aigovernance.com

Global AI Regulation & Framework Directory


Illinois Biometric Information Privacy Act – AI Provisions

Illinois BIPA (AI Provisions) · Illinois General Assembly; administered and enforced through private right of action and the Illinois Attorney General

The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, restricts the collection, storage, use, and disclosure of biometric identifiers and information, with direct implications for AI systems that process facial geometry, voiceprints, iris scans, and similar biometric data. BIPA is among the most litigated biometric privacy statutes in the United States.

Overview

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008 as 740 ILCS 14, predates the modern AI era but has become one of the most consequential US privacy statutes for enterprise AI deployments due to its broad definition of biometric data, its private right of action, and its statutory damages structure. BIPA defines 'biometric identifier' to include retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and any biometric data derived therefrom. 'Biometric information' is defined separately to include any information based on a biometric identifier used to identify an individual. These definitions directly implicate AI systems performing facial recognition, emotion detection, speaker identification, gait analysis, and related biometric inference tasks.

BIPA imposes four primary obligations on private entities: (1) a written policy and retention schedule must be publicly available; (2) informed written consent must be obtained prior to collection or possession of biometric data; (3) a prohibition on profiting from biometric data; and (4) restrictions on disclosure to third parties absent consent, legal requirement, or completion of a financial transaction for which the biometric data was provided.

The statute provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees, without requiring proof of actual harm, a structure that has generated class action litigation exceeding billions of dollars in aggregate settlements. The Illinois Supreme Court's 2023 decision in Cothron v. White Castle System, Inc. held that a separate claim accrues each time biometric data is collected or transmitted without authorization, substantially expanding per-violation exposure. A 2024 legislative amendment (Public Act 103-0769) introduced a cap on damages in class actions, limiting aggregate class damages to the greater of the actual damages sustained by all class members or $1,000 per class member per violation type (negligent) or $5,000 per class member per violation type (intentional/reckless).

For AI governance purposes, BIPA intersects with enterprise deployments of facial recognition for physical access control, workforce monitoring AI tools, customer-facing biometric authentication, AI-powered emotion analytics, and synthetic media or deepfake detection systems that process real biometric inputs. Covered entities must assess whether their AI vendor agreements include adequate data processing terms, whether consent workflows satisfy BIPA's written informed consent standard, and whether biometric retention and destruction schedules are operationalized.

Key Requirements

  • Publish a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information
  • Obtain a written release (informed written consent) from individuals before collecting or otherwise obtaining biometric identifiers or information
  • Inform individuals in writing of the specific purpose and length of time for which biometric data is being collected, stored, and used prior to collection
  • Prohibition on selling, leasing, trading, or otherwise profiting from biometric data
  • Prohibition on disclosing biometric data to third parties without written consent, unless disclosure completes a financial transaction requested by the individual, is required by law, or is required by valid warrant or subpoena
  • Permanent destruction of biometric data when the initial purpose for collection is fulfilled or within three years of the individual's last interaction with the covered entity, whichever occurs first
  • Storage, transmission, and protection of biometric data using a reasonable standard of care within the industry, and in a manner at least as protective as confidential and sensitive information

Who It Affects

  • Employers in Illinois using biometric timekeeping, access control, or workforce monitoring AI systems
  • Retailers and financial institutions deploying facial recognition for fraud prevention or customer identification in Illinois
  • AI vendors and SaaS providers whose platforms process biometric data on behalf of Illinois-based clients or Illinois residents
  • Healthcare organizations using voice or facial AI tools in patient-facing applications
  • Technology companies embedding facial geometry or voiceprint capabilities in consumer-facing products used in Illinois
  • Enterprise procurement and vendor management teams assessing third-party AI tools with biometric processing components
  • Legal and privacy counsel structuring data processing agreements involving biometric AI functionality

Effective Date

2008-10-03
