Illinois Biometric Information Privacy Act (BIPA)
Citation: 740 ILCS 14/
Effective: October 3, 2008
Jurisdiction: Illinois — applies when employees or applicants are located in Illinois
Enforced by: Private right of action (civil courts); Illinois Attorney General
Official Source: Illinois Compiled Statutes – 740 ILCS 14/
Overview
The Illinois Biometric Information Privacy Act (BIPA) is the nation's most stringent biometric privacy law and a critical compliance requirement for any employer using AI hiring tools that capture or analyze biometric data. While BIPA predates the AI hiring boom, it applies directly to AI-powered video interview platforms, facial recognition tools, and any technology that collects biometric identifiers from job applicants or employees in Illinois.
Why BIPA matters: BIPA provides a private right of action — any individual whose biometric data was collected without proper consent can sue directly, without demonstrating actual harm. This has made BIPA the source of the largest class action verdicts in U.S. employment law history.
Bottom line for employers: If any AI hiring tool you use captures facial geometry or voiceprints from Illinois applicants, BIPA compliance is mandatory — in addition to Illinois AIVIA compliance.
What Is "Biometric Data" Under BIPA?
BIPA defines biometric identifiers as:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Scans of hand or face geometry
- Any other unique biological characteristic
Biometric information means any information based on a biometric identifier, regardless of how captured or stored.
How AI Hiring Tools Collect Biometric Data
Modern AI hiring tools frequently capture biometric data without employers realizing it:
| AI Tool Type | Biometric Data Collected |
|---|---|
| AI video interview platforms (HireVue, Spark Hire) | Facial geometry, voiceprints |
| Identity verification / proctoring software | Face geometry scans |
| Emotion AI / affective computing tools | Facial geometry (micro-expressions) |
| Voice analysis AI | Voiceprints |
If your AI hiring tool processes any of these data types for applicants who are located in Illinois or are applying to Illinois jobs, BIPA compliance is mandatory.
Key BIPA Requirements
1. Written Retention and Destruction Policy
Before collecting biometric data, employers must:
- Establish a publicly available written policy governing biometric data retention
- Include a retention schedule and destruction guidelines
- Destroy data when the collection purpose is fulfilled, or within 3 years — whichever comes first
2. Informed Written Consent (Separate from AIVIA)
Before collecting biometric data, employers must:
- Inform the individual in writing that biometric data is being collected or stored
- Inform them of the specific purpose and length of time data will be used
- Receive a written release (signed consent) from the individual
This is separate from AIVIA consent. Both are required when your AI video tool captures biometric data.
3. Prohibition on Sale or Profit from Biometric Data
Employers cannot sell, lease, trade, or profit from a person's biometric data. This prohibition extends to AI vendors — review contracts to ensure vendors are not monetizing biometric data collected during hiring.
4. Reasonable Data Security
Biometric data must be protected with reasonable security measures at least as protective as those used for other sensitive information (e.g., Social Security numbers, financial data).
5. No Third-Party Disclosure Without Consent
Biometric data cannot be shared with third parties unless:
- The individual has given written consent, or
- Disclosure is required by law, or
- Disclosure is necessary to complete a financial transaction authorized by the individual
BIPA Penalties
BIPA's penalty structure is among the most severe in U.S. privacy law:
| Violation Type | Penalty Per Violation |
|---|---|
| Negligent violation | $1,000 OR actual damages (whichever is greater) |
| Intentional or reckless violation | $5,000 OR actual damages (whichever is greater) |
| Attorney's fees | Recoverable by prevailing plaintiff |
| Injunctive relief | Court may halt biometric data practices |
There is no cap on aggregate damages. Each individual whose data was collected without proper consent represents a separate violation. In large hiring operations, aggregate damages can reach tens or hundreds of millions of dollars.
