EffectiveIllinois

Biometric Information Privacy Act

Illinois BIPA

Data last verified: March 23, 2026

Effective Date
October 3, 2008
Enforcement Date
Not specified in statute

Summary

Illinois BIPA regulates the collection and use of biometric data (facial geometry, voiceprints, fingerprints). Requires informed consent (15(b)), written policies (15(a)), no sale/profit (15(c)), disclosure restrictions (15(d)), safeguards (15(e)), and retention limits. Provides a private right of action with statutory damages. SB 2979 (2024) clarified per-person accrual.

Who It Applies To

Not specified in statute

Penalties

Penalty Range
$1,000$5,000per violation
Cure Period
Not specified in statute
Private Right of Action
Yes — private right of action available
Enforcement Body
Private right of action (individuals can sue directly); no specific government agency
Notes
One of the most litigated privacy laws in the US. SB 2979 (chaptered Aug 2, 2024) clarified damages accrue per person, not per scan (legislative response to Cothron v. White, 2023).

Requirements (6)

  • Record-Keeping740 ILCS 14/15(a)

    This law requires entities collecting biometric data to publish a written retention schedule and destruction guidelines.

  • Consent740 ILCS 14/15(b)

    This law requires entities to inform individuals of the specific purpose and duration of biometric data collection and obtain written release before collecting biometric data.

  • Sharing Restriction740 ILCS 14/15(c)

    This law prohibits entities from selling, leasing, trading, or otherwise profiting from biometric data.

  • Retention Limit740 ILCS 14/15(a)

    This law requires entities to destroy biometric data when the initial purpose is satisfied or within 3 years of last interaction, whichever comes first.

  • Sharing Restriction740 ILCS 14/15(d)

    This law prohibits entities from disclosing, redisclosing, or otherwise disseminating biometric data without consent, except for authorized financial transactions or as required by law.

  • Record-Keeping740 ILCS 14/15(e)

    This law requires entities to store, transmit, and protect biometric data using a reasonable standard of care and in a manner at least as protective as for other confidential and sensitive information.

Claire tracks 31 state and local AI laws across 23 US states. No prescriptive federal AI compliance statutes have been enacted. EU AI Act and sector-specific regulations are not covered.

Check if this law applies to your business