TL;DR: Illinois BIPA requires a written biometric data policy, a published retention schedule, written consent before collecting any biometric identifier, and a prohibition on selling or profiting from biometric data. Class action exposure is severe. AI tools that process video interviews, manage biometric time-and-attendance, or analyze voice in customer service may trigger BIPA. Audit every AI tool in your stack for biometric data collection before deployment.
Illinois's Biometric Information Privacy Act has produced more litigation than any other US privacy law. The settlements speak for themselves: $100 million from Facebook (now Meta), $92 million from TikTok, $228 million from Clearview AI, and dozens of smaller settlements from employers who used biometric time clocks or AI video interview tools without proper consent processes.
The law is not obscure. It was enacted in 2008. But AI systems have expanded the range of tools that trigger BIPA far beyond what employers and developers initially anticipated. A video interview platform that analyzes facial expressions. A customer service tool that identifies callers by voiceprint. A time-and-attendance system that uses facial geometry for clock-in. All of these collect biometric information as defined by BIPA.
This guide covers what BIPA requires, how AI tools trigger it, the current litigation environment, what similar laws in other states require, and what a practical compliance program looks like.
What BIPA covers
The Illinois Biometric Information Privacy Act (740 ILCS 14) applies to private entities that collect, capture, purchase, receive through trade, or otherwise obtain the biometric identifiers or biometric information of any person.
Biometric identifiers are specifically defined: retina or iris scans, fingerprints, voiceprints, scans of hand geometry, and scans of face geometry. The statute explicitly excludes writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, and physical descriptions such as height and weight. The photograph exclusion is narrow: photographs themselves are not biometric identifiers, but templates derived from photographs, such as facial geometry maps created by an AI system for matching purposes, are biometric information.
Biometric information means any information regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier, used to identify an individual. This is broad. A facial recognition embedding stored in a database is biometric information. A voiceprint template used for authentication is biometric information.
Who must comply: any private entity in Illinois that collects, stores, or uses biometric data. The entity does not need to be headquartered in Illinois. Courts have held that the relevant question is whether the data collection affects Illinois residents, not whether the company is based there.
How AI systems trigger BIPA
The original BIPA use cases were fingerprint readers for door access and time clocks. The AI-era use cases are broader and often less obvious to the people deploying them.
AI video interview analysis is the highest-profile current category. Tools like HireVue analyze video of job candidates during recorded interviews. The original marketing pitch for these tools emphasized analysis of micro-expressions, eye contact, and facial movement patterns as predictors of job performance and personality traits. These tools extract facial geometry from video frames. That extraction produces biometric information under BIPA. Several Illinois class actions have targeted employers who used these tools without consent. HireVue has faced litigation directly. Employers who deploy these tools are responsible for their own BIPA compliance, not just the vendor's.
Biometric time-and-attendance systems are a steady source of BIPA litigation. Employers who deploy fingerprint readers or facial recognition clock-in systems for employees in Illinois must satisfy all four of BIPA's core requirements. Many employers have deployed these systems, obtained consent at some point in the past, and then failed to comply with the retention and destruction requirements when employees leave. The Cothron v. White Castle ruling, which held that each scan is a separate violation, has made the damages exposure in these cases particularly high.
Emotion detection and sentiment analysis AI is a less settled category but carries clear risk. Tools that claim to analyze emotional state from facial expressions or voice tone are, at minimum, analyzing facial geometry and voice characteristics. Whether the specific template extraction involved constitutes collection of a biometric identifier is a fact-specific question, but the safer assumption is that BIPA applies to any tool processing facial images or voice for identification or characterization purposes.
Voice biometric authentication in customer service AI is increasingly common. Systems that identify callers by voiceprint to authenticate their identity collect voiceprints, which are explicitly enumerated biometric identifiers under BIPA. If your customer service platform uses voiceprint authentication and you have Illinois callers, BIPA applies.
Workplace safety AI using cameras to detect whether employees are wearing safety equipment, or to monitor movement patterns in a facility, may process facial geometry as part of its computer vision pipeline even if the stated purpose is not identification. Audit the underlying data processing, not just the stated use case.
Statutory requirements: the four obligations
BIPA creates four core obligations for any entity subject to the law.
First, a publicly available written policy. The entity must have a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the entity, whichever occurs first.
Second, retention and destruction. Data must actually be destroyed on the schedule described in the policy. This is where many employers fail: they have a policy but never implement the deletion workflow, particularly for departed employees.
Third, written informed consent before collection. Before collecting, capturing, purchasing, or obtaining biometric identifiers or information, the entity must inform the subject in writing that biometric data is being collected or stored, inform the subject of the specific purpose and length of term for which such biometric data is being collected, stored, and used, and receive a written release signed by the subject or their authorized representative. Consent must precede collection. Retroactive consent does not satisfy BIPA.
Fourth, no sale or profit. Private entities may not sell, lease, trade, or otherwise profit from biometric data. This prohibition is absolute. Sharing biometric data with third parties is permitted only with the subject's consent, as a requirement of a contract with the subject, or if required by law or valid warrant.
The litigation environment
BIPA carries a private right of action, which is the reason it has generated so much litigation. Any "aggrieved person" may bring a claim. Courts have held that a technical violation of BIPA (failure to obtain consent or publish a policy) is itself actionable without additional harm, making class actions straightforward to plead.
The major settlements illustrate the scale: Facebook paid $650 million in 2021 for using facial recognition on uploaded photos without Illinois user consent. TikTok paid $92 million for similar claims. Clearview AI, which scraped billions of photos to build a facial recognition database, settled for $228 million with Illinois users. Numerous employer class actions involving biometric time clocks have settled for $3 million to $30 million.
The 2023 amendment to BIPA reduced but did not eliminate per-violation damages for employers who have a written policy in place. For negligent violations, the amendment allows a court to limit damages to $1,000 per person (not per scan) if the entity has a compliant written policy. Intentional or reckless violations still face $5,000 per person. The amendment does not help entities that had no policy at all.
Other state biometric laws
BIPA is the most litigated, but it is not the only biometric privacy law.
Texas CUBI (Capture or Use of Biometric Identifier Act) requires written notice and consent before collecting biometric identifiers, prohibits sale of biometric data, and requires deletion within a reasonable time. The key difference from BIPA is enforcement: CUBI is enforced by the Texas Attorney General, not through a private right of action. The AG has begun bringing enforcement actions under CUBI. Meta settled a Texas case for $1.4 billion in 2024 under CUBI for its facial recognition practices.
Washington My Health My Data Act treats biometric data as consumer health data, requiring consumer authorization before collection and prohibiting sale without authorization. This law has a private right of action under Washington's Consumer Protection Act.
California CPRA treats biometric information as sensitive personal information. Businesses collecting biometric data from California residents must provide explicit notice and the right to limit use of sensitive personal information. The CPRA does not have a specific biometric consent requirement comparable to BIPA, but the sensitive data framework adds compliance obligations.
Federal proposals: no comprehensive federal biometric privacy law has passed as of mid-2026. The FTC has used Section 5 authority against unfair or deceptive practices involving biometric data, including enforcement against firms that failed to disclose biometric data collection.
Compliance checklist for employers
If your organization deploys or is considering deploying any AI tool that may process biometric data, work through this checklist before deployment.
- Determine whether the tool collects, stores, or uses any of the enumerated biometric identifiers: fingerprints, face geometry, hand geometry, iris or retina scans, voiceprints. Ask the vendor in writing and review the technical documentation.
- Identify all jurisdictions where the tool will be used. For Illinois: full BIPA compliance is required. For Texas: CUBI compliance. For Washington and California: assess under state-specific frameworks.
- Draft or update your written biometric data policy. The policy must state the purpose of collection, the retention period, and the destruction schedule. Publish it on your website or in a location accessible to the individuals affected.
- Design and implement a consent workflow. Written consent must be obtained before any collection occurs. For employees, this typically means adding a BIPA consent form to the onboarding process. For job candidates, it means providing consent before the first use of the tool.
- Implement a deletion workflow for departed employees and for data that has reached its retention limit. Confirm that biometric templates are actually deleted, not merely inaccessible.
- Confirm no sale or transfer of biometric data to third parties except as permitted by statute. Review vendor subprocessor agreements to confirm the vendor is not sharing biometric data in ways that create secondary liability.
- Train HR and operations staff on BIPA requirements and on the consent workflow.
- Document the compliance steps taken and maintain records of consent.
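As an added illustration of two checklist items above, consent before collection and destruction on schedule, the following is example code written for this guide (not from the article's author or any vendor product). It audits a constructed inventory of biometric templates against BIPA's rules that a written release must precede the first capture and that a template must be destroyed when its purpose is satisfied or three years after the subject's last interaction, whichever comes first; record fields, subject IDs and dates are all assumed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class BiometricRecord:
    subject_id: str
    identifier_type: str              # face_geometry, voiceprint, fingerprint
    collected_on: date                # first capture / template creation
    consent_signed_on: Optional[date] # written release date; None = none on file
    last_interaction: date            # subject's last interaction with the entity
    purpose_satisfied_on: Optional[date] = None  # e.g. departure, hiring decision
    destroyed_on: Optional[date] = None          # None = template still held

def consent_is_valid(rec: BiometricRecord) -> bool:
    # Release must exist and precede collection; retroactive consent does not cure it.
    # Assumption: a release signed the day of the first capture counts as prior.
    return rec.consent_signed_on is not None and rec.consent_signed_on <= rec.collected_on

def three_years_after(d: date) -> date:
    try:
        return d.replace(year=d.year + 3)
    except ValueError:                 # 29 Feb has no match three years on
        return d.replace(year=d.year + 3, day=28)

def destruction_deadline(rec: BiometricRecord) -> date:
    # Earlier of: purpose satisfied, or three years after the last interaction.
    by_time = three_years_after(rec.last_interaction)
    return by_time if rec.purpose_satisfied_on is None else min(rec.purpose_satisfied_on, by_time)

def audit(records: List[BiometricRecord], today: date) -> List[Tuple[str, str]]:
    findings = []
    for rec in records:
        if not consent_is_valid(rec):
            findings.append((rec.subject_id, "no_prior_written_consent"))
        held_until = rec.destroyed_on or today    # still held => held through today
        if held_until > destruction_deadline(rec):
            findings.append((rec.subject_id, "retention_exceeded"))
    return findings

SAMPLE = [  # constructed sample inventory, not real data
    BiometricRecord("emp-001", "face_geometry", date(2021, 3, 1), date(2021, 2, 20),
                    date(2022, 12, 15), purpose_satisfied_on=date(2022, 12, 15)),
    BiometricRecord("emp-002", "fingerprint", date(2024, 1, 10), date(2024, 1, 10), date(2026, 5, 30)),
    BiometricRecord("cand-003", "face_geometry", date(2025, 9, 4), date(2025, 9, 10), date(2025, 9, 4),
                    purpose_satisfied_on=date(2025, 10, 1), destroyed_on=date(2025, 10, 1)),
    BiometricRecord("emp-004", "voiceprint", date(2022, 2, 1), date(2022, 1, 15), date(2023, 4, 1)),
]

def run_audit(today: date = date(2026, 6, 1)) -> List[Tuple[str, str]]:
    return audit(SAMPLE, today)
```

Run against the sample, the departed employee whose template was never deleted, the candidate whose release was signed after the interview was recorded, and the voiceprint held past the three-year mark are each flagged; the employee with same-day consent and an active relationship is not.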
What developers should audit
For developers building or integrating AI tools that may process video, images, or audio, a BIPA audit has a specific technical scope.
Review the model architecture for face detection, face geometry extraction, or facial embedding generation steps in the pipeline. A computer vision model that is described as "pose estimation" or "expression analysis" may include facial geometry extraction as an intermediate step even if the output does not look like a biometric template.
Review data retention for all intermediate representations. If a facial embedding is generated and then discarded before the final output is produced, the temporary storage of that embedding is still regulated if it occurs in Illinois.
Confirm that biometric data processed on behalf of clients is covered by your data processing agreements and that clients are informed of the data collected so they can satisfy their own consent obligations.
Related reading
- AI governance for HR teams: complete guide 2026
- FCRA AI hiring disclosure requirements 2026
- NYC Local Law 144: AI bias audit employer guide 2026
- Workday AI lawsuit HR screening checklist 2026
- AI spend governance: token budget controls
- Vetting AI tools: avoid fake apps and malware
- AI data privacy for small teams: GDPR and CCPA
- AI vendor evaluation checklist
- AI acceptable use policy template for small teams
