BIPA (the Illinois Biometric Information Privacy Act, 740 ILCS 14) is the strictest biometric-privacy law in the United States and the one that most shapes how face recognition and other biometrics are deployed there. It requires a private entity to obtain informed written consent before capturing a person's biometric identifiers (such as a face template), to publish a retention-and-destruction policy, and to limit disclosure — and crucially, it lets the individuals whose biometrics were taken sue directly.

That private right of action is what makes BIPA bite. The Illinois Supreme Court held in Rosenbach v. Six Flags (2019) that a person need not show actual harm to sue — a bare violation suffices — and in Cothron v. White Castle (2023) that a claim can accrue on every scan, with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. A 2024 amendment (SB 2979 / P.A. 103-769) narrowed recovery toward a single violation per person, but the exposure remains large: settlements include Facebook's $650M and a $1.4B Texas action under that state's analogous CUBI law.

The pitfall is deploying biometric capture in or touching Illinois without satisfying BIPA first — because here the cost of getting it wrong is litigation by the data subjects themselves, not just a regulator's fine. Treat consent, a published retention/destruction schedule, and disclosure limits as gating requirements before any face-recognition or biometric system goes live, and remember the damages doctrine is actively evolving. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.