Illinois's BIPA has generated billion-dollar verdicts. If you collect fingerprints, facial scans, or voiceprints—even for time clocks—you need compliance now.
The Illinois Biometric Information Privacy Act (740 ILCS 14/) is the strictest biometric privacy law in the nation—and the most litigated.
Note: Even if data seems excluded, the way it's processed may still trigger BIPA. Photo tagging systems that extract facial geometry are covered.
Most BIPA lawsuits stem from these six compliance failures. Each can result in statutory damages per affected individual.
Failing to create and make publicly available a written policy for retention and destruction of biometric data
Collecting biometric data without first obtaining written informed consent from the individual
Not informing individuals in writing of the specific purpose and length of time data will be stored
Keeping biometric data longer than necessary or failing to destroy it within required timeframes
Selling, leasing, trading, or otherwise disclosing biometric data to third parties
Failing to store and protect biometric data using reasonable security measures
In August 2024, Illinois amended BIPA to address the Cothron v. White Castle ruling. Now, multiple collections or disclosures using the same method constitute a single violation per person, rather than a violation per scan. This significantly reduces (but doesn't eliminate) potential damages.
Important: You still need proper consent and policies. The amendment only limits how violations accrue—not whether you're liable.
These cases demonstrate the massive financial exposure employers face under BIPA.
Cothron v. White Castle
Illinois Supreme Court ruled each fingerprint scan was a separate violation
Rogers v. BNSF Railway
Jury awarded damages for fingerprint collection without proper consent
Patel v. Facebook
Photo tagging facial recognition without consent
Comprehensive BIPA compliance services for Illinois employers using any form of biometric technology.
Comprehensive assessment of all biometric data collection points, policies, and consent processes
Creation of compliant written retention/destruction policies and consent forms tailored to your operations
Training programs for HR, IT, and managers on proper biometric data handling and consent procedures
Systems to track retention periods and automate destruction of biometric data when no longer needed
Our streamlined process gets you compliant quickly without disrupting your operations.
We identify all biometric data collection points—time clocks, security systems, apps, and third-party vendors
Review existing policies, consent forms, and data handling practices against BIPA requirements
Develop compliant policies, implement consent workflows, and establish retention schedules
Continuous monitoring, employee training updates, and vendor management to maintain compliance
Illinois has the most aggressive privacy laws in the nation. Combine BIPA with GIPA for complete biometric and genetic information protection.