US-IL

Illinois Biometric Information Privacy Act (BIPA): AI Compliance Requirements

Illinois BIPA (740 ILCS 14, effective 2008, amended 2024) is the nation's strongest biometric privacy law and directly affects AI systems that collect or analyze facial geometry, voiceprints, fingerprints, hand scans, or iris/retina scans. Any business using AI facial recognition (for hiring, attendance, or identity verification), voice authentication, or biometric time-clocks in Illinois must comply. The 2024 amendment (SB 2979) limits cumulative violations to one per person per recipient. With over 1,000 class actions filed, BIPA has the highest active litigation risk of any US AI privacy law.

Key Facts

Effective Date: October 3, 2008

Maximum Penalty: $1,000 per negligent violation; $5,000 per intentional/reckless violation (private right of action)

What Your Business Must Do

3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Biometric Data Retention & Destruction Policy

Critical

Publish a written, publicly available policy establishing a retention schedule and guidelines for permanently destroying biometric data. Policy must specify: what biometric data is collected, why it is collected, and when it will be destroyed — no later than 3 years after collection or when the purpose is complete, whichever is first.

Informed Written Consent Before Biometric Collection

Critical

Before collecting ANY biometric data through AI or automated systems: (1) Notify the individual in writing of what is being collected and stored. (2) State the specific purpose and duration of collection/storage. (3) Obtain a written or electronic release. This applies to employees, job applicants, and customers. No biometric collection without explicit prior consent.

No Sale or Profit from Biometric Data

High Priority

Never sell, lease, trade, or profit from any individual's biometric data. Do not disclose or disseminate biometric data to third parties without written consent — except to complete a financial transaction authorized by the individual, or as required by law.

Frequently Asked Questions

Does Illinois Biometric Information Privacy Act (BIPA) apply to my business?

Illinois BIPA (740 ILCS 14, effective 2008, amended 2024) is the nation's strongest biometric privacy law and directly affects AI systems that collect or analyze facial geometry, voiceprints, fingerprints, hand scans, or iris/retina scans. Any business using AI facial recognition (for hiring, attendance, or identity verification), voice authentication, or biometric time-clocks in Illinois must comply. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Illinois Biometric Information Privacy Act (BIPA) is: $1,000 per negligent violation; $5,000 per intentional/reckless violation (private right of action). Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Illinois Biometric Information Privacy Act (BIPA)?

The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

Last updated: 2026-04-12 — verify at source before relying on this information.
