1. Overview: Why BIPA Matters
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, stands as the most stringent and impactful biometric privacy law in the United States. What makes BIPA uniquely powerful—and exam-critical—is its private right of action with statutory damages, a combination that has generated over 1,500 class action lawsuits and billions of dollars in settlements since 2019.
For CIPP/US candidates, BIPA represents a crucial intersection of privacy law, technology regulation, and litigation risk management. The August 2024 amendments fundamentally changed the damages calculation, making this an essential topic for the current exam.
BIPA questions appear in Domain II (Limits on Private Sector Collection and Use) and often test understanding of consent requirements, statutory damages, the private right of action, and comparison with other state biometric laws. The 2024 amendments are likely to appear on current exams.
What is Biometric Data?
BIPA defines biometric identifiers as data that can uniquely identify an individual based on biological characteristics. The statute specifically covers:
- Fingerprints – Most common in employment time-tracking systems
- Retina or iris scans – Used in security systems
- Voiceprints – Voice authentication and call center systems
- Scans of hand or face geometry – Facial recognition technology
Biometric information is defined more broadly as any information based on a biometric identifier used to identify an individual, regardless of how it is captured, converted, stored, or shared.
BIPA specifically excludes photographs, video or audio recordings, and data generated therefrom. This exclusion has been heavily litigated, particularly regarding whether facial geometry extracted from photos constitutes a "scan of face geometry."
2. BIPA Core Requirements
BIPA imposes five categories of obligations on private entities possessing biometric identifiers or information. Understanding each section is essential for CIPP/US success.
Section 15(a): Written Policy Requirement
Every private entity in possession of biometric data must develop and make publicly available a written policy establishing:
- A retention schedule for biometric data
- Guidelines for permanent destruction when the initial purpose has been satisfied or within three years of the individual's last interaction—whichever occurs first
Section 15(b): Notice and Consent Requirements
Before collecting biometric data, a private entity must:
- Inform the individual in writing that biometric data is being collected or stored
- Inform the individual of the specific purpose and length of term for collection, storage, and use
- Receive a written release from the individual (or their legally authorized representative)
The August 2024 amendments clarified that electronic signatures satisfy the "written release" requirement under Section 15(b). This aligns BIPA with the federal E-SIGN Act and Illinois's Uniform Electronic Transactions Act.
Section 15(c): Prohibition on Profiting
BIPA prohibits any private entity from:
- Selling biometric data
- Leasing biometric data
- Trading biometric data
- Otherwise profiting from biometric data
Section 15(d): Disclosure Restrictions
Biometric data may not be disclosed, redisclosed, or disseminated unless:
- The individual consents to the disclosure
- Disclosure completes a financial transaction authorized by the individual
- Disclosure is required by law or legal process
- Disclosure is required by valid warrant or subpoena
Section 15(e): Data Security
Entities must store, transmit, and protect biometric data using a standard of care that is:
- Reasonable within the industry, and
- At least as protective as the manner in which the entity protects other confidential and sensitive information
Exam questions often test the specific consent requirements. Remember: BIPA requires written notice AND written consent BEFORE collection. This is more stringent than many other privacy laws that allow implied consent or post-collection notice.
3. August 2024 Amendments (SB 2979)
On August 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law, representing the first amendment to BIPA since its enactment in 2008. This legislation directly responded to the Illinois Supreme Court's 2023 decision in Cothron v. White Castle, which had opened the door to potentially "ruinous" damages.
Key Changes in SB 2979
1. Per-Person Damages (Not Per-Scan)
The most significant change limits damages calculation. Under the amended law:
"A private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of [Section 15(b)] has committed a single violation... for which the aggrieved person is entitled to, at most, one recovery."
The same limitation applies to Section 15(d) disclosure violations.
