Illinois BIPA · Biometric Privacy

Biometric data is the most expensive data you hold.

Illinois BIPA requires informed written consent before you collect a fingerprint, face geometry, or voiceprint, plus a published retention-and-destruction schedule — and it carries a private right of action that has produced enormous class-action liability. Recent amendments narrowed per-scan damages, but the exposure is still real, and many AI tools collect biometrics as a byproduct. This practice audits where you touch biometric data and builds the consent and retention posture to defend it.

Flat-Fee BIPA Audit

Or hourly. Consent language, retention schedule, vendor review.

(773) 777-9888

What BIPA actually requires

BIPA (740 ILCS 14) governs how private entities handle biometric identifiers — fingerprints, retina or iris scans, voiceprints, and face or hand geometry — and the information derived from them. The core obligations are consent and transparency: before collecting biometric data, an entity must inform the person in writing of what is being collected and why, state how long it will be kept and when it will be destroyed, and obtain a written release. The entity must also maintain a publicly available retention-and-destruction schedule, must not sell or profit from biometric data, and must not disclose it without consent or another statutory basis. These requirements have been in place since 2008, and they apply regardless of whether the entity meant any harm — BIPA is a strict framework, which is exactly why it has generated so much litigation.

The 2024 amendment: real relief, not a repeal

For years, BIPA's exposure was amplified by the “per-scan” theory — the idea, endorsed by the Illinois Supreme Court in Cothron v. White Castle (2023 IL 128004), that a separate violation accrued every single time biometric data was collected, which for something like a daily fingerprint timeclock multiplied damages to staggering levels. In 2024, the legislature responded: SB 2979 (Public Act 103-0769, effective August 2, 2024) limited recovery so that repeated collection of the same biometric identifier from the same person by the same method of collection supports at most a single recovery, and applied a parallel single-recovery limit to repeated disclosures of the same biometric data involving the same person, same recipient, and same method — and it confirmed that an electronic signature counts as a valid written release. This is genuine relief and changes the damages math significantly. But it is not a repeal — the private right of action remains, the consent and retention obligations are unchanged, and an entity that never obtained proper consent is still exposed. As always, the current statute and any later developments should be confirmed, because this area continues to move.

Why AI deployments raise BIPA squarely

BIPA is not only a timeclock-and-door-scanner issue anymore. AI systems increasingly process exactly the kind of data BIPA governs: facial-recognition and face-matching tools, voice systems that create voiceprints, video analytics, and identity-verification features all may capture biometric identifiers. An organization deploying an AI product or vendor tool that touches faces or voices can walk into BIPA without recognizing it, because the biometric collection is buried inside the technology. This is where understanding how the systems actually work — not just the statute — matters: Adam advises from operational experience building and governing AI systems, holds the AIGP credential, and can evaluate where in an AI deployment biometric data is actually being captured, which is the question that determines BIPA exposure.

BIPA compliance audits and vendor exposure

Practical BIPA compliance is auditable. The work is identifying every point where biometric data is collected (including inside vendor tools and AI features), confirming that proper written consent and disclosures exist before collection, publishing and following a retention-and-destruction schedule, and locking down disclosure. Vendor relationships deserve particular attention, because a biometric device or AI service provided by a third party can create exposure for the business using it — which is one reason BIPA review and AI vendor-contract review often go together. A defensible BIPA posture is one where the organization can show, for each biometric touchpoint, that consent was obtained and the data is handled under a stated policy.

How the firm helps

This practice handles BIPA as a defined, deliverable scope: a biometric-data audit to map where collection happens, review and remediation of consent and disclosure practices, a compliant retention-and-destruction policy, and review of the vendor contracts behind any biometric or AI tools. Engagements are hourly, on a retainer, or flat-fee for a defined BIPA audit. Given how much BIPA exposure depends on whether proper consent existed at the moment of collection, the value is overwhelmingly in getting compliant before a claim, not after.

What usually goes wrong

The most damaging failure is collecting biometric data with no proper written consent and no retention policy — because BIPA liability turns on that consent existing at the time of collection, and there is no way to retroactively fix a missing consent after the data was already taken. A close second is assuming the 2024 single-recovery amendment made BIPA a minor concern; the private right of action and the consent and retention duties are fully intact, and an entity that never complied is still meaningfully exposed. The third is the hidden biometric capture inside an AI or vendor tool — face-matching, voiceprints, video analytics — that the organization never identified as biometric collection, so it never obtained consent it legally needed.

This material is attorney advertising and general information, not legal advice, and does not create an attorney-client relationship. AI, technology, and privacy law changes rapidly; no statute, deadline, or obligation here should be relied on without confirming its current status. Engagements contemplate coordination with intellectual property counsel and with local or outside counsel in other jurisdictions as appropriate.

Last reviewed: May 31, 2026. AI statutes and regulations change rapidly; verify each against current law before relying on this page.

Ready to talk?

Schedule a BIPA audit to map your biometric touchpoints and confirm consent before a claim arises.

4418 N. Milwaukee Ave., Chicago, IL 60630