Biometric Data Compliance for AI Hiring
Illinois BIPA (740 ILCS 14) and Texas CUBI (Tex. Bus. & Com. Code § 503.001) regulate biometric data in hiring — including facial geometry and voiceprints collected by AI video interview tools like HireVue and Paradox.
EmployArmor manages consent workflows, retention schedules, and destruction logs for biometric data compliance — before a class action forces the issue.
Biometric Compliance Requirements for AI Hiring
BIPA, CUBI, and Washington's biometric law each create distinct obligations. Here are the four compliance areas every employer must address.
What Counts as Biometric Data
Under 740 ILCS 14 (BIPA) and Tex. Bus. & Com. Code § 503.001 (CUBI), biometric data includes fingerprints, voiceprints, facial geometry scans, retina scans, and hand geometry. AI video tools that analyze facial expressions or voice patterns during interviews collect biometric data — even if the employer never sees the raw scan.
Consent Requirements
Both BIPA and CUBI require written consent before collection. Employers must inform applicants of the purpose, explain the retention period, and obtain signed authorization. Video interview platforms collecting biometric data on behalf of an employer do not eliminate the employer's consent obligations.
Retention Limits
BIPA requires destruction when the original purpose is met or after 3 years (whichever is first). CUBI requires destruction within 1 year of last interaction or when the purpose expires. Washington's biometric law (Wash. Rev. Code § 19.375) requires annual security audits of biometric data systems used in employment.
Destruction Obligations
Employers must have a published written policy on biometric data destruction and follow it. Permanent destruction means data cannot be recreated. Deletion from active systems is insufficient if backup copies exist — all copies must be destroyed within the required timeframe.
Biometric compliance automation for every AI hiring tool
BIPA class actions don't require a data breach — just proof of unconsented collection. EmployArmor closes the gap between your video interview vendor's collection and your legal consent obligations.
- Biometric consent workflow with per-applicant tracking
- Retention schedule tracker with automated destruction reminders
- Destruction log with audit trail for BIPA/CUBI compliance
- BIPA policy generator with required public disclosure
- Vendor biometric audit — flags which tools collect biometric data
- Class action risk assessment by state and headcount
Biometric Data Laws by State
Illinois BIPA is the highest-risk law due to its private right of action. Texas CUBI and Washington's law add AG enforcement on top.
| State | Status | Risk |
|---|---|---|
| Illinois | In effect — private right of action | High |
| Texas | In effect — AG enforcement | High |
| Washington | In effect — AG enforcement | Medium |
| Arkansas | Limited scope — monitor | Low |
Updated March 2026. EmployArmor monitors all 50 states for biometric and AI employment legislation.
Why AI Video Tools Trigger BIPA
Most HR teams assume biometric laws only apply to fingerprint scanners. They don't. HireVue, Paradox, and similar AI video tools that analyze facial expressions or voice patterns during interviews collect biometric data under 740 ILCS 14 (BIPA).
The HireVue/Intuit case highlighted how AI video interview tools expose employers to biometric liability even when the employer never directly accesses the raw biometric data. Under BIPA, the employer is responsible for the consent obligations — not just the vendor. BIPA class actions have resulted in settlements exceeding $100M for large employers.
The EEOC's guidance on AI hiring and the OFCCP both note biometric collection risks. EmployArmor's biometric compliance tool integrates with your vendor risk assessment to flag which tools in your stack collect biometric data. Review our AI hiring compliance checklist for a full pre-deployment review.
Frequently Asked Questions
What biometric data is regulated under Illinois BIPA in hiring?
Illinois BIPA (740 ILCS 14) covers any biometric identifier collected from a job applicant, including fingerprints, retina scans, voiceprints, and facial geometry derived from AI video interview analysis. HireVue and similar video interview platforms that use facial analysis or voice AI to evaluate candidates collect biometric data under BIPA's definition, even if the underlying imagery is video rather than a dedicated scan.
What are the BIPA consent requirements before collecting biometric data?
Under 740 ILCS 14, employers must: (1) inform the subject in writing that biometric data is being collected, (2) explain the specific purpose and length of time for which the data will be collected, stored, and used, and (3) obtain a written release signed by the subject before collection. Consent after collection does not cure a violation. Penalties run $1,000 per negligent violation and $5,000 per intentional or reckless violation, per person.
What is the Texas CUBI law and how does it differ from BIPA?
Texas CUBI (Tex. Bus. & Com. Code § 503.001) covers biometric identifiers including retina or iris scans, fingerprints, voiceprints, and facial geometry records. Unlike BIPA, CUBI allows the Texas Attorney General to bring civil enforcement actions (not private class actions), with penalties up to $25,000 per violation. CUBI has a 3-year retention limit and requires destruction when the purpose for collection expires or within 1 year of the last interaction with the individual.
Does my video interview tool collect biometric data under BIPA?
If your video interview tool uses facial analysis, emotion detection, or voice pattern analysis to evaluate candidates, it almost certainly collects biometric data under 740 ILCS 14. HireVue, Paradox, and other AI video tools that analyze facial geometry or voiceprints during interviews trigger BIPA consent requirements for all Illinois applicants. The employer is responsible for BIPA compliance even if the collection happens through a vendor's platform.
How long can biometric data be retained under BIPA?
Under 740 ILCS 14/15, biometric data must be destroyed when the initial purpose for collection has been satisfied, or within 3 years of the last interaction with the subject — whichever comes first. Employers must have a publicly available written policy for retention schedules and guidelines for permanent destruction. Failure to maintain or follow a retention schedule is an independent BIPA violation.
Close Your Biometric Compliance Gap Before a Class Action Does
BIPA class actions don't require a data breach — unconsented collection is enough. EmployArmor automates consent, retention, and destruction for every AI hiring tool in your stack.