The Illinois Biometric Information Privacy Act is the most consequential biometric privacy law in the United States, primarily because it provides a private right of action — allowing individuals to sue for statutory damages without proving actual harm. No other US biometric privacy law offers this combination of strong protections and individual enforcement power.
BIPA requires private entities to obtain informed written consent before collecting biometric identifiers (fingerprints, voiceprints, facial geometry, iris scans, retina scans) or biometric information. Entities must establish a publicly available written policy for retention and destruction of biometric data, and must destroy biometric data within 3 years of the last interaction or when the initial purpose for collection has been satisfied, whichever comes first.
BIPA has generated thousands of lawsuits against technology companies and platforms. Major settlements include Facebook/Meta ($650 million, 2021), Google ($100 million, 2022), TikTok ($92 million, 2022), and Snapchat ($35 million, 2022). The Illinois Supreme Court ruled in Rosenbach v. Six Flags (2019) that plaintiffs need not allege actual injury beyond the technical violation itself, making BIPA uniquely powerful among US privacy laws.