The Receipts Explainer

Explainer 9 min read · May 1, 2026 · By eosguide team

What Is BIPA — and Could a Company Owe You Money for Scanning Your Face or Fingerprint?

Illinois passed a biometric privacy law in 2008, largely in response to fingerprint scanners at grocery stores. That turned out to be the least of it.

TL;DR

BIPA is an Illinois law requiring private companies to obtain your written consent before collecting biometric data — fingerprints, face scans, iris scans, voiceprints, and hand geometry. It mainly protects people whose biometric data is collected in connection with Illinois, including Illinois workers and residents — not just employees of Illinois-headquartered companies. Violations carry liquidated damages of $1,000 for negligent violations or $5,000 for intentional or reckless violations, subject to the 2024 limits on repeated collection and disclosure. A five-year statute of limitations applies. You do not need to prove actual injury to file a claim. On April 1, 2026, a federal appeals court ruled that damages are limited for repeated collection of the same person's same biometric data using the same method — meaning many federal BIPA cases can no longer multiply damages scan by scan, though the limit is tied to those specific conditions, not simply a blanket one-claim-per-person rule. All of BIPA's underlying notice and consent duties remain fully in force.

$1,000 per negligent violation

$5,000 per intentional or reckless violation

5 yrs: statute of limitations to file

What is BIPA and why does Illinois have it?

The Biometric Information Privacy Act was signed into law in Illinois on October 3, 2008 — one of the first U.S. laws to give people a private right to sue over biometric privacy violations. It was passed unanimously in both chambers and was designed to regulate how private companies collect, store, use, and eventually destroy people's biometric data.

The core premise is straightforward: biometric identifiers are permanent. If your Social Security number is compromised, it can be changed. Your fingerprint cannot. That permanence is exactly what makes biometric data valuable to companies — and exactly what makes an unconsented collection something the legislature decided required specific legal guardrails.

What made BIPA different from other privacy laws, then and now, is its private right of action. You do not need a government agency to investigate or sue on your behalf. If a company violates BIPA, you can take them to court yourself — and collect statutory damages without having to prove that you were actually harmed. The Illinois Supreme Court confirmed this in 2019, holding that a technical violation of the law is enough to sue. The requirement that companies must post a biometric data retention and deletion policy is one of BIPA's most basic compliance standards. It also became one of the most commonly alleged violations in class action filings.

What counts as biometric data under BIPA?

The statute defines "biometric identifier" to include retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. "Biometric information" means any data derived from those identifiers that is used to identify an individual.

What the law does not cover is equally important. Photographs are excluded — as are writing samples, written signatures, physical descriptions like height, weight, hair color, and eye color, and demographic data. Medical images used for diagnosis or treatment (X-rays, MRIs, CT scans, PET scans, mammography) are excluded, as is information collected in a health care setting or governed by HIPAA. Biological materials regulated under Illinois's Genetic Information Privacy Act, donated organs and tissues, and certain other categories are also excluded, among other exclusions specified in the statute.

Practical upshot: a photo of your face is not a biometric identifier under BIPA. A facial geometry scan derived from that photo — the kind used to identify you across multiple images — is.

Does BIPA apply to me if I live or work in Illinois?

BIPA applies to private entities that collect, capture, purchase, receive, possess, or disclose biometric identifiers or biometric information of people in Illinois. It is not limited to employers — consumer-facing companies, apps, retailers, and other private entities can all be covered if they collect biometric data from Illinois residents.

Illinois workers are covered even if their employer is headquartered outside the state. If you work in Illinois and your employer uses a fingerprint time clock or facial recognition access system, BIPA's requirements apply to that collection regardless of where the company is incorporated.

What BIPA does not cover: state and local government agencies, Illinois courts and court officials, and financial institutions and their affiliates that are subject to Title V of the Gramm-Leach-Bliley Act. Contractors, subcontractors, or agents acting on behalf of state or local government agencies are also excluded when operating in that capacity.

Important limitation: BIPA is an Illinois law. If you live and work entirely outside Illinois and your employer is not collecting data in Illinois, BIPA does not apply. Several other states have enacted similar laws, but none yet with the same combination of statutory damages and a private right of action that has made Illinois BIPA so consequential.

What are companies legally required to do before collecting your biometric data?

Before collecting any biometric identifier or biometric information, a covered private entity must do three things: inform the individual in writing that biometric data is being collected and the specific purpose and duration of that collection; obtain a written release from the individual (the 2024 amendment to BIPA updated the definition of "written release" to include an electronic signature); and make publicly available a written policy establishing a retention schedule and guidelines for permanently destroying biometric data — either when the original purpose has been satisfied, or within three years of the individual's last interaction with the entity, whichever comes first.

Companies are also prohibited from selling, leasing, trading, or otherwise profiting from biometric data. Disclosure to third parties is allowed only when the individual consents, when the disclosure completes a financial transaction requested or authorized by the individual, when it is required by state or federal law, or when it is required by a valid warrant or subpoena. Biometric data must be stored and transmitted with protections at least as strong as those the company applies to other sensitive or confidential information.

These requirements describe steps that most people assume any company handling their fingerprints or face scans would follow as a matter of course. Under BIPA, assuming is not enough.

How much have companies actually paid out for BIPA violations?

The numbers are large enough that the individual settlements warrant their own sentences. Facebook paid $650 million in 2021 to settle a class action alleging its tag suggestion feature — which identified faces in uploaded photos to suggest who to tag — collected Illinois users' facial geometry without consent. Facebook described the feature as a convenience for organizing photos. A federal judge called the resulting settlement a "landmark result."

Google paid $100 million in 2022 to resolve claims that its Google Photos face grouping tool, which sorted photos by facial similarity, violated BIPA by collecting facial geometry without consent. TikTok's parent company settled for $92 million the same year over allegations of collecting face and voice data from users. Snapchat settled for $35 million. Meta's Instagram settled for $68.5 million in 2023 over its facial recognition feature. Clearview AI resolved biometric privacy litigation through a settlement valued at approximately $51.75 million, structured as a 23% equity stake rather than a cash fund.

It is not only technology platforms. Employers across Illinois have faced BIPA class actions for using biometric time clocks and access control systems without BIPA-compliant policies. Speedway settled a case involving roughly 7,700 current and former Illinois employees for $12.1 million in 2025. In 2025 alone, at least 100 new putative BIPA class actions were filed.

What did the April 2026 federal court ruling change about BIPA damages?

On April 1, 2026, a unanimous panel of the U.S. Court of Appeals for the Seventh Circuit held in Clay v. Union Pacific Railroad Co. that BIPA's 2024 damages amendment applies retroactively to cases that were pending in federal court when the amendment was enacted. The ruling significantly limits per-scan damages theories in federal BIPA cases — though it does not bind Illinois state courts, and the Illinois Supreme Court has not yet addressed retroactivity directly.

To understand why the ruling mattered, some background: In 2023, the Illinois Supreme Court held in Cothron v. White Castle System, Inc. that a new BIPA claim accrues each time biometric data is collected or transmitted without consent — not just at the first collection. Because BIPA allows up to $5,000 per violation, a single employee who scanned their fingerprint daily for several years could represent exposure in the millions. White Castle estimated its class-wide exposure could exceed $17 billion for approximately 9,500 employees. The Illinois Supreme Court acknowledged this and invited the legislature to clarify.

The legislature clarified in August 2024, amending BIPA to specify that repeated collection of the same biometric identifier from the same person using the same method constitutes a single violation, entitling a plaintiff to at most one recovery. What remained open was whether that cap applied to cases already filed. Clay answered: in federal court, it does. A plaintiff who alleged 1,500 fingerprint scans can no longer multiply statutory damages scan by scan for repeated collection of the same biometric data using the same method, at least in federal cases governed by Clay.

The Illinois Supreme Court used the phrase "annihilative liability" to describe the per-scan damages model and invited the legislature to act. The legislature acted. The Seventh Circuit then confirmed the action applied retroactively. That word appears, in some form, in all three proceedings.

What has not changed: all of BIPA's substantive duties — the written notice, the written consent, the publicly posted retention and destruction policy — remain fully intact. The ruling limits the multiplication of damages in federal court. It does not eliminate liability.

How do I find out if I'm part of an open BIPA class action?

Check your email and physical mail: Class action notices are typically sent to known class members by email or first-class mail. Search your inbox for the name of a company that collected your biometrics, or terms like "class action," "settlement notice," or "BIPA."

CourtListener.com and PACER: CourtListener (courtlistener.com) is free and searchable. Search a company's name plus "BIPA" to find pending or recently settled federal cases. PACER (pacer.gov) has broader federal court access and charges a small per-page fee.

Settlement administrator websites: Approved settlements are administered by firms like Angeion Group, JND Legal Administration, and Kroll Settlement Administration. If you know a settlement exists, search the company name plus "settlement claim" to find the official claim portal.

Illinois state court records: Many BIPA cases are filed in Cook County Circuit Court. Illinois courts online (illinoiscourts.gov) allows case lookups by party name. Search the employer or company name that collected your data.

What should I do if a company collected my biometric data without consent?

Document what you know: Note which company collected your data, what type of data it was (fingerprint, face scan, etc.), approximately when it began, and how it was collected (time clock, app, security system). This is the foundation of any claim.

Search for an existing class action first: If a case against the same company is already pending, you may automatically be a class member. Use the resources in the section above. Joining an existing class action is typically simpler than initiating a new one.

Consult a BIPA plaintiff attorney: If no case exists, most BIPA plaintiff attorneys work on contingency — you pay nothing unless there is a recovery. Many Illinois firms actively investigate new BIPA violations. A free consultation costs nothing and will tell you whether your facts support a claim.

Know your deadline: BIPA claims are subject to a five-year statute of limitations under Illinois law (Tims v. Black Horse Carriers, 2023). The timing of when that window opens can depend on the facts — including when biometric data was collected or disclosed — so do not assume the deadline runs only from the first scan. An attorney can help assess your specific timeline.

No actual injury required: You do not need to show that your biometric data was breached, misused, or caused you concrete harm. The Illinois Supreme Court held in Rosenbach v. Six Flags (2019) that a technical violation of BIPA — failing to get written consent, failing to post a retention policy — is enough to sue.

Sources: Illinois Biometric Information Privacy Act, 740 ILCS 14 (Illinois General Assembly). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. S. Ct.). Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Ill. S. Ct.). Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. S. Ct.). Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026). Illinois Public Act 103-769 (BIPA damages amendment, Aug. 2, 2024). Settlement approvals: Facebook ($650M, N.D. Cal. 2021); Google ($100M, N.D. Cal. 2022); TikTok ($92M, N.D. Ill. 2022). eosguide is an information clearinghouse — always verify current details and case status on the official court or settlement administrator site.