Notable BIPA Settlements in Hiring
- BNSF Railway: $228 million jury verdict (2022) — fingerprint scanning without proper policy
- TikTok: $92 million settlement (2021) — biometric data collection without consent
- Various HR/staffing companies: Multiple multi-million dollar class actions involving AI video interview platforms
AIVIA vs. BIPA: Side-by-Side Compliance
Illinois employers using AI video interview tools must comply with both BIPA and AIVIA (820 ILCS 42/):
| Requirement | AIVIA (820 ILCS 42/) | BIPA (740 ILCS 14/) |
|---|---|---|
| Pre-interview disclosure | ✓ Required | ✓ Required (if biometric data) |
| Written consent | ✓ Required | ✓ Required (written release) |
| Consent form | AI-focused disclosure | Biometric-specific written release |
| Data retention limits | 30-day deletion on request | Destroy when purpose fulfilled or 3 years |
| Alternative process | ✓ Required | Best practice |
| Vendor transparency | ✓ Required | ✓ Required (no third-party disclosure) |
| Penalties | $500–$2,500/violation | $1,000–$5,000/violation + private suits |
Practical takeaway: Create a combined consent form that explicitly addresses both AIVIA disclosure requirements and BIPA's written release requirements.
Employer Compliance Checklist
- Identify all AI hiring tools that capture biometric data (facial geometry, voiceprints)
- Draft and publish a BIPA-compliant biometric data retention and destruction policy
- Create a BIPA-specific written consent/release form (separate from AIVIA consent)
- Audit AI vendors: Do they capture biometric data? Do they have BIPA certifications?
- Ensure vendor contracts prohibit sale or profiting from biometric data
- Implement data destruction workflows to delete biometric data within required timeframes
- Train HR, IT, and legal teams on BIPA obligations
- Review and update policies annually
Vendor Due Diligence Questions
When evaluating AI hiring tools for BIPA compliance, ask vendors:
- Does your tool capture, store, or analyze facial geometry, voiceprints, or other biometric identifiers?
- Do you maintain a BIPA-compliant biometric data retention and destruction policy?
- Can you provide written confirmation of BIPA compliance?
- Do you share or sell biometric data to any third parties?
- What security measures protect biometric data in transit and at rest?
- Will you contractually indemnify us for BIPA claims arising from your tool's data practices?
2023–2026 BIPA Developments
| Development | Impact |
|---|---|
| Illinois Supreme Court (2023) | Each scan or transmission of biometric data is a separate violation — dramatically increasing per-plaintiff exposure |
| SB 2134 (2023) | Modified the limitations period for BIPA claims (procedural, not substantive) |
| Ongoing class actions 2025–2026 | AI video interview platforms remain a primary BIPA target |
How EmployArmor Helps
EmployArmor provides Illinois employers with:
- BIPA + AIVIA combined consent templates for AI video interviews
- Vendor compliance scorecards to assess biometric data practices
- Automated data deletion workflows to meet destruction deadlines
- Regulatory alerts for new BIPA court rulings and legislative changes
Frequently Asked Questions
Does BIPA apply if we use a third-party AI video platform?
Answer: Yes. As the employer, you are responsible for ensuring proper consent is obtained before your vendor's tool collects biometric data — even if collection happens on the vendor's platform.
Is a general terms of service agreement sufficient for BIPA consent?
Answer: No. BIPA requires a separate, specific written release that clearly describes what biometric data is being collected, why, and for how long. A general ToS does not satisfy BIPA requirements.
What if our AI tool only analyzes word choice and response content — no facial analysis?
Answer: If the tool does not capture biometric identifiers (no facial geometry, no voiceprint analysis), BIPA may not apply. Verify this with your vendor in writing before relying on this exception.
How long can we keep biometric data collected during interviews?
Answer: Until the purpose for collection is fulfilled (typically once a hiring decision is made) or within 3 years — whichever comes first. For rejected candidates, data should be deleted shortly after the hiring decision.
Can each scan be a separate BIPA violation?
Answer: Yes. The Illinois Supreme Court ruled in 2023 that each individual scan or transmission of biometric data is a separate violation. This dramatically increases aggregate exposure for large-scale hiring operations.
What is the difference between AIVIA and BIPA?
Answer: AIVIA (820 ILCS 42/) covers all AI tools used to evaluate video interviews and, since 2025, resume screening and ranking AI. BIPA (740 ILCS 14/) covers biometric data collection specifically — facial geometry, voiceprints, fingerprints. Both can apply simultaneously if your AI tool captures biometric data.
Last updated: March 2026. This content is for informational purposes only and does not constitute legal advice. Consult qualified employment counsel for guidance specific to your organization.