The Illinois Biometric Information Privacy Act (BIPA) is one of the most stringent privacy laws in the United States. It governs how organizations collect, use, store, share, and destroy biometric identifiers and biometric information.
Unlike many privacy laws, BIPA allows private individuals to sue directly, with statutory damages for each violation. This has made BIPA a major source of class-action lawsuits for businesses of all sizes—not just large enterprises.
If your organization collects or uses biometric data in Illinois—or from Illinois residents—BIPA compliance is not optional.
BIPA regulates biometric identifiers and biometric information, including:
Biometric identifiers
Fingerprints
Voiceprints
Retina scans
Iris scans
Face geometry (used in facial recognition)
Biometric information
Any data derived from biometric identifiers used to identify an individual
Common examples include time-clock fingerprint scanners, facial recognition for building access, voice authentication systems, and biometric features embedded in HR, security, or customer-facing applications.
BIPA applies to any private entity that:
Collects biometric data from Illinois residents
Operates in Illinois or
Uses biometric systems that involve Illinois employees, customers, or users
This includes:
Employers using biometric timekeeping or access controls
Healthcare providers and clinics
Manufacturers and warehouses
Retailers and hospitality businesses
Technology companies using facial recognition or voice authentication
SaaS providers whose customers operate in Illinois
Importantly, company size does not matter. Small and mid-sized businesses are frequent BIPA defendants.
BIPA is unique because:
There is no requirement to prove actual harm
Statutory damages can reach $1,000–$5,000 per violation
Each biometric scan can be treated as a separate violation
Class-action lawsuits are common
Most BIPA violations are not caused by hackers—they result from missing documentation, unclear consent, poor retention practices, or unsecured biometric systems.
From an IT and cybersecurity perspective, BIPA compliance focuses on governance, consent, security, and lifecycle management of biometric data.
At a minimum, organizations must meet the following requirements.
Before collecting biometric data, individuals must be informed:
What data is collected
Why it is collected
How long it will be retained
Explicit, written consent must be obtained before collection.
Organizations must:
Define how long biometric data is kept
Securely destroy biometric data when no longer needed
Biometric data must be protected using:
Strong access controls
Encryption
Secure storage
Logging and monitoring
Least-privilege access
Biometric data cannot be sold or shared except under limited, documented circumstances.
BIPA is often misunderstood as a purely “legal” problem—but compliance succeeds or fails in IT systems.
Key IT responsibilities include:
Identifying where biometric data exists across systems
Securing biometric databases and integrations
Enforcing access control and MFA
Monitoring access and usage
Supporting audit trails and documentation
Ensuring secure deletion at end of retention periods
Managing third-party vendors that process biometric data
If your IT environment can’t demonstrate these controls, BIPA exposure increases dramatically.
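As an added illustration (not code from the original article or from any vendor product), the Python sketch below models the lifecycle controls discussed above: enrollment is refused unless a written consent record is on file, every access is written to an audit trail, and a template is destroyed at the earlier of "purpose satisfied" or an assumed three-year retention cap measured from the subject's last interaction. Encryption at rest is assumed to happen before the ciphertext reaches this store, and all class, method and actor names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=3 * 365)  # assumed policy: 3 years after last interaction, or earlier if purpose is satisfied

@dataclass
class Template:
    blob: bytearray             # caller supplies ciphertext; mutable so it can be wiped
    last_interaction: datetime
    purpose_done: bool = False

@dataclass
class BiometricStore:
    consents: dict = field(default_factory=dict)   # subject_id -> consent signed_at
    templates: dict = field(default_factory=dict)  # subject_id -> Template
    audit: list = field(default_factory=list)      # (when, actor, action, subject_id)

    def record_consent(self, subject_id, signed_at):
        self.consents[subject_id] = signed_at
        self.audit.append((signed_at, subject_id, "consent", subject_id))

    def enroll(self, actor, subject_id, ciphertext, when):
        # No written consent on file: refuse before anything is stored.
        if subject_id not in self.consents:
            self.audit.append((when, actor, "enroll-refused", subject_id))
            raise PermissionError(f"no written consent on file for {subject_id}")
        self.templates[subject_id] = Template(bytearray(ciphertext), when)
        self.audit.append((when, actor, "enroll", subject_id))

    def read(self, actor, subject_id, when):
        # Every read is logged and refreshes the retention clock.
        tpl = self.templates[subject_id]
        tpl.last_interaction = when
        self.audit.append((when, actor, "read", subject_id))
        return bytes(tpl.blob)

    def end_purpose(self, actor, subject_id, when):
        # e.g. employment ends: the stated purpose is satisfied, so retention ends now.
        self.templates[subject_id].purpose_done = True
        self.audit.append((when, actor, "purpose-done", subject_id))

    def purge_expired(self, actor, now):
        purged = []
        for sid, tpl in list(self.templates.items()):
            if tpl.purpose_done or now - tpl.last_interaction >= RETENTION:
                tpl.blob[:] = bytes(len(tpl.blob))  # overwrite before dropping the reference
                del self.templates[sid]
                self.audit.append((now, actor, "destroy", sid))
                purged.append(sid)
        return purged
```

Run `purge_expired` from a scheduled job and retain the audit list in append-only storage; it is the evidence that notice, consent, retention and destruction actually happened.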
Most BIPA requirements are not exotic or unreasonable.
They align with cybersecurity best practices that every organization should already follow to protect employees, customers, and partners—even if BIPA didn’t exist.
Strong access controls, encryption, clear policies, and documented processes protect your business and reduce legal risk at the same time.
Our cyber risk and compliance assessments help organizations:
Identify biometric data exposure
Evaluate security controls against BIPA requirements
Close documentation and technical gaps
Reduce litigation and regulatory risk
Prepare clear, defensible compliance evidence
We focus on practical, real-world controls—not checklists that look good but don’t protect you.
Here is a practical, high-impact roadmap.
Document:
Ensure:
Implement or validate:
Confirm third-party providers:
Employees handling biometric data should understand:
Know where you stand. Know what to fix. Reduce risk before it becomes a lawsuit.
Talk to an Executive Advisor Today