
BIPA

The Illinois Biometric Information Privacy Act (740 ILCS 14) — the most consequential US state biometric-privacy law, regulating the collection, storage, use, disclosure, and destruction of biometric identifiers, with liquidated damages of $1,000 per negligent and $5,000 per intentional or reckless violation (or actual damages if greater) and a private right of action that has driven massive class-action verdicts and settlements.

Detailed Definition

BIPA (Biometric Information Privacy Act) is the Illinois state law (740 ILCS 14, enacted 2008) that regulates how private entities collect, use, store, disclose, and destroy biometric identifiers — fingerprints, face geometry, voiceprints, retina or iris scans, hand or palm geometry — and biometric information derived from those identifiers. The statute defines biometric information as any information based on a biometric identifier that is used to identify a person, "regardless of how it is captured, converted, stored, or shared", so a matching template counts even though the original image is discarded. BIPA applies to any private entity that collects biometric data from people in Illinois, including out-of-state employers with Illinois employees, making it broadly applicable to multistate organisations. With statutory damages, a private right of action, and a procedural posture that favours class certification, BIPA has produced some of the largest privacy-related verdicts and settlements in US history. For HR teams operating biometric attendance, BIPA compliance is a critical concern.

**Why BIPA matters more than other biometric laws.** Several states regulate biometric data — Texas's Capture or Use of Biometric Identifier Act (CUBI), Washington's HB 1493, and biometric provisions in the newer comprehensive privacy statutes and pending bills of Colorado, Virginia, New York, Maryland, and others. But BIPA stands out for several reasons. (1) **Private right of action** — individuals can sue directly without going through a state agency, enabling class actions. (2) **Statutory damages** — liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (or actual damages, whichever is greater), eliminating the need to prove actual harm. (3) **Per-scan accrual** — the Illinois Supreme Court's 2023 Cothron decision held that a separate claim accrues with each scan, multiplying potential damages enormously for employers using biometric attendance daily. (4) **Class certification** — Illinois courts have certified BIPA class actions involving thousands of employees. (5) **Attorneys' fees** — successful plaintiffs recover attorneys' fees, incentivising the plaintiffs' bar to pursue BIPA claims aggressively. The combined effect has been verdicts and settlements in the tens or hundreds of millions of dollars: White Castle settled the Cothron class action for over $9 million, and the jury in the BNSF Railway case returned a $228 million verdict (later vacated as to damages, after which the case settled).

**BIPA requirements.** Employers using biometric data on Illinois employees must (1) **Maintain a written policy** — establishing the specific purpose for collection, the length of retention, and the destruction guidelines. The policy must be made available to the public (Section 15(a)). (2) **Obtain a written, signed release** — before collecting biometric data, the entity must inform the subject in writing about the collection, the specific purpose, and the term over which the data will be used, and obtain a written release signed by the subject (Section 15(b)); since the August 2024 amendment the release may be signed electronically. (3) **Refrain from sale or profit** — biometric data cannot be sold, leased, traded, or otherwise profited from (Section 15(c)). (4) **Do not disclose without consent** — biometric data may not be disclosed or disseminated to third parties without the subject's consent, save for the statute's narrow exceptions (Section 15(d)); this is the provision that governs vendor and cloud transfers. (5) **Protect data appropriately** — biometric data must be stored, transmitted, and protected from disclosure using the reasonable standard of care within the industry, and at least as protectively as the entity stores other confidential information (Section 15(e)). (6) **Destroy when purpose is satisfied** — biometric data must be destroyed when the initial purpose for collection has been satisfied, or within 3 years of the individual's last interaction with the entity, whichever occurs first (Section 15(a)).

**The Cothron decision and per-scan damages.** In Cothron v. White Castle System, Inc. (Ill. 2023), the Illinois Supreme Court held that BIPA claims under Sections 15(b) and 15(d) accrue with each separate scan or transmission of biometric data, not just at the initial collection. For a workplace using biometric clock-in twice a day (clock-in, clock-out) over multiple years across thousands of employees, the per-scan multiplier creates astronomical potential exposure; the court's opinion noted White Castle's own estimate of more than $17 billion. The decision materially shifted employer behaviour toward minimising BIPA exposure through compliance discipline, biometric alternatives, or limiting Illinois biometric deployments. In August 2024 the legislature responded with Public Act 103-0769 (SB 2979), which amends Section 20 so that repeated collection or disclosure of the same biometric identifier from the same person by the same method counts as a single violation, capping the multiplier going forward; whether the amendment reaches conduct that predates it is still being litigated, so employers with historic deployments should not assume the per-scan exposure has disappeared.

**Best-practice BIPA compliance.** Employers running biometric attendance with Illinois employees should (1) **Audit current practice** — identify all biometric data uses (clock-in/out devices, security cameras with face recognition, voice biometrics, etc.). (2) **Issue compliant releases** — written, signed BIPA releases for every Illinois employee using biometric systems, before any data collection. (3) **Publish written policy** — purpose, retention, destruction; publicly available. (4) **Vendor diligence** — biometric-system vendors should provide BIPA-compliant data handling, with templates stored on devices rather than central servers where possible, and contracts should bar the vendor from any onward disclosure or use beyond the employer's stated purpose. (5) **Data minimisation** — collect only what is needed, store it for only as long as needed. (6) **Storage segregation** — biometric data isolated from other systems, with stricter access controls and encryption in transit and at rest. (7) **Regular destruction** — automated destruction of biometric data when the collection purpose is satisfied (typically separation) or 3 years after the employee's last interaction, whichever comes first; the 3-year figure is a backstop, not a default retention period. (8) **Training** — HR and managers trained on BIPA requirements. (9) **Insurance review** — confirm BIPA coverage in EPLI policies; many policies carry specific BIPA exclusions or sub-limits.

**Architectural protection through templates.** A particularly important BIPA-compliance pattern is storing biometric templates on the local device rather than transmitting raw biometric data to central servers. ZKTeco devices, for example, extract a mathematical template from each fingerprint scan and store the template on the device; only the template (not the original biometric image) is used for subsequent matching. The HR system receives only hashed punch events with timestamps, device IDs, and user IDs, not the underlying biometric data. Two caveats matter here. First, a template is still "biometric information" under the statute, which covers derived data "regardless of how it is captured, converted, stored, or shared", so device-local storage does not remove the written-policy or release duties; what it does is shrink the disclosure and breach surface (Sections 15(d) and 15(e)) by keeping the template off servers and vendor clouds. Second, the device is now the biometric store and must be protected to the 15(e) standard: replace default administrator credentials, restrict its network exposure to the HR integration, authenticate and encrypt the device-to-server channel, lock down any template export function, and wipe templates from the device on separation or retention expiry.
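The following is an added example and is not Peoplifi's, ZKTeco's or Suprema's code. It turns three of the duties discussed above into checks an integrator can run against an enrolment register and the device-to-HR feed: the release-before-collection gate (Section 15(b)), the destruction deadline rule (Section 15(a): purpose satisfied or 3 years after the last interaction, whichever is first), and a fail-closed data-minimisation gate that keeps the HR side to punch events only. The record fields, the `Enrolment` type, and the sample register are constructed for illustration; the device-side delete call is left to the device API.

```python
"""Added example (not vendor code): BIPA Section 15 duties expressed as checks.

  enrolment_allowed()    15(b): no template until a written release is on file.
  destruction_deadline() 15(a): purpose satisfied or 3 years after the last
                         interaction, whichever is first; overdue_templates()
                         lists what must be purged from the devices.
  accept_punch()         data minimisation on the device -> HR feed: keep only
                         (user_id, device_id, timestamp); refuse anything that
                         looks like template or image material.

Field names and sample data are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

# 740 ILCS 14/15(a): "... or within 3 years of the individual's last
# interaction with the private entity, whichever occurs first."
RETENTION_BACKSTOP_YEARS = 3


@dataclass
class Enrolment:
    user_id: str
    device_id: str
    enrolled_on: date                     # day the template was created on the device
    release_signed_on: Optional[date]     # None = no written release on file
    last_interaction: Optional[date]      # most recent punch; None if never used
    purpose_satisfied_on: Optional[date]  # e.g. separation date; None = still employed


def enrolment_allowed(e: Enrolment) -> bool:
    """15(b): the release must be signed no later than the day of collection."""
    return e.release_signed_on is not None and e.release_signed_on <= e.enrolled_on


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb lands on 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(e: Enrolment) -> date:
    """15(a): purpose satisfied or 3 years after the last interaction, whichever
    is first. A template that was never used still had one interaction, the
    enrolment itself, so the clock starts there rather than never."""
    last = e.last_interaction or e.enrolled_on
    backstop = add_years(last, RETENTION_BACKSTOP_YEARS)
    if e.purpose_satisfied_on is None:
        return backstop
    return min(e.purpose_satisfied_on, backstop)


def overdue_templates(register: list[Enrolment], today: date) -> list[tuple[str, str, str]]:
    """(user_id, device_id, deadline) for every template past its deadline.
    Feed this to the device API's delete-user call and to the audit log."""
    return [(e.user_id, e.device_id, destruction_deadline(e).isoformat())
            for e in register if destruction_deadline(e) <= today]


# Key fragments that indicate a device is pushing biometric material, not events.
BIOMETRIC_KEY_FRAGMENTS = ("template", "fingerprint", "face", "image", "biometric", "feature")


def accept_punch(payload: dict) -> dict:
    """Fail-closed gate on the device -> HR feed (15(d)/15(e) exposure control).
    Keeps only the punch event and raises if anything template-like arrives, so a
    misconfigured device cannot quietly turn the HR database into a biometric store."""
    leaked = sorted(k for k in payload if any(f in k.lower() for f in BIOMETRIC_KEY_FRAGMENTS))
    if leaked:
        raise ValueError(f"payload carries biometric material in fields {leaked}")
    missing = sorted({"user_id", "device_id", "ts"} - set(payload))
    if missing:
        raise ValueError(f"punch is missing required fields {missing}")
    ts = datetime.fromisoformat(payload["ts"])
    if ts.tzinfo is None:  # punch times are evidence; refuse ambiguous local times
        raise ValueError("timestamp must carry a UTC offset")
    return {"user_id": str(payload["user_id"]), "device_id": str(payload["device_id"]),
            "ts": ts.astimezone(timezone.utc).isoformat()}


# Constructed sample register (fictional employees and device IDs).
SAMPLE_REGISTER = [
    Enrolment("E1001", "ZK-LOBBY-01", date(2021, 3, 1), date(2021, 2, 26), date(2024, 5, 31), None),
    Enrolment("E1002", "ZK-LOBBY-01", date(2021, 3, 1), date(2021, 3, 5), date(2022, 4, 15), None),  # release after collection
    Enrolment("E1003", "ZK-DOCK-02", date(2020, 1, 10), date(2020, 1, 9), None, None),              # enrolled, never punched
    Enrolment("E1004", "ZK-DOCK-02", date(2023, 8, 14), date(2023, 8, 14), date(2024, 2, 2), date(2024, 2, 2)),  # separated
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        status = "release ok" if enrolment_allowed(e) else "NO RELEASE BEFORE COLLECTION"
        print(e.user_id, status, "destroy by", destruction_deadline(e))
    print("overdue:", overdue_templates(SAMPLE_REGISTER, TODAY))
```

Run against the sample register, E1002 is flagged because its release was signed four days after the template was created (a release obtained afterwards does not cure the 15(b) violation), E1003 is overdue because a never-used template still has an enrolment date that started the three-year clock, and E1004 is overdue because separation satisfied the purpose well before the backstop. The punch gate shows why "only events leave the device" has to be enforced at the ingest boundary rather than assumed from the device's marketing.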

**Multi-state implications.** Texas's CUBI imposes similar notice-and-consent, protection, and destruction requirements but lacks BIPA's private right of action; it is enforced only by the state attorney general through civil penalties. Washington's HB 1493 has narrower scope (biometric identifiers enrolled in a database for a commercial purpose) and is likewise enforced only by the attorney general. Colorado, Virginia, New York, Maryland, and other states treat biometric data as sensitive data under comprehensive privacy statutes or have biometric bills pending, with varying scope. Multi-state employers should map each biometric-data use against every applicable state's law and apply the most stringent requirements consistently; in practice that means running the BIPA programme everywhere.

**Remediation when discovered.** Employers discovering BIPA non-compliance should (1) Cease ongoing biometric collection until compliant. (2) Obtain compliant releases going forward (a release signed now does not cure claims that have already accrued). (3) Document policy and release status for ongoing operations. (4) Consult specialised counsel on litigation exposure. (5) Consider switching to non-biometric alternatives for Illinois employees if the compliance burden exceeds the benefits. Because every further uncovered scan adds to exposure, early remediation is critically important.

**Common BIPA pitfalls.** First, deploying biometric systems without BIPA-compliant releases. Second, failing to issue or publish the written retention policy. Third, treating biometric data with the same protections as ordinary employment data rather than the heightened standard the statute requires. Fourth, retaining biometric data beyond the purpose-satisfied or 3-year limit. Fifth, transmitting biometric data to vendors or cloud servers without the subject's consent and without BIPA-compliant data-processing agreements. Sixth, conflating BIPA with other state biometric laws and applying their weaker requirements.

**Automation through Peoplifi.** Peoplifi's biometric integrations store templates on the device (ZKTeco, Suprema), never on Peoplifi servers. Punch events are hashed timestamps with device and user references, minimising the scope of biometric data Peoplifi processes. BIPA-release workflows ensure Illinois employees sign compliant releases before biometric enrolment. Retention policies enforce destruction when the purpose is satisfied or 3 years after the last interaction, whichever comes first. Audit logs document compliance for any future BIPA inquiry.

Example

Before enrolling Illinois employees in fingerprint clock-in, we obtained signed BIPA releases and updated our biometric retention policy.

Related Terms

Biometric Attendance, CCPA
