Illinois Biometric Information Privacy Act (BIPA)
Effective date
Penalty
$1,000 per negligent violation or $5,000 per intentional/reckless violation per person, plus attorney fees. Private right of action, no proof of injury requi…
Obligations mapped
7 obligations
Legislative update
Multiple amendment bills are pending in the Illinois 104th General Assembly: HB 2838 and HB 3667 would create exemptions for biometric time clocks and security systems. The Seventh Circuit ruled in April 2026 (Clay v. Union Pacific) that the 2024 damages cap applies retroactively.
Overview
If your company collects fingerprints, facial scans, voiceprints, iris scans, or hand geometry from employees, customers, or any individuals in Illinois, BIPA may apply. Before collecting any biometric data, where applicable you may need to provide written notice explaining what you are collecting, why, and for how long, and obtain written consent. Where applicable, you may need to publish a retention and destruction policy, and may be barred from selling or profiting from biometric data. BIPA has no cure period: any affected individual can sue for $1,000 to $5,000 per violation, plus attorney fees, without proving actual harm. Class action settlements have reached $650 million.
This is a biometric privacy law.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
- Organizations operating in Illinois
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
SB 2979
AI categories covered
- facial recognition
- voice biometrics
- fingerprint scanning
- iris retina scanning
- biometric timekeeping
- identity verification
Specific AI use cases:
- employee timekeeping
- physical access control
- customer identification
- age verification
- Fraud detection
- photo tagging
- facial biometric
- voice biometric
- fingerprint biometric
What this requires you to do
7 obligations identified from statutory analysis.
Section 15(e)
Section 15(b)(3)
Section 15(a)
Section 15(c)
Section 15(d)
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
$1,000 per negligent violation or $5,000 per intentional/reckless violation per person, plus attorney fees. Private right of action, no proof of injury required. 2024 amendment caps one recovery per person per incident.
Private right of action: plaintiffs may bring direct claims in addition to government enforcement.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
enforcement action
Seventh Circuit rules SB 2979 applies retroactively to all pending cases (Clay v. Union Pacific, No. 25-2185). Dramatically reduces employer exposure in 1,500+ pending class actions.
amended
Governor signs SB 2979. Caps damages at one recovery per person per collection method. Allows electronic consent.
amended
IL Legislature passes SB 2979
enforcement action
IL Supreme Court rules claims accrue with each scan or transmission (Cothron v. White Castle), opening door to per-scan damages
enforcement action
IL Supreme Court rules no actual injury required for standing (Rosenbach v. Six Flags)
signed
BIPA enacted
Related regulations
- UpcomingPrivacy ADM
CCPA/CPRA Automated Decision-Making Technology Regulations
California's ADMT regulations require businesses using automated decisionmaking technology for significant decisions (employment, finance, housing, education, healthcare) to provide pre-use notices, offer opt-out rights, respond to access requests, and conduct risk assessments with annual CPPA filing under penalty of perjury.
Effective
- UpcomingAI-Specific
Colorado ADMT / AI Act (SB 26-189)
Colorado SB 26-189 repeals and reenacts SB 24-205 into an automated decision-making technology (ADMT) framework for consequential decisions. Starting January 1, 2027, covered developers may need to provide deployers with technical documentation and material-update notices. Covered deployers may need point-of-interaction notices, post-adverse-outcome disclosures, data-access and correction processes, human-review and reconsideration workflows, and three-year compliance records. SB 24-205 risk-management, impact-assessment, and reasonable-care artifacts remain useful governance evidence, but they are historical or reusable controls rather than standalone current-law duties under the new Colorado framework.
Effective
- In EffectAI-Specific
NYC Local Law 144 (Automated Employment Decision Tools)
NYC Local Law 144 requires employers and employment agencies using automated employment decision tools for hiring or promotion in New York City to conduct annual independent bias audits, publish results on their website, and notify candidates that an AEDT is being used.
Effective
- In EffectAI-Specific
Illinois AI Video Interview Act (820 ILCS 42)
Requires employers using AI to analyze video interviews to notify candidates, explain how AI is used, and obtain consent before the interview.
Effective
- In EffectAI-Specific
Illinois Human Rights Act (HB 3773 AI amendment)
Illinois HB 3773 amends the Illinois Human Rights Act to prohibit employers from using AI that has the effect of subjecting employees to discrimination on the basis of protected classes, including using zip codes as proxies. Where applicable, employers may need to notify employees and applicants when AI is used in employment decisions. IDHR draft implementing rules circulated December 2025. No safe harbors or affirmative defenses.
Effective
- In EffectAI-Specific
Illinois Right of Publicity Act, Digital Replica Amendment (HB 4875)
Prohibits unauthorized AI-generated digital replicas of individual voices, images, and likenesses. Holds liable anyone who distributes, transmits, or materially contributes to violations. Not contingent on commercial purpose.
Effective
- In EffectAI-Specific
Illinois Digital Voice and Likeness Protection Act (HB 4762)
Protects individual digital voice and likeness in contracts. Contract provisions for digital replica use are unenforceable unless the contract includes specific description of intended uses and the individual was represented by legal counsel or a labor union.
Effective
- In EffectAI-Specific
Illinois Digital Forgeries Act (HB 2123)
Extends nonconsensual intimate image protections to AI-generated deepfakes. Provides civil remedies including statutory and punitive damages for victims of sexually altered digital images.
Effective
- In EffectAI-Specific
Illinois AI-Generated Child Sexual Abuse Material (HB 4623)
Clarifies that Illinois child pornography laws encompass AI-generated images of minors in sexual acts. AI-generated CSAM treated identically to non-AI CSAM under existing criminal statutes.
Effective
- In EffectAI-Specific
Illinois HB 1806 / WOPRA - AI in Mental Health Therapy
Restricts AI use in mental health therapy contexts under Illinois WOPRA and related professional standards. Targets AI chatbot platforms marketed as mental health tools. Verification of enacted text details (including signed status, final effective date, and penalty structure) remains pending against the enrolled primary source.
Effective
Illinois AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.