740 ILCS 14/1 et seq.

Biometric Information Privacy Act

Statute — Illinois, USA
Effective: October 3, 2008
36 platforms tracked
1115 provisions indexed
Enforced by: Illinois State Courts (private right of action), Illinois Attorney General
Last reviewed May 9, 2026

Overview

The Illinois Biometric Information Privacy Act is the most consequential biometric privacy law in the United States, primarily because it provides a private right of action — allowing individuals to sue for statutory damages without proving actual harm. No other US biometric privacy law offers this combination of strong protections and individual enforcement power.

BIPA requires private entities to obtain informed written consent before collecting biometric identifiers (fingerprints, voiceprints, facial geometry, iris scans, retina scans) or biometric information. Entities must establish a publicly available written policy for retention and destruction of biometric data, and must destroy biometric data within 3 years of the last interaction or when the initial purpose for collection has been satisfied, whichever comes first.

BIPA has generated thousands of lawsuits against technology companies and platforms. Major settlements include Facebook/Meta ($650 million, 2021), Google ($100 million, 2022), TikTok ($92 million, 2022), and Snapchat ($35 million, 2022). The Illinois Supreme Court ruled in Rosenbach v. Six Flags (2019) that plaintiffs need not allege actual injury beyond the technical violation itself, making BIPA uniquely powerful among US privacy laws.

Penalties

Private right of action: $1,000 per negligent violation, $5,000 per intentional or reckless violation (per scan/collection). No aggregate cap. Plus reasonable attorneys' fees and costs. Major settlements: Meta $650M (2021), Google $100M (2022), TikTok $92M (2022).

ConductAtlas maps governance language to potentially relevant regulatory frameworks. Regulatory applicability and enforceability may vary by jurisdiction, enforcement context, and individual circumstances. This page is informational and does not constitute legal advice.

Provisions Governed by BIPA (1115 across 36 platforms)

Provision | Platform | Severity
DNA Relatives and Sharing Features Consent | 23andMe | Medium
Separate Medical Record Privacy Notice for Telehealth | 23andMe | Medium
Prohibition on Insurance Company and Employer Use | 23andMe | Medium
Intellectual Property License | 23andMe | Medium
Sample Storage Choice | 23andMe | Medium
Restriction on Insurance Companies and Employers | 23andMe | Medium
Telehealth and Medical Record Privacy Notice | 23andMe | Medium
Age Restriction and Minimum Age Requirement | 23andMe | Medium
International Data Transfers | 23andMe | Medium
Account Deletion Right | 23andMe | Medium
Terms Modification with Continued Use as Acceptance | 23andMe | Medium
Account Deletion and Sample Discard | 23andMe | Medium
California Consumer Privacy Rights | 23andMe | Medium
Data Sharing with Third-Party Service Providers | 23andMe | Medium
CCPA Rights for California Residents | 23andMe | Medium
Genetic Data Research Use | 23andMe | Medium
Sharing Features Participation (DNA Relatives and Connections) | 23andMe | Medium
Telehealth Services and Separate Medical Record Privacy Notice | 23andMe | Medium
Business Email Domain Account Takeover | Adobe | Medium
Inferred Data and Third-Party Data Broker Sourcing | Adobe | Medium
Generative AI Training Prohibition (with Adobe Stock Exception) | Adobe | Medium
Cloud Content Analytics and Human Review | Adobe | Medium
Legitimate Interests Legal Basis | Adobe | Medium
Content Analytics Opt-Out Right | Adobe | Medium
Social Media Integration and Data Sharing | Adobe | Medium
Business Email Account Sharing with Employers | Adobe | Medium
Children's Privacy Restrictions | Adobe | Medium
Generative AI Training Carve-Out | Adobe | Medium
Business Transfer and Merger Data Disclosure | Adobe | Medium
GDPR Data Processing Agreement | Adobe | Medium

Showing 30 of 1115 provisions.

Frequently Asked Questions

What does BIPA require?

Which platforms does BIPA apply to?

ConductAtlas tracks BIPA-relevant provisions across 36 platforms. Each platform's specific provisions are classified by severity and mapped to BIPA requirements.

How does ConductAtlas monitor BIPA compliance?

ConductAtlas captures policy documents daily, classifies provisions by regulatory framework, and flags changes that affect BIPA obligations. Every change is archived with cryptographic verification.