What is BIPA (Biometric Information Privacy Act)?
Illinois' groundbreaking 2008 biometric privacy law that requires companies to obtain informed consent before collecting fingerprints, facial scans, or other biometric data — and allows individuals to sue for violations, resulting in billions of dollars in settlements.
Also known as: Biometric Information Privacy Act, Illinois BIPA, Illinois Biometric Law
BIPA is the most powerful privacy law in the United States — not because of what it regulates, but because it lets ordinary people sue companies directly for violating their biometric privacy. This private right of action has produced billions in settlements.
What It Requires
- Informed consent before collecting biometric data (fingerprints, facial geometry, iris scans, voiceprints)
- Written notice explaining why the data is being collected and how long it will be stored
- A retention schedule — companies must publish a policy on when they'll destroy biometric data
- No selling or profiting from biometric data
- Reasonable security measures to protect stored biometrics
What Makes BIPA Unique
Private Right of Action
Unlike most US privacy laws, BIPA allows individual lawsuits — you don't need the attorney general to sue on your behalf. Damages:
- $1,000 per negligent violation
- $5,000 per intentional or reckless violation
- When multiplied by millions of users, this creates massive liability
Landmark Settlements
| Company | Settlement | Year | Issue |
|---|---|---|---|
| Facebook | $650 million | 2021 | Photo tag suggestions using facial recognition |
| Google | $100 million | 2023 | Google Photos face grouping |
| TikTok/ByteDance | $92 million | 2022 | Facial feature collection |
| Clearview AI | $50 million (injunction) | 2024 | Scraping facial images |
| BNSF Railway | $228 million | 2023 | Fingerprint scans of truck drivers |
Why Biometric Data Is Different
- You cannot change your fingerprints, face, or iris if they're compromised
- Biometric data is uniquely identifying — it's literally who you are
- Unlike a password breach, a biometric breach is permanent
- Biometric databases are high-value targets for identity thieves and governments
Influence on Other States
BIPA has inspired biometric privacy laws in:
- Texas (CUBI Act — but no private right of action)
- Washington (biometric provisions in state privacy law)
- New York City (biometric privacy ordinance for businesses)
- Several other states with proposed legislation
The private right of action is the key — without it, companies face little real consequence for biometric data misuse.
Related Terms
Biometric Authentication
Using physical characteristics like fingerprints, face geometry, iris patterns, or voice to verify identity.
Biometric Database
A centralized collection of biometric data (fingerprints, face scans, iris patterns) that once breached cannot be remediated because biometric data cannot be changed.
Biometrics
Authentication using unique physical or behavioral characteristics like fingerprints, facial features, iris patterns, or voice. While convenient, biometrics have a fundamental problem: you can't change them if compromised.
Facial Recognition
Technology that identifies or verifies individuals by analyzing facial features from photos or video footage, increasingly used for mass surveillance.
GDPR
The General Data Protection Regulation is a comprehensive data protection law in the European Union that gives individuals control over their personal data. It establishes strict requirements for how organizations collect, process, store, and transfer personal information.