit (Sections 15(c)-15(e))

We do not sell, lease, trade, or otherwise profit from biometric data
We do not disclose or disseminate biometric data to anyone other than:
- The candidate themselves
- The AI vendor (under a valid data use agreement)
- A party to which the candidate has consented in writing
- A party required by a valid court order or law enforcement request
Every third party (including AI vendors) that receives biometric data has signed a data use agreement that prohibits them from further sharing the data
Biometric data is transmitted using an encryption or security standard that meets or exceeds the standard generally accepted in our industry for the same category of personal information
We store biometric data using the reasonable standard of care applicable to our industry

Part 5, Destruction schedule (Section 15(a))

Biometric data must be permanently destroyed when the initial purpose for collection is complete or within 3 years of collection, whichever is first.

We have a documented destruction schedule for biometric data collected during hiring
The destruction schedule specifies what triggers destruction (e.g., candidate rejected, position filled, 3-year maximum term)
We have a technical process to actually delete or destroy the data on schedule (not just a policy statement)
We verify destruction actually occurs, someone confirms deletion, it is not just assumed
We retain records of destruction (date, type of data, confirmation)
If we use a third-party AI vendor to store biometric data, the vendor contract requires the vendor to destroy data on our schedule, not their own default schedule

Part 6, Illinois AI Video Interview Act (AIVIA) requirements

The Illinois AI Video Interview Act (820 ILCS 42), effective January 1, 2020, applies whenever an employer uses AI to analyze video interview recordings. AIVIA requirements are in addition to BIPA, not a substitute for it.

Before any AI-analyzed video interview, we notify the candidate that AI will be used to analyze the video
Before any AI-analyzed video interview, we explain what characteristics the AI will evaluate
Before any AI-analyzed video interview, we obtain the candidate's consent to AI analysis
We do not share video interviews with anyone other than persons who evaluate whether the candidate possesses qualifications the position requires, persons necessary to make or improve the AI product, and persons the candidate consents to in writing
We destroy video interviews within 30 days of a candidate's request to have their interview deleted
We can produce documentation of each of the above if requested by the candidate or in litigation

Part 7, Vendor due diligence

If you use an AI hiring tool vendor for biometric analysis, the vendor relationship does not remove your BIPA obligations, it adds them.

We have reviewed the vendor's privacy policy and data processing agreement for BIPA-specific terms
The vendor contract explicitly addresses biometric data and includes a prohibition on secondary use for the vendor's own model training purposes
The vendor contract states the vendor's retention and destruction schedule for our candidates' biometric data
The vendor contract requires the vendor to notify us within a specified period if they experience a data breach affecting biometric data
We have confirmed the vendor does not share biometric data with sub-processors beyond what we have approved
We conduct at least annual review of vendor compliance with these contractual terms

Penalty reference

Violation type	Statutory damages	Attorneys' fees
Negligent violation	$1,000 per violation	Yes
Intentional or reckless violation	$5,000 per violation	Yes
Prevailing party	Litigation costs	Yes

The Illinois Supreme Court's 2023 ruling in Cothron v. White Castle held that each biometric data collection generates a separate, accruing violation, not one violation per plaintiff. Class actions under BIPA regularly reach eight and nine figures as a result.

Policy language: sample Section 15(a) disclosure

The following template language is a starting point. Have legal counsel review it before publishing.

Biometric Data Retention and Destruction Policy

[Company Name] collects biometric identifiers and biometric information (collectively, "biometric data") as defined under the Illinois Biometric Information Privacy Act (740 ILCS 14) in connection with [describe specific use: e.g., "AI-assisted video interview analysis for employment candidates"].

Retention: We retain biometric data for [X period, not to exceed 3 years] from the date of collection, or until the purpose for collection is fulfilled, whichever occurs first.

Destruction: At the expiration of the retention period, or once the purpose for collection is complete (e.g., a position is filled or a candidate is no longer under consideration), we will permanently destroy all biometric data using [describe method: e.g., "secure deletion meeting NIST SP 800-88 standards"].

This policy is made publicly available in accordance with 740 ILCS 14/15(a). Questions may be directed to [privacy contact / email].

BIPA AI Hiring Compliance Checklist for Illinois Employers (2026)

Part 1, Does BIPA apply to your hiring process?

Part 2, Written policy (Section 15(a))

Part 4, Data storage, transfer, and profit (Sections 15(c)-15(e))

Part 5, Destruction schedule (Section 15(a))

Part 6, Illinois AI Video Interview Act (AIVIA) requirements

Part 7, Vendor due diligence

Penalty reference

Policy language: sample Section 15(a) disclosure

BIPA AI Hiring Compliance Checklist for Illinois Employers (2026)

Part 1, Does BIPA apply to your hiring process?

Part 2, Written policy (Section 15(a))

Part 4, Data storage, transfer, and profit (Sections 15(c)-15(e))

Part 5, Destruction schedule (Section 15(a))

Part 6, Illinois AI Video Interview Act (AIVIA) requirements

Part 7, Vendor due diligence

Penalty reference

Policy language: sample Section 15(a) disclosure