Illinois’ Leadership in Privacy Law: How BIPA Shaped the National Conversation
By Nathan Reem
*The following is neither legal advice nor a legal opinion.
Illinois, alongside states such as California and New York, has been a pioneer of legislative innovation. In the data privacy world, it has been at the forefront of biometric privacy legislation, with the passage of the Biometric Information Privacy Act (BIPA).
BIPA was a model for other state-level privacy laws. It was the first law to regulate the collection and use of biometric data. Furthermore, it implemented strict requirements for companies, including:
Obtaining informed consent before collecting biometric data.
Implementing data retention and destruction policies to ensure companies delete biometric data after a certain period.
Prohibiting the sale or disclosure of biometric data without consent.
This law was ahead of its time. Passed in 2008, it addressed privacy concerns that many states are only now beginning to tackle. As technology has advanced, BIPA has remained relevant, particularly with the growing use of AI-driven facial recognition, workplace surveillance, and digital identity verification. The law has set the foundation for privacy rights in the modern era, influencing both state and federal privacy discussions.
Why BIPA Was Revolutionary
At its core, BIPA was one of the first privacy laws in the U.S. to specifically regulate biometric data. While states like California were focusing on broad consumer data protections through laws like the California Consumer Privacy Act (CCPA), Illinois took a targeted approach. Lawmakers recognized that biometric data is uniquely sensitive—unlike a password or credit card number, you can’t change your fingerprint, retina scan, or facial geometry if it gets stolen.
The law also put an emphasis on transparency and consumer control, requiring businesses to:
Inform individuals what data is being collected, how long it will be stored, and why it’s needed.
Obtain a written release from individuals before collecting their biometric information.
Establish a clear policy for deleting biometric data when it’s no longer necessary.
While many privacy laws are toothless when it comes to enforcement, BIPA is different. It includes a private right of action, meaning that individuals—not just the government—can sue companies for noncompliance. That’s a major reason why it has had such a wide-reaching impact.
BIPA’s Legal Impact: Lawsuits & Big Settlements
Since its passage, BIPA has been at the center of landmark lawsuits. Many companies have faced class-action lawsuits for failing to comply with the law. Some of the biggest settlements include:
Facebook ($650M, 2021): Lawsuit over its use of facial recognition in photo-tagging without user consent.
Google ($100M, 2022): Settlement related to the use of facial recognition in Google Photos.
TikTok ($92M, 2022): Alleged collection of facial and voice data from users without consent.
These lawsuits have sent a clear message: companies can’t ignore biometric privacy laws without consequences. In fact, many businesses have stopped using biometric data altogether out of fear of litigation. Others have changed their policies to align with BIPA’s requirements.
But it’s not just tech giants that have been affected. Small businesses, employers, and even healthcare providers have been sued for violations, particularly for biometric timekeeping systems that scan employees’ fingerprints without proper consent. As a result, BIPA has reshaped how companies handle biometric data, leading to a broader national conversation about the future of privacy rights in America.
BIPA’s Influence on Other Privacy Laws
Illinois may have been the first to pass a biometric privacy law, but other states are now following its lead. A number of states have introduced BIPA-style laws, including:
Texas (Capture or Use of Biometric Identifier Act - CUBI): Regulates biometric data but lacks a private right of action.
Washington (HB 1493): Requires consent before collecting biometric data but is weaker than BIPA.
New York (pending Biometric Privacy Act): A proposed law that mirrors BIPA, including a private right of action.
California (CCPA/CPRA): While not as specific as BIPA, California’s privacy laws now include biometric protections.
Even at the federal level, there’s been increasing discussion about nationwide biometric privacy standards. The proposed American Data Privacy Protection Act (ADPPA) includes some elements of biometric privacy, but it does not go as far as BIPA in terms of enforcement and private litigation rights.
This raises a key question: should biometric privacy be regulated at the federal level? Some argue that BIPA-style protections should be adopted nationwide, while others (particularly corporations) worry about expanding liability and lawsuits. Regardless of what happens federally, it’s clear that Illinois’ model is shaping the future of privacy regulation across the country.
Why Businesses Are Pushing Back
BIPA has been controversial, particularly among businesses that rely on biometric data. Many argue that the law is too strict and that the private right of action has led to excessive litigation.
Some businesses claim they were unaware of the law and were sued over technical violations.
Others say the lack of a federal standard makes compliance difficult, especially for national companies operating in multiple states.
Industry groups have lobbied for BIPA reforms, including limiting lawsuits or requiring proof of harm before litigation can proceed.
Despite these challenges, Illinois courts have consistently upheld BIPA, reinforcing its consumer-first approach. And with new privacy concerns emerging—such as AI-powered facial recognition, workplace surveillance, and deepfake technology—it’s unlikely that Illinois will weaken its stance anytime soon.
The Future of Biometric Privacy
BIPA has stood the test of time, but the privacy landscape is constantly evolving. New technologies like AI-driven biometric authentication, digital IDs, and metaverse applications are raising new privacy concerns that weren’t even on the radar in 2008.
Looking ahead, we’re likely to see:
More states passing BIPA-style laws to regulate biometric privacy.
Federal lawmakers considering a national biometric privacy framework (though its strength remains uncertain).
AI-related amendments to BIPA, ensuring that it covers emerging technologies like deepfake manipulation and AI-generated biometric data.
One thing is clear: BIPA’s influence isn’t going away. Whether through state-level expansions, federal privacy legislation, or new AI regulations, Illinois has set a precedent that will shape biometric privacy law for years to come.
Conclusion
Illinois has long been a leader in progressive legislation, and BIPA is one of the most important privacy laws in the country. While California and New York have pioneered broad consumer privacy protections, Illinois has led the charge on biometric privacy, forcing businesses to take data security more seriously.
BIPA’s private right of action, strict consent requirements, and focus on transparency have made it the gold standard for biometric privacy laws in the U.S. Despite pushback from businesses, its impact on privacy law is undeniable. As technology continues to evolve, Illinois will likely remain at the forefront of protecting biometric data—just as it has for the past 16 years.