Practical Impact: Damages Calculation
| Scenario | Before SB 2979 | After SB 2979 |
|---|---|---|
| Employee scans fingerprint 2x per workday for 5 years (2,600 scans) | 2,600 violations × $5,000 = $13 million | 1 violation × $5,000 = $5,000 |
| 1,000 employees, same scenario | Potentially $13 billion | Maximum $5 million |
Net effect: a 99.8%+ reduction in potential liability.
2. Electronic Signatures Permitted
The amendments clarify that the "written release" requirement under Section 15(b) includes electronic signatures. This aligns BIPA with modern business practices and federal law (E-SIGN Act).
Retroactivity Debate
A critical unresolved question is whether SB 2979 applies retroactively to violations that occurred before August 2, 2024. Federal courts in Illinois have reached conflicting conclusions:
Gregg v. Central Transport LLC (November 2024)
Judge Elaine E. Bucklo held that the amendment applies retroactively because it merely "clarifies" the original statute rather than substantively changing it.
Schwartz v. Supply Network, Inc. (November 2024)
Judge Georgia N. Alexakis reached the opposite conclusion, finding the amendment represents a substantive change that should not apply retroactively.
This split means ongoing litigation will determine how courts ultimately apply the amendments to pending cases.
4. Landmark Court Decisions
Three Illinois Supreme Court decisions have shaped BIPA litigation more than any others. Understanding these cases is essential for CIPP/US success.
Rosenbach v. Six Flags (January 2019)
Holding: A plaintiff need not allege actual injury or adverse effect beyond violation of statutory rights to qualify as "aggrieved" under BIPA.
Facts: A mother sued Six Flags after the amusement park collected her 14-year-old son's thumbprint for a season pass without providing required notice or obtaining written consent.
Significance: This decision opened the floodgates for BIPA litigation by eliminating the need to prove identity theft, monetary loss, or other actual harm. A mere "technical violation" of BIPA's requirements is sufficient to sue.
Cothron v. White Castle (February 2023)
Holding: A separate BIPA violation accrues each time a private entity scans or transmits biometric data without consent—not just upon initial collection.
Facts: White Castle required employees to scan fingerprints to access computers and paystubs. The company transmitted scans to a third-party vendor for verification. The plaintiff accumulated thousands of scans over many years without ever giving consent.
Significance: This "per-scan" ruling meant White Castle potentially faced $17 billion in damages from a single plaintiff. The decision prompted the legislature to pass SB 2979.
The Cothron court acknowledged the potential for "ruinous liability" but stated it was up to the legislature to address the issue—which it did 18 months later with SB 2979.
Tims v. Black Horse Carriers (February 2023)
Holding: A five-year statute of limitations applies to BIPA claims, not a one-year or two-year limitation.
Significance: Combined with Cothron, this ruling meant plaintiffs could sue for five years of accumulated per-scan violations, dramatically increasing potential damages.
Remember the chronology: Rosenbach (2019) eliminated the harm requirement → Tims (2023) established 5-year limitations → Cothron (2023) created per-scan liability → SB 2979 (2024) limited damages to per-person.
5. Major Settlements & Verdicts
BIPA has generated some of the largest privacy settlements in U.S. history. These cases demonstrate the law's potency and are frequently tested on the CIPP/US exam.
Meta/Texas CUBI Settlement
Date: July 2024
Law: Texas CUBI (not BIPA)
Issue: Facebook's Tag Suggestions feature collected facial geometry without consent
Note: Largest single-state privacy settlement ever
Facebook BIPA Settlement
Date: February 2021
Class: 1.6 million Illinois users
Issue: Facial recognition tagging without consent
Payout: ~$345-400 per class member
Google Photos Settlement
Date: 2022
Issue: Face-grouping feature collected facial geometry without consent
TikTok BIPA Settlement
Date: 2021
Issue: Collection of face and voice data through the app
Clearview AI Settlement
Date: March 2025
Structure: 23% equity stake in company
Issue: Scraping billions of facial images from web
BNSF Railway Verdict
Date: October 2022
Type: Jury verdict (later vacated)
Class: 45,600 truck drivers
Note: Only BIPA case to reach jury verdict
Recent 2024-2025 Settlements
Following the August 2024 amendments, settlements have continued, though the per-person rule may change how their values are calculated:
- Speedway: $12.1 million (November 2024) – Fingerprint timekeeping system
- ESO Solutions: $4.1 million (December 2024) – Employee fingerprint scans
- Incode Technologies: $4 million (November 2024) – Facial geometry software
- Lightricks: $4.5 million (November 2024) – Mobile app facial data
- Magid: $5.1 million (October 2024) – Employee biometric data
6. Other State Biometric Privacy Laws
While BIPA remains the most impactful biometric privacy law, understanding how other states approach this issue is essential for CIPP/US success and practical compliance.
Texas: Capture or Use of Biometric Identifier Act (CUBI)
Enacted in 2009, Texas CUBI remained largely unenforced until the landmark 2024 Meta settlement.
| Feature | Illinois BIPA | Texas CUBI |
|---|---|---|
| Year Enacted | 2008 | 2009 |
| Private Right of Action | Yes | No (AG only) |
| Statutory Damages | $1,000-$5,000 per violation | Up to $25,000 per violation |
| Consent Required | Written consent before collection | Informed consent before capture |
| Covered Identifiers | Fingerprint, retina, iris, voiceprint, face/hand geometry | Fingerprint, voiceprint, retina/iris, face/hand geometry |
Washington: HB 1493 (2017)
Washington's biometric privacy law takes a notably different approach:
- No private right of action – Enforced only by Attorney General
- Security exception – Biometrics collected for security purposes are exempt
- "Enrollment" focus – Regulates enrollment into databases, not mere collection
- Narrower scope – Excludes facial geometry scans (unlike BIPA)
- Flexible consent – Notice, consent, OR opt-out mechanism (not all three)
BIPA is stricter than both Texas CUBI and Washington HB 1493 primarily because of its private right of action. This difference explains why BIPA generates vastly more litigation than other state biometric laws.
Comprehensive Privacy Laws with Biometric Provisions
As of 2025, 19+ states have comprehensive privacy laws that classify biometric data as "sensitive data" requiring heightened protection. Key examples include:
- California (CCPA/CPRA): Biometrics are sensitive personal information requiring opt-out rights
- Colorado: July 2025 amendments add BIPA-like consent requirements for biometric data
- Virginia, Connecticut, Utah: Biometrics require consent before processing
- Maryland (October 2025): Stricter data minimization for biometrics
Emerging State Legislation
Several states have introduced BIPA-like bills with private rights of action:
- New York: Biometric Privacy Act (pending since 2021)
- Maryland: Biometric Identifiers Privacy Act (pending)
- Massachusetts, Missouri: BIPA-style bills introduced
When comparing biometric laws, focus on three key differentiators: (1) private right of action, (2) consent requirements, and (3) scope of covered identifiers. BIPA is strongest on all three.
7. Compliance Checklist
Organizations collecting biometric data in Illinois (or from Illinois residents) should implement comprehensive compliance programs. This checklist covers both BIPA requirements and best practices.
Written Policy Requirements
- Develop a publicly available biometric data retention policy
- Specify retention schedule with clear timeframes
- Include destruction guidelines (satisfied purpose OR 3 years from last interaction)
- Post policy on company website or make otherwise publicly available
- Review and update policy annually
Notice and Consent Procedures
- Provide written notice BEFORE collecting biometric data
- Inform individuals what specific data is being collected
- Disclose purpose of collection, storage, and use
- State length of time data will be stored
- Obtain written consent (electronic signatures now permitted)
- Maintain consent records
- Create separate consent forms for different biometric uses
Third-Party Management
- Identify all vendors receiving biometric data
- Obtain consent before disclosing to third parties
- Include BIPA compliance provisions in vendor contracts
- Verify vendor security practices
- Maintain records of all disclosures
Data Security
- Implement industry-reasonable security measures
- Protect biometric data at least as carefully as other sensitive information
- Encrypt biometric data in transit and at rest
- Limit access to biometric data on need-to-know basis
- Conduct regular security assessments
Record Retention and Destruction
- Track collection dates and last interaction dates
- Implement automated destruction triggers
- Document destruction procedures and completion
- Never retain biometric data beyond policy limits
Organizations operating in multiple states must comply with the most restrictive requirements. A uniform BIPA-compliant program generally satisfies Texas CUBI and Washington HB 1493 requirements as well.
8. CIPP/US Exam Focus Areas
BIPA appears in Domain II (Limits on Private-Sector Collection and Use of Personal Information) and occasionally in Domain V (State Privacy Laws). Here are the most testable concepts.
High-Priority Topics
- Private Right of Action: BIPA uniquely allows individuals to sue (unlike Texas or Washington)
- Statutory Damages: $1,000 per negligent violation, $5,000 per intentional/reckless violation
- Consent Requirements: Written notice AND written consent BEFORE collection
- No Harm Required: Rosenbach established that technical violations are actionable
- 2024 Amendments: Per-person (not per-scan) damages calculation
Sample Exam Questions
Question 1
A company uses fingerprint scanning for employee time tracking in Illinois. Under BIPA, what must the company do BEFORE collecting employee fingerprints?
Answer: Provide written notice specifying the purpose and duration of collection AND obtain written consent from each employee.
Question 2
What is the primary difference between Illinois BIPA and Texas CUBI regarding enforcement?
Answer: BIPA provides a private right of action allowing individuals to sue directly, while CUBI is enforced only by the Texas Attorney General.
Question 3
After the 2024 BIPA amendments (SB 2979), how are damages calculated when an employer repeatedly scans the same employee's fingerprint?
Answer: As a single violation per person, not per scan—regardless of how many times the fingerprint was collected using the same method.
Question 4
What did the Illinois Supreme Court hold in Rosenbach v. Six Flags regarding the "aggrieved" requirement?
Answer: A plaintiff need not allege actual injury beyond violation of statutory rights to be "aggrieved" under BIPA. Technical violations alone are sufficient to bring suit.
Key Terms to Know
| Term | Definition |
|---|---|
| Biometric Identifier | Fingerprint, retina/iris scan, voiceprint, or scan of hand/face geometry |
| Biometric Information | Any information based on a biometric identifier used to identify an individual |
| Written Release | Informed written consent signed by the individual (electronic signatures now permitted) |
| Private Right of Action | Legal standing for individuals to bring lawsuits directly, without government involvement |
| Statutory Damages | Fixed damages amounts specified by law ($1,000/$5,000) versus actual proven damages |
Common Exam Pitfalls
- Don't confuse BIPA (biometric-specific) with comprehensive privacy laws (CCPA, state laws)
- Remember that photographs alone are excluded from BIPA coverage
- Note that BIPA applies to private entities only—government entities are exempt
- Know that financial institutions subject to GLBA are exempt from BIPA
- Understand the 2024 amendment changed per-scan to per-person damages
Conclusion
Illinois BIPA remains the most significant biometric privacy law in the United States, setting the standard that other states measure against. The August 2024 amendments represent a major recalibration of the litigation landscape, shifting from potentially "ruinous" per-scan liability to more manageable per-person damages.
For CIPP/US candidates, understanding BIPA's unique features—particularly its private right of action and stringent consent requirements—is essential. The law's evolution through landmark cases like Rosenbach and Cothron, culminating in the 2024 legislative response, illustrates how privacy law develops through the interplay of courts and legislatures.
As biometric technology becomes increasingly prevalent—from smartphone facial recognition to workplace time-tracking systems—the regulatory framework governing this sensitive data will continue to evolve. Stay current with developments in Illinois and emerging state legislation to maintain both exam readiness and practical compliance knowledge.