BIPA applies beyond facial recognition. Device fingerprinting and behavioral biometrics are in litigation.
The Illinois Biometric Information Privacy Act is one of the most litigated privacy statutes in the US, with thousands of class actions filed since 2017. While BIPA is widely known for facial recognition claims, plaintiffs'attorneys have expanded its application to behavioral biometrics, device fingerprinting, and voice print analysis used on websites and in call centers.
Full Name
Illinois Biometric Information Privacy Act
Jurisdiction
Illinois
Penalties
BIPA provides liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees and costs. The Illinois Supreme Court held in Cothron v. White Castle that each unlawful scan or transmission constitutes a separate violation. At $5,000 per transmission, per class member, aggregate exposure in BIPA class actions has reached hundreds of millions of dollars.
What It Is
Overview of BIPA
BIPA (740 ILCS 14) regulates the collection, storage, and use of biometric identifiers and biometric information. Biometric identifiers include retina scans, fingerprints, voiceprints, scans of hand or face geometry, and "biometric information" derived from these identifiers. BIPA requires written consent before collection, a publicly available retention and destruction policy, and prohibits selling or profiting from biometric data. It provides a private right of action without requiring actual harm.
Who It Covers
Scope and private right of action
Private entities that collect, purchase, receive through trade, or otherwise obtain biometric identifiers or information from Illinois residents. This covers employers using fingerprint time clocks, retailers using facial recognition, and increasingly, websites that use behavioral biometric tools that analyze typing patterns, mouse movements, and device characteristics.
Exposure Triggers
What website technologies create BIPA exposure
BIPA is expanding beyond traditional biometric devices. Websites that use behavioral analytics or fraud detection tools may be collecting biometric-adjacent data about Illinois residents.
Device fingerprinting for fraud detection
Tools that collect and analyze a combination of device characteristics (screen resolution, installed fonts, GPU behavior, browser API responses) to generate a persistent device identifier may be characterized as collecting biometric information when used to identify individuals across sessions.
Behavioral biometrics (typing rhythm, mouse dynamics)
Behavioral biometric tools that analyze how a user types, moves their mouse, or interacts with a touchscreen to build an identity model are increasingly cited in BIPA complaints. These tools are used in fraud detection, account security, and UX analytics.
Voice analysis in customer-facing chat or telephony
Voiceprint analysis used in IVR systems, customer authentication, or AI-powered customer service applications is a biometric identifier under BIPA. Illinois residents interacting with these systems may have BIPA claims if written consent was not obtained.
Demand Letter Response
BIPA demand letters and class actions
BIPA claims are filed in Illinois state court and do not require agency exhaustion. Plaintiffs' firms have developed BIPA class action practice extensively since 2019. A demand letter will typically identify the specific biometric technology, allege that the plaintiff did not provide the required written consent, and assert per-violation damages. Because BIPA does not require actual harm, plaintiffs do not need to show they suffered any injury beyond the statutory violation. Preserve all documentation of your technology stack, vendor contracts, and any consent mechanisms for the period identified in the demand.
Evidence Support
Technical documentation for BIPA defense
BIPA defenses often turn on whether the tool actually collected "biometric information" as defined in the statute, whether written consent was obtained, and whether the defendant is a private entity in scope. Technical documentation of what data the tool collected is central.
Fingerprinting tool detection and payload analysis
Lokker identifies device fingerprinting and behavioral analytics scripts on your site and documents what data they collect and transmit, which is the core factual issue in a BIPA biometric claim.
Consent mechanism documentation
Privacy Edge and Consent Validator document whether and how consent was disclosed and collected at the time a user's biometric data was processed.
Frequently Asked Questions
Common questions about BIPA
Does BIPA apply to websites, or only to physical devices like fingerprint scanners?
BIPA applies to any private entity that collects biometric identifiers from Illinois residents, regardless of the collection method. Courts have extended BIPA to software-based collection, including behavioral biometrics and voice prints.
Is there a facial recognition exemption for security cameras or access control?
BIPA does not have a broad security or operational exemption. Some courts have recognized narrow exceptions for government actors or specific employment contexts, but website operators do not benefit from a general security exemption.
Defense Counsel Network
Received a BIPA demand letter or are under investigation?
Lokker works alongside defense counsel who handle BIPA-related website privacy cases. We provide the technical evidence documentation your attorneys need and can make the right introduction to law firms that specialize in this area. Contact us now.