BