Privacy Guide | April 14, 2026 | 9 min read

Privacy Laws in Illinois: What You Need to Know in 2026

By Sarah Chen

Head of Privacy Research

Illinois has the most aggressive biometric privacy law in the United States, and it is not even close. The Biometric Information Privacy Act (BIPA), enacted on October 3, 2008, was the first law of its kind in the country and remains the strongest. Combined with the Illinois Personal Information Protection Act (PIPA) and the Student Online Personal Protection Act (SOPPA), the state gives residents a level of data protection that few others match. Here is what Illinois residents need to know in 2026.

BIPA: The Nation's Toughest Biometric Privacy Law

BIPA was groundbreaking when it passed in 2008, and it remains the gold standard for biometric data protection nearly two decades later. The law applies to any private entity that collects, captures, purchases, receives through trade, or otherwise obtains a person's biometric identifier or biometric information. This includes fingerprints, retina and iris scans, voiceprints, scans of hand or face geometry, and any data derived from those identifiers.

What makes BIPA exceptional is its combination of strict requirements and real enforcement teeth.

What BIPA Requires

Before collecting any biometric data, a private entity must satisfy all of the following:

  • Written notice: The entity must inform the subject in writing that biometric data is being collected or stored, and specify the purpose and length of time for which it will be used.
  • Written consent: The entity must receive a written release from the subject authorizing the collection and storage of the data.
  • Disclosure of retention schedule: The entity must publish a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric data. Data must be destroyed when the original purpose is fulfilled or within three years of the individual's last interaction with the entity, whichever comes first.

BIPA also flatly prohibits selling, leasing, or trading biometric data, regardless of consent. You cannot sign away this protection even if you wanted to.

Private Right of Action: Why BIPA Has Real Teeth

Unlike nearly every other state privacy law in the country, BIPA includes a private right of action. This means individual Illinois residents can sue companies directly for violations without waiting for the state attorney general to act. This single provision has made BIPA the most actively litigated privacy law in the United States and has driven billions of dollars in settlements.

Penalties for Violations

The financial consequences of BIPA violations are severe:

  • $1,000 per violation for negligent violations (the company failed to comply but did not act intentionally)
  • $5,000 per violation for intentional or reckless violations

In class action lawsuits involving thousands of individuals, these per-violation penalties can add up to enormous sums. Facebook settled a BIPA class action for $650 million. Clearview AI, TikTok, Google, and dozens of other major companies have faced significant BIPA litigation.

The 2024 Amendment: Clarifying "Per Violation"

For years, one of the most contested questions in BIPA litigation was how to count violations. If a company scanned an employee's fingerprint every day at a time clock, was each scan a separate violation, or was the entire course of conduct a single violation per person? In some cases, the per-scan interpretation produced damages in the hundreds of millions or even billions of dollars.

In 2024, the Illinois legislature settled the question with Senate Bill 2979, signed into law as Public Act 103-769. The amendment clarified that repeated identical collections of the same biometric data from the same person constitute a single violation. In other words, damages are calculated per person, not per scan.

This was a significant win for businesses, but BIPA's core requirements remain unchanged. Companies still need written notice, written consent, and a published retention policy. They still cannot sell biometric data. And individuals can still sue.

April 2026: Retroactive Application Confirmed

In April 2026, the Seventh Circuit Court of Appeals ruled in Clay v. Union Pacific that the 2024 amendment applies retroactively to pending cases. This means that even lawsuits filed before the amendment was enacted are now subject to the per-person (rather than per-scan) damages calculation. The ruling significantly reduced potential exposure for defendants in ongoing litigation, while reaffirming that BIPA violations still carry meaningful penalties.

BIPA Applies to Employers Too

Many BIPA lawsuits have targeted employers who use fingerprint-based time clocks or facial recognition systems without providing proper written notice and obtaining written consent. If your employer scans your fingerprint or face in Illinois, they must comply with BIPA. If they have not given you written notice and obtained your written release, they may be in violation of the law.

Illinois Personal Information Protection Act (PIPA)

Beyond biometrics, Illinois also protects residents through the Personal Information Protection Act, the state's data breach notification law. PIPA requires any data collector that owns, licenses, or maintains personal information of Illinois residents to notify affected individuals in the event of a security breach.

Under PIPA, personal information includes combinations of your name with Social Security numbers, driver's license numbers, financial account numbers, medical information, or biometric data. If a breach exposes any of these, the company must notify you without unreasonable delay and must also notify the Illinois Attorney General if the breach affects more than 500 residents.

PIPA does not include a private right of action, but the Attorney General can enforce it. Violations can result in penalties under the Illinois Consumer Fraud and Deceptive Business Practices Act.

Student Online Personal Protection Act (SOPPA)

Illinois also leads on student data privacy through the Student Online Personal Protection Act. SOPPA regulates how ed-tech companies and schools handle the personal data of K-12 students. The law prohibits operators of educational technology services from selling student data, using it for targeted advertising, or building non-educational profiles of students.

Schools must maintain a list of all ed-tech vendors with access to student data and publish it publicly. Parents and guardians have the right to inspect and correct their child's data. SOPPA is one of the most protective student privacy laws in the country and serves as a model for other states considering similar legislation.

How to Exercise Your Privacy Rights in Illinois

  1. Know what biometric data is being collected. If any business, employer, or service provider is scanning your fingerprint, face, iris, or voice, they must give you written notice and get your written consent first. If they have not, they may be violating BIPA.
  2. Request information about data breaches. If you receive a breach notification, take it seriously. Change passwords, monitor your accounts, and consider a credit freeze.
  3. Review your children's school data practices. Ask your school district for the list of ed-tech vendors with access to student data. Review the privacy policies and exercise your right to inspect and correct data under SOPPA.
  4. File complaints or consult an attorney. Because BIPA has a private right of action, you can consult a lawyer directly if you believe your biometric data has been collected without proper consent. For PIPA violations, file complaints with the Illinois Attorney General.

Removing Your Personal Information From Data Brokers

Illinois privacy laws are strong on biometrics and breach notification, but they do not directly address the hundreds of people-search sites that publish your name, home address, phone number, email, and family connections. Sites like Spokeo, BeenVerified, TruePeopleSearch, and Whitepages aggregate public records data and make it freely available to anyone who searches for you.

Opting out of these sites one at a time is tedious and temporary. Most brokers re-scrape public records on a regular cycle, so your information reappears within weeks or months of a successful removal.

PrivacyOn automates this process for Illinois residents. We submit opt-out requests to more than 100 data brokers, track every removal, and continuously re-file when your data resurfaces. This ongoing monitoring is what separates real protection from a one-time effort that fades within months. Combined with the strong legal protections BIPA provides for your biometric data, using a removal service ensures that both your digital and physical identity stay under your control.

The Bottom Line

Illinois residents have some of the strongest privacy protections in the country, anchored by BIPA's unique combination of strict requirements and a private right of action. The 2024 amendment and the 2026 Seventh Circuit ruling have brought more clarity to how damages are calculated, but the fundamental rights remain intact: companies must get your written consent before collecting biometric data, they cannot sell it, and you can sue if they violate the law. Pair those legal protections with proactive data removal, and you have a genuinely strong privacy posture.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
