The Biometric Information Privacy Act (BIPA): An Ultimate Guide
LEGAL DISCLAIMER: This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.
What is the Biometric Information Privacy Act? A 30-Second Summary
Imagine you use your fingerprint to clock in at your new job. It seems simple and futuristic. But what happens to that fingerprint data? Who owns it? Can your employer sell it? What if their system gets hacked, and a perfect, unchangeable copy of your fingerprint—something you can never reset like a password—is now for sale on the dark web? These are not science fiction questions; they are the exact concerns that led the state of Illinois to pass a groundbreaking law in 2008 called the Biometric Information Privacy Act, or BIPA. BIPA is a pioneering state law that gives individuals powerful rights over their unique biological characteristics. Think of it as a digital bill of rights for your body. It forces companies to be transparent and get your explicit permission before they can collect, use, or store your biometric data. It was born from the fear that, unlike a stolen credit card number, you can't cancel and replace your face or your fingerprints. This guide will walk you through what BIPA is, how it protects you, what businesses need to do to comply, and why this single Illinois law has sent shockwaves through the entire country.
Key Takeaways At-a-Glance:
- Your Biometrics, Your Rules: The Biometric Information Privacy Act establishes that you have a right to control your unique biological data, such as fingerprints, face scans, and iris scans, treating them as your personal property (see biometric_identifier in the glossary).
- Consent is King: The law's most powerful feature is its requirement for informed consent. A company cannot collect your biometric data without first informing you in writing why they want it and for how long they'll keep it, and then getting your express written permission (see informed_consent).
- The Right to Sue: BIPA gives ordinary people the power to sue companies for violations, with penalties of $1,000 to $5,000 per violation. This private_right_of_action is the engine that has driven thousands of lawsuits and multi-million dollar settlements (see statutory_damages).
Part 1: The Legal Foundations of BIPA
The Story of BIPA: A Historical Journey
To understand BIPA, you have to go back to the mid-2000s. Biometric technology was rapidly moving from spy movies into everyday life. At the same time, a company named Pay By Touch was aggressively rolling out a system allowing consumers to pay for groceries with a simple fingerprint scan. It was convenient, but it also raised a chilling question: what was this company doing with a massive database of millions of fingerprints? The answer came in 2008 when Pay By Touch abruptly declared bankruptcy. Suddenly, the fate of its invaluable fingerprint database was in question. Could it be sold to the highest bidder as a corporate asset? This scenario terrified privacy advocates and Illinois lawmakers. They realized that while you can change a compromised password, you can't change your fingerprint. A breach of biometric data is a permanent identity theft. In response, the Illinois General Assembly unanimously passed the Biometric Information Privacy Act in 2008. It was a law far ahead of its time. It wasn't a response to a specific disaster but a proactive measure to prevent one. The legislature declared that the public was “wary of the use of biometrics” and that regulation was needed to build public trust. They built the law on one simple, powerful idea: individuals should be in control of their own unique, permanent identifiers.
The Law on the Books: 740 ILCS 14/
The official citation for BIPA is 740 ILCS 14/. Unlike many dense legal texts, its core principles are direct and surprisingly clear. The law governs how private entities—meaning businesses and organizations, but not the government—can handle “biometric identifiers” and “biometric information.”
- Biometric Identifier: This means a retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry.
- Biometric Information: This refers to any information, regardless of how it's stored, that is based on a biometric identifier used to identify an individual.
The law lays out several key obligations for any company operating in Illinois that handles this kind of data. A critical passage from Section 15(b) of the Act states:
“No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(1) informs the subject… in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject… in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject…”
In plain English, this means a company can't just start scanning your face or fingerprints. They must first hand you a written notice explaining what they are collecting, why they are collecting it, and how long they plan to keep it. Then, you must sign a separate consent form—a “written_release”—giving them explicit permission.
A Nation of Contrasts: State Biometric Privacy Laws
For many years, Illinois stood alone. However, as biometric technology has become ubiquitous, other states have followed its lead, though often with much weaker protections. The most critical difference is BIPA's private right of action, which allows individuals to sue. Most other states leave enforcement up to their Attorney General.
| Feature | Illinois (BIPA) | Texas (CUBI) | Washington (HB 1493) | California (CCPA/CPRA) |
|---|---|---|---|---|
| Private Right of Action? | Yes, with statutory damages | No, only the Attorney General can sue | No, only the Attorney General can sue | Yes, but only for data breaches, not for improper collection |
| Written Consent Required? | Yes, explicit written consent required before collection | Yes, consent required before collection | Yes, consent required before “enrolling” data in a database | No, but must provide notice and an opt-out option |
| Applies to Employee Data? | Yes, a major source of litigation | Yes | Yes | Yes, as of 2023 |
| What this means for you | If you're in Illinois, you have powerful personal rights and can take a company to court for simply failing to get your permission correctly. | In Texas, your data is protected, but you have to rely on the government to enforce the law on your behalf. | Similar to Texas, enforcement is not in the hands of individuals. | In California, you have broad data rights, but for biometrics, your right to sue is generally limited to situations where a company's poor security leads to a data breach. |
Part 2: Deconstructing the Core Elements
The Anatomy of BIPA: The Five Pillars of Compliance
BIPA is built on five core requirements that create a comprehensive framework for protecting biometric data. For businesses, understanding and implementing these five pillars is the only path to avoiding costly litigation.
The Duty to Inform & Obtain Consent (Sections 15(a) & 15(b))
This is the heart of BIPA. Before a company can even think about collecting a fingerprint or face scan, it must complete a two-step process:
- Develop a Public Policy: The company must create and make publicly available a written policy that establishes a retention schedule and guidelines for permanently destroying biometric data. For an employer, this policy should be readily available to all employees.
- Informed Written Consent: The company must inform the person in writing about what data is being collected and why. They must also specify how long the data will be kept. After providing this information, they must obtain a signed, written release from the individual. A hypothetical example: A gym wants to use a fingerprint scanner for member check-in. Before a new member's first scan, the gym must provide them with a clear, one-page document explaining they are collecting a fingerprint scan to be used only for gym access and that it will be destroyed when their membership ends. The member must then sign this form.
The Prohibition on Profiting (Section 15(c))
BIPA makes it illegal for companies to sell, lease, trade, or otherwise profit from your biometric data. This is a bright-line rule. Your fingerprint cannot be sold to a data broker or a marketing company. This provision ensures that your unique identifiers are not treated as a corporate commodity to be bought and sold.
The Limitation on Disclosure (Section 15(d))
A company holding your biometric data cannot share it with anyone else unless one of a few narrow exceptions applies:
- The person themselves consents to the disclosure.
- The disclosure is required to complete a financial transaction authorized by the person.
- The disclosure is required by federal, state, or local law.
- The disclosure is required by a valid subpoena or warrant.
This rule prevents the casual sharing of highly sensitive data between corporate partners or affiliates without your knowledge.
The Duty to Secure (Section 15(e))
This pillar mandates that companies protect the biometric data they hold with a reasonable standard of care. Furthermore, the security measures must be at least as protective as the measures the company uses for its other confidential and sensitive information. In practice, this means using measures like data encryption, access controls, and regular security audits. If a company stores fingerprints in an unencrypted spreadsheet on a public server, it is flagrantly violating this duty.
The Players on the Field: Who's Who in a BIPA Case
- The Plaintiff: This can be a single individual or, more commonly, a group of people (a “class”) who have had their BIPA rights violated. This is often an employee or customer whose biometric data was collected without proper notice and consent.
- The Defendant: This is the private entity—typically a business, employer, or corporation—accused of violating BIPA. Defendants range from small businesses using biometric timeclocks to tech giants like Google and Facebook who use facial recognition technology.
- Plaintiff's Attorneys: These are typically lawyers who specialize in class_action litigation. They represent the group of individuals and are often paid a percentage of the final settlement or judgment, meaning there is no upfront cost to the plaintiffs.
- Defense Counsel: These lawyers are hired by the defendant company (or its insurance carrier) to defend against the BIPA lawsuit. Their goal is to have the case dismissed, minimize the financial payout, or argue that the company's practices were, in fact, compliant with the law.
- Illinois Courts: Because BIPA is an Illinois state law, these cases are heard in Illinois state or federal courts. The rulings from these courts, especially the Illinois Supreme Court, shape how the law is interpreted and applied.
Part 3: Your Practical Playbook
For Individuals: What to Do If Your Biometric Rights Were Violated
If you live or work in Illinois and a company has collected your fingerprint, face scan, or voiceprint, you have powerful rights. Here's what to consider if you believe a violation occurred.
Step 1: Identify a Potential Violation
Ask yourself these questions:
- Did the company ask me to use my fingerprint, face, or voice to identify myself? (e.g., for clocking in/out, accessing a device, or using a service)
- Before they did this for the first time, did they give me a written document to read and sign?
- Did that document clearly explain *why* they were collecting my data and *how long* they would keep it?
If the answer to the second or third question is “no,” you may have a potential BIPA claim. The most common violation is an employer requiring employees to use a biometric timeclock without first getting their informed written consent.
Step 2: Gather Your Information
You don't need a mountain of evidence, but any information is helpful.
- Note the date you first started using the biometric system.
- Keep any employee handbooks or new-hire paperwork you received. These documents may (or may not) contain the required BIPA policy.
- Write down the name of the company that makes the biometric scanner or software, if you know it (e.g., Kronos, ADP).
Step 3: Understand the Statute of Limitations
A statute_of_limitations is a legal deadline to file a lawsuit. The Illinois Supreme Court has ruled that the statute of limitations for BIPA claims is five years. This means you generally have five years from the date of the violation to bring a claim.
Step 4: Consult a Class Action Attorney
BIPA cases are complex and are almost always handled as class actions. You should look for a law firm in Illinois that specializes in BIPA or consumer class action litigation.
- No Upfront Cost: These attorneys almost always work on a contingency fee basis, meaning they only get paid if they win the case. You will not have to pay them out of pocket.
- Initial Consultation is Free: A reputable firm will speak with you about your situation for free to determine if you have a valid case.
For Businesses: A BIPA Compliance Checklist
For any business operating in Illinois, BIPA compliance is not optional—it is a critical risk management issue. The following is a practical checklist.
1. Conduct a Biometric Data Audit:
   - Identify all systems that collect, store, or use biometric data. This includes timeclocks, security scanners, point-of-sale systems, or even software features that scan facial geometry.
2. Draft a Publicly Available BIPA Policy:
   - Create a formal, written policy. This is non-negotiable.
   - State the Purpose: Clearly define the business reason for collecting the data (e.g., “for employee timekeeping and workplace security”).
   - Create a Retention Schedule: Define how long you will keep the data. The law requires you to destroy it when the initial purpose for collecting it has been satisfied, or within 3 years of the individual's last interaction with the company, whichever comes first.
   - Detail Your Destruction Protocol: Explain that the data will be permanently destroyed from all systems according to the retention schedule.
   - Make it Public: For employees, include it in the employee handbook. For customers, post it on your website and at any location where data is collected.
3. Implement a Written Consent Protocol:
   - Create a separate consent form. Do not bury this in a long employment contract or a stack of onboarding paperwork.
   - This “written_release” must be signed by the individual before you collect any biometric data.
   - The form should reference your public BIPA policy and reiterate the purpose and retention schedule.
   - Maintain secure records of all signed consent forms.
4. Secure Your Biometric Data:
   - Treat biometric data with your highest level of data_security.
   - Use encryption for data both at rest (in a database) and in transit (across a network).
   - Strictly limit which employees can access the data.
5. Review Vendor Contracts:
   - If you use a third-party vendor for your timeclock or security system, review your contract. Ensure the vendor is also BIPA compliant and establish who is responsible in the event of a data breach or lawsuit.
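Steps 2 through 4 of the checklist translate naturally into policy-as-code: an enrollment path that refuses to capture anything until a written release stating purpose and retention term is on file, and a scheduled sweep that flags records for destruction once the purpose is satisfied or three years have passed since the last interaction, whichever comes first. The sketch below is an added illustration written for this guide, not code from any vendor or from the statute; the class and field names, the hypothetical subject ids, and the approximation of "3 years" as 1095 days are assumptions, and it is an engineering aid rather than legal advice.

```python
"""Consent gate and retention sweep mirroring the BIPA compliance checklist.
Added example for this guide; all names, ids and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumption: the statute's "3 years" is approximated as 1095 days.
RETENTION_CAP = timedelta(days=3 * 365)


class ConsentMissing(Exception):
    """Raised when collection is attempted without a compliant written release."""


@dataclass(frozen=True)
class WrittenRelease:
    subject_id: str
    purpose: str            # the specific purpose disclosed to the subject
    retention_term: str     # the length of term disclosed to the subject
    signed_on: date


@dataclass
class BiometricRecord:
    subject_id: str
    template_ref: str       # opaque handle to an encrypted template, never raw data
    purpose: str
    enrolled_on: date
    last_interaction: date
    purpose_satisfied_on: Optional[date] = None   # e.g. membership or employment end


@dataclass
class BiometricRegistry:
    releases: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)

    def record_release(self, release: WrittenRelease) -> None:
        # A release that omits purpose or length of term is not a usable consent.
        if not release.purpose.strip() or not release.retention_term.strip():
            raise ValueError("release must state both purpose and length of term")
        self.releases[release.subject_id] = release

    def enroll(self, subject_id: str, template_ref: str, purpose: str, on: date) -> BiometricRecord:
        # Collection is only allowed after a release was signed, and only for the stated purpose.
        release = self.releases.get(subject_id)
        if release is None or release.signed_on > on:
            raise ConsentMissing(f"no written release on file for {subject_id} before {on}")
        if release.purpose != purpose:
            raise ConsentMissing("requested use differs from the purpose the subject consented to")
        rec = BiometricRecord(subject_id, template_ref, purpose, on, on)
        self.records[subject_id] = rec
        return rec

    def touch(self, subject_id: str, on: date) -> None:
        """Record an interaction (e.g. a clock-in) so the 3-year cap is measured from it."""
        self.records[subject_id].last_interaction = on

    def destruction_deadline(self, rec: BiometricRecord) -> date:
        # Earlier of: purpose satisfied, or three years after the last interaction.
        cap = rec.last_interaction + RETENTION_CAP
        return min(cap, rec.purpose_satisfied_on) if rec.purpose_satisfied_on else cap

    def retention_sweep(self, today: date) -> list:
        """Subject ids whose biometric data is due for permanent destruction."""
        return sorted(s for s, r in self.records.items() if self.destruction_deadline(r) <= today)


def demo() -> dict:
    """Constructed scenario: one consented employee, one attempted enrollment without consent."""
    reg = BiometricRegistry()
    reg.record_release(WrittenRelease("emp-1", "employee timekeeping",
                                      "until employment ends, at most 3 years", date(2024, 1, 2)))
    reg.enroll("emp-1", "tmpl:emp-1", "employee timekeeping", date(2024, 1, 3))
    try:
        reg.enroll("emp-2", "tmpl:emp-2", "employee timekeeping", date(2024, 1, 3))
        blocked = False
    except ConsentMissing:
        blocked = True
    reg.touch("emp-1", date(2024, 6, 1))
    cap_deadline = reg.destruction_deadline(reg.records["emp-1"])       # 3 years after last scan
    reg.records["emp-1"].purpose_satisfied_on = date(2025, 3, 1)        # employment ended
    return {
        "blocked_without_consent": blocked,
        "cap_deadline": cap_deadline.isoformat(),
        "deadline": reg.destruction_deadline(reg.records["emp-1"]).isoformat(),
        "due_on_end_date": reg.retention_sweep(date(2025, 3, 1)),
        "due_day_before": reg.retention_sweep(date(2025, 2, 28)),
    }


if __name__ == "__main__":
    print(demo())
```

The registry stores only an opaque reference to an encrypted template; the consent check and the retention clock are enforced in code rather than left to a handbook, which is what makes the policy auditable.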
Part 4: Landmark Cases That Shaped Today's Law
The interpretation of BIPA has been heavily shaped by a few key decisions from the Illinois Supreme Court. These cases have defined the law's power and reach.
Case Study: Rosenbach v. Six Flags Entertainment Corp. (2019)
- The Backstory: A mother took her teenage son to Six Flags Great America. The park required her son to scan his thumbprint to use his season pass. The mother sued, alleging Six Flags collected the print without providing the required written notices or obtaining consent.
- The Legal Question: Does a person need to suffer a real-world injury, like identity theft, to sue under BIPA? Or is the simple violation of their rights—the failure to get consent—enough?
- The Ruling: The Illinois Supreme Court sided with the mother. It ruled that a violation of the law itself is the injury. In the court's words, when a company violates BIPA, it “infringes upon the very right of privacy and control the Act was designed to protect.”
- Impact Today: *Rosenbach* opened the floodgates for BIPA litigation. It established that plaintiffs don't need to prove they were harmed; they only need to prove the company failed to follow the rules. This makes it much easier to bring a BIPA case.
Case Study: Cothron v. White Castle System, Inc. (2023)
- The Backstory: A long-time White Castle manager sued the company, alleging it required her to scan her fingerprint to access pay stubs and computers for years, all without her initial consent.
- The Legal Question: Does a BIPA violation occur only the first time a company scans a person's biometric data without consent? Or does a new violation occur with each and every subsequent scan?
- The Ruling: In a bombshell decision, the Illinois Supreme Court ruled that a new claim accrues with every single scan or transmission of biometric data.
- Impact Today: *Cothron* exponentially raised the financial stakes of BIPA non-compliance. For a company with hundreds of employees clocking in and out twice a day, potential damages could skyrocket into the billions of dollars, as each scan could be considered a separate violation ($1,000 for a negligent one, $5,000 for a reckless one).
Part 5: The Future of BIPA
Today's Battlegrounds: Current Controversies and Debates
The massive financial exposure created by the *White Castle* ruling has led to a significant pushback from the business community in Illinois. Lobbying groups are actively pushing the Illinois General Assembly to amend BIPA. The main proposals include:
- Curing Violations: Allowing companies a “right to cure,” meaning a grace period to fix a violation after being notified, before a lawsuit can be filed.
- Changing the Damages Structure: Amending the law to calculate damages on a “per-person” basis rather than a “per-scan” basis to reduce the astronomical potential payouts.
Privacy advocates argue that these changes would gut the law, removing the very teeth that make it an effective deterrent. This legislative battle will determine the future power and scope of BIPA in its home state.
On the Horizon: How Technology and Society are Changing the Law
BIPA was written in 2008, long before the rise of generative AI, ubiquitous smart devices, and advanced surveillance technology. The future will test the law in new ways:
- Artificial Intelligence (AI): How does BIPA apply to AI systems that can identify people from their gait (the way they walk) or create photorealistic “deepfakes”? Is the data used to train these models “biometric information”?
- Emotional Recognition: Technology that claims to analyze facial expressions to determine a person's emotional state is being deployed in hiring and marketing. This could represent a new frontier for biometric privacy litigation.
- The Spread of BIPA-like Laws: The success and impact of BIPA have made it the gold standard for biometric privacy. More states are introducing and passing laws modeled after BIPA. While many lack the private right of action, the national trend is toward giving consumers more control over their biometric data, a movement started by this single, powerful Illinois law.
Glossary of Related Terms
- biometric_identifier: A unique, measurable biological characteristic used for identification, such as a fingerprint, iris scan, or face scan.
- biometric_information: Any information based on a biometric identifier, regardless of how it is stored.
- class_action: A type of lawsuit where one person or a small group of people sue on behalf of a much larger group with similar claims.
- consent: Permission for something to happen or agreement to do something.
- data_breach: An incident where sensitive, protected, or confidential data is accessed, disclosed, or used by an unauthorized individual.
- data_security: The practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.
- encryption: The process of converting information or data into a code, especially to prevent unauthorized access.
- informed_consent: Consent given by a person who has a clear appreciation and understanding of the facts, implications, and future consequences of an action.
- private_right_of_action: The right of an individual person to file a lawsuit to enforce a legal right, as opposed to enforcement by a government agency.
- statute_of_limitations: A law that sets the maximum time after an event within which legal proceedings may be initiated.
- statutory_damages: A specific amount of money a law allows a court to award for a violation, even if the plaintiff cannot prove actual financial harm.
- written_release: A signed legal document that relinquishes a right or claim; under BIPA, it's the required form for consenting to data collection.