AI Governance Institute

Must Comply · Regulation · US
Illinois Biometric Information Privacy Act – AI Provisions

Issued by

Illinois General Assembly; administered and enforced through private right of action and the Illinois Attorney General

Status: live · Effective 2008-10-03 · Illinois BIPA (AI Provisions) · Verified April 2026

The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, restricts the collection, storage, use, and disclosure of biometric identifiers and information, with direct implications for AI systems that process facial geometry, voiceprints, iris scans, and similar biometric data. BIPA is among the most litigated biometric privacy statutes in the United States.

Applies To

  • Employers in Illinois using biometric timekeeping, access control, or workforce monitoring AI systems
  • Retailers and financial institutions deploying facial recognition for fraud prevention or customer identification in Illinois
  • AI vendors and SaaS providers whose platforms process biometric data on behalf of Illinois-based clients or Illinois residents
  • Healthcare organizations using voice or facial AI tools in patient-facing applications
  • Technology companies embedding facial geometry or voiceprint capabilities in consumer-facing products used in Illinois
  • Enterprise procurement and vendor management teams assessing third-party AI tools with biometric processing components
  • Legal and privacy counsel structuring data processing agreements involving biometric AI functionality

Overview

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008 as 740 ILCS 14, predates the modern AI era but has become one of the most consequential US privacy statutes for enterprise AI deployments due to its broad definition of biometric data, its private right of action, and its statutory damages structure. BIPA defines 'biometric identifier' to include retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and any biometric data derived therefrom. 'Biometric information' is defined separately to include any information based on a biometric identifier used to identify an individual. These definitions directly implicate AI systems performing facial recognition, emotion detection, speaker identification, gait analysis, and related biometric inference tasks.

BIPA imposes four primary obligations on private entities: (1) a written policy and retention schedule must be publicly available; (2) informed written consent must be obtained prior to collection or possession of biometric data; (3) a prohibition on profiting from biometric data; and (4) restrictions on disclosure to third parties absent consent, legal requirement, or completion of a financial transaction for which the biometric data was provided.

The statute provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees, without requiring proof of actual harm, a structure that has generated class action litigation exceeding billions of dollars in aggregate settlements. The Illinois Supreme Court's 2023 decision in Cothron v. White Castle System, Inc. held that a separate claim accrues each time biometric data is collected or transmitted without authorization, substantially expanding per-violation exposure. A 2024 legislative amendment (Public Act 103-0769) introduced a cap on damages in class actions, limiting aggregate class damages to the greater of the actual damages sustained by all class members or $1,000 per class member per violation type (negligent) or $5,000 per class member per violation type (intentional/reckless).

For AI governance purposes, BIPA intersects with enterprise deployments of facial recognition for physical access control, workforce monitoring AI tools, customer-facing biometric authentication, AI-powered emotion analytics, and synthetic media or deepfake detection systems that process real biometric inputs. Covered entities must assess whether their AI vendor agreements include adequate data processing terms, whether consent workflows satisfy BIPA's written informed consent standard, and whether biometric retention and destruction schedules are operationalized.

Key Requirements

  • Publish a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information
  • Obtain a written release (informed written consent) from individuals before collecting or otherwise obtaining biometric identifiers or information
  • Inform individuals in writing of the specific purpose and length of time for which biometric data is being collected, stored, and used prior to collection
  • Prohibition on selling, leasing, trading, or otherwise profiting from biometric data
  • Prohibition on disclosing biometric data to third parties without written consent, unless disclosure completes a financial transaction requested by the individual, is required by law, or is required by valid warrant or subpoena
  • Permanent destruction of biometric data when the initial purpose for collection is fulfilled or within three years of the individual's last interaction with the covered entity, whichever occurs first
  • Storage, transmission, and protection of biometric data using a reasonable standard of care within the industry, and in a manner at least as protective as confidential and sensitive information

What Your Organization Must Do

  • Audit all AI systems enterprise-wide to identify any processing of facial geometry, voiceprints, iris scans, fingerprints, or derived biometric data, and map each system to Illinois-resident or Illinois-employee touchpoints before onboarding any new biometric AI tool.
  • Draft and publish a written biometric data retention and destruction policy on your public-facing website or employee handbook, specifying that biometric identifiers will be destroyed within three years of an individual's last interaction or upon fulfillment of the collection purpose, whichever is sooner; assign the Privacy or Compliance Officer as the responsible owner for annual review.
  • Implement a pre-collection written consent workflow for every biometric AI use case, ensuring each notice specifies the exact purpose of collection, the specific retention period, and the identity of any third parties who will receive the data; obtain signed releases before any biometric data is captured.
  • Review and update all AI vendor and data processing agreements to include explicit BIPA-compliant provisions covering prohibition on vendor profiting from biometric data, third-party disclosure restrictions, security standards no less protective than those applied to confidential information, and contractual destruction obligations aligned with your retention schedule.
  • Establish a per-violation exposure tracking mechanism in light of the Illinois Supreme Court's Cothron ruling, treating each unauthorized collection or transmission event as a discrete claim; brief legal counsel on the 2024 class action damages cap (Public Act 103-0769) and model residual litigation exposure under both negligent ($1,000 per member) and intentional/reckless ($5,000 per member) thresholds.
  • Train HR, IT, and procurement teams annually on BIPA obligations, with particular focus on workforce monitoring tools, access control systems, and any emotion analytics or speaker identification features embedded in third-party SaaS platforms used in Illinois operations.


Frequently Asked Questions

Does Illinois BIPA apply to out-of-state companies that process biometric data of Illinois residents or employees?
Yes. BIPA applies to any private entity that collects, stores, uses, or discloses biometric data of Illinois residents or employees, regardless of where the company is headquartered. A vendor whose platform processes facial geometry or voiceprints of Illinois workers is exposed even if the vendor has no physical presence in Illinois.
What are the statutory damages under BIPA for AI systems that collect biometric data without consent?
BIPA provides $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees, with no requirement to prove actual harm. Following the 2024 amendment under Public Act 103-0769, class action aggregate damages are capped at $1,000 or $5,000 per class member per violation type, depending on culpability.
How did the Cothron v. White Castle ruling change BIPA exposure for AI systems that repeatedly scan biometrics?
The Illinois Supreme Court held in 2023 that a separate BIPA claim accrues each time biometric data is collected or transmitted without authorization. For AI systems that scan employee or customer biometrics repeatedly, such as daily timekeeping or continuous access control, this ruling means per-violation exposure multiplies with every unauthorized scan or transmission event.
Does BIPA require written consent before an AI facial recognition or voiceprint system captures data, or can consent be obtained after the fact?
Consent must be obtained before collection. BIPA requires a written release that informs the individual of the specific purpose, the retention period, and any third parties receiving the data, all prior to any biometric capture. Retroactive or post-collection consent does not satisfy the statute.
What BIPA obligations apply specifically to AI vendors and SaaS providers processing biometric data on behalf of Illinois clients?
Vendors that possess or process biometric data on behalf of clients are subject to BIPA's prohibition on profiting from that data, third-party disclosure restrictions, and security standards at least as protective as those applied to confidential information. Data processing agreements should explicitly address destruction timelines, disclosure limits, and the prohibition on biometric data monetization.
How does BIPA's biometric data destruction requirement apply to AI systems with ongoing or indefinite data retention?
BIPA requires permanent destruction of biometric identifiers and information when the original collection purpose is fulfilled or within three years of the individual's last interaction with the entity, whichever comes first. AI systems with indefinite or rolling retention schedules are non-compliant unless a documented destruction protocol is operationalized and enforced.