Illinois maintains some of the most stringent biometric privacy protections in the United States, primarily through the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, the law requires private entities to obtain informed consent before collecting or storing biometric identifiers—such as fingerprints, retina scans, or facial geometry—and provides a private right of action for individuals to sue for violations.
Understanding the Illinois Biometric Information Privacy Act
The Illinois Biometric Information Privacy Act, or BIPA, serves as a foundational data protection statute. Unlike many state laws that focus on general data breaches, BIPA specifically regulates the lifecycle of biometric data. According to the American Civil Liberties Union (ACLU), the law mandates that private companies must inform individuals in writing that biometric data is being collected or stored and must receive a written release from the individual.

The statute defines biometric identifiers as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Under the law, companies are prohibited from profiting from this data and must establish a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers when the initial purpose for collection has been satisfied.
Legal Stakes and Private Right of Action
What distinguishes Illinois from most other states is the ability for individuals to seek legal recourse directly. Under 740 ILCS 14/20, any person aggrieved by a violation of the act has a right of action against an offending party.
This provision has led to significant litigation. As reported by the Illinois Supreme Court, the court clarified in the 2023 Cothron v. White Castle System, Inc. decision that BIPA claims accrue each time a company scans or transmits an individual’s biometric identifier without prior informed consent. This ruling underscored the potential financial liability for companies that fail to implement compliant data collection practices, as damages can be calculated on a per-violation basis.
Compliance Requirements for Businesses
For companies operating in Illinois, compliance is not optional. The Illinois Chamber of Commerce has frequently highlighted the necessity for businesses to audit their technology stacks to ensure any software utilizing facial recognition or fingerprint authentication meets the following criteria:

- Informed Consent: Obtaining a clear, written release before any biometric data is captured.
- Data Minimization: Collecting only the data necessary for the specific business purpose.
- Destruction Protocols: Ensuring that biometric data is permanently deleted within three years of the individual’s last interaction with the entity or when the purpose for collection is fulfilled, whichever occurs first.
- Public Disclosure: Maintaining a written policy that outlines the retention and destruction schedule.
Comparison of Biometric Privacy Frameworks
While Illinois remains at the forefront of biometric regulation, the landscape is shifting. Other states have begun to pass biometric privacy legislation, though many lack the same level of enforcement power found in Illinois.
| State | Statutory Focus | Private Right of Action |
|---|---|---|
| Illinois | BIPA (Strict) | Yes |
| Texas | Capture or Use of Biometric Identifier Act | No (Enforced by Attorney General) |
| Washington | Biometric Privacy Law | No (Enforced by Attorney General) |
In Texas and Washington, for instance, the authority to enforce biometric privacy violations generally rests with the state Attorney General rather than the individual consumer. This contrast highlights why Illinois remains the primary venue for biometric privacy litigation in the United States, as the ability for individuals to initiate lawsuits creates a higher threshold for compliance among tech providers and employers.
Worth a look