Biometric Data Privacy Laws: Illinois BIPA, GDPR Biometrics, and Employer Rules
A comprehensive overview of biometric data privacy laws—from Illinois BIPA's private right of action and landmark settlements to GDPR's special category rules and emerging US state regulations covering facial scans, fingerprints, and retina data.
$650 Million: What Happens When Biometric Law Has Teeth
In 2021, Facebook agreed to pay $650 million to settle a class action brought under Illinois' Biometric Information Privacy Act—the largest privacy settlement in US history at the time. The claim: Facebook's "Tag Suggestions" feature used facial geometry scans of Illinois users without written consent or a published retention policy. BIPA's private right of action, which awards $1,000–$5,000 per violation, transformed what would have been an abstract regulatory concern into an existential financial threat. No other area of privacy law has generated comparable litigation volume or settlement values in the United States.
Illinois BIPA: The Template That Everyone Copies (and Fears)
The Illinois Biometric Information Privacy Act, enacted in 2008, remains the strongest biometric privacy statute in the US. It covers any private entity that collects, captures, purchases, receives, or otherwise obtains biometric identifiers or information. Covered identifiers include retina or iris scans, fingerprints, voiceprints, hand scans, face geometry, and any other biological identifier. Notably, BIPA does not cover photographs themselves—only the biometric data derived from them.
BIPA's Four Core Requirements
- Written policy: Entities must publicly disclose a retention schedule and guidelines for permanent destruction of biometric data.
- Informed written consent: Before collection, entities must provide written notice of what is being collected and why, and obtain a written release from the subject.
- No sale or profit: Biometric data may not be sold, leased, traded, or otherwise profited from under any circumstances.
- Reasonable security: Biometric data must be stored, transmitted, and protected using the same reasonable standard as other confidential and sensitive information.
Violations carry statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees. Because these are per-violation amounts—often interpreted as per-scan per-person—litigation exposure compounds rapidly. The Illinois Supreme Court's 2019 ruling in Rosenbach v. Six Flags confirmed that no actual harm beyond the statutory violation is required to bring suit, opening the floodgates to class actions.
Other US State Biometric Laws
| State | Law | Key Feature | Private Right of Action |
|---|---|---|---|
| Illinois | BIPA (2008) | Strictest; per-violation damages | Yes |
| Texas | CUBI (2009) | AG enforcement only; no private suit | No |
| Washington | H.B. 1493 (2017) | AG enforcement; facial recognition focus | No |
| New York City | Local Law 3 (2021) | Commercial establishments; disclosure signage | Yes |
| Colorado, Virginia, Connecticut | Omnibus privacy laws | Biometric as sensitive data; opt-in consent | Limited/AG only |
GDPR and Biometric Data
Under GDPR Article 9, biometric data "processed for the purpose of uniquely identifying a natural person" is a special category of personal data. Processing is prohibited by default unless a specific exception applies: explicit consent, vital interests, establishment or defense of legal claims, substantial public interest, or occupational medicine purposes. Controllers must conduct a Data Protection Impact Assessment before deploying biometric systems at scale.
The key phrase is "for the purpose of uniquely identifying." A photo stored as pixels is not automatically biometric data under GDPR; a facial recognition system that converts that photo to a facial vector for identity matching is. This distinction matters for systems that use photos for purposes other than identification.
Employer Use of Biometrics
Workplace biometric collection—fingerprint time clocks, facial attendance systems, retinal access controls—has generated substantial BIPA litigation. Illinois courts have held that employees cannot impliedly consent to biometric collection through their employment relationship; explicit, informed written consent is required before the first scan. Employers who deployed finger-scan time clocks without BIPA-compliant consent programs have faced multi-million dollar class actions even where the primary purpose was mundane timekeeping.
- Before deploying any biometric workplace system in Illinois, obtain a signed written consent form from every employee specifying what is collected, why, how long it is kept, and who may receive it.
- Publish a biometric retention and destruction policy on your company website or intranet.
- Audit third-party vendors—payroll processors, security firms, attendance software providers—to confirm they are BIPA-compliant in their handling of employee data.
- Establish a deletion protocol triggered by termination: most BIPA litigation involves data retained after an employee's departure.
Emerging Federal and International Developments
The US has no federal biometric privacy law, but the FTC has brought enforcement actions treating unauthorized biometric collection as an unfair or deceptive trade practice. The EU AI Act (2024) classifies real-time biometric identification systems in public spaces as "unacceptable risk" AI, effectively banning them with narrow law enforcement exceptions. China's Personal Information Protection Law (PIPL) requires separate consent for biometric data and prohibits processing biometric data as a condition of service when an alternative means exists.
The common thread across jurisdictions: biometric data is treated as uniquely sensitive because it is immutable—unlike a password, you cannot change your fingerprints after a breach. Laws in this space reflect that permanence with correspondingly strict consent and security requirements.
Legal Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Biometric privacy laws vary significantly by jurisdiction and are evolving rapidly. Organizations should consult qualified legal counsel before deploying biometric systems or designing compliance programs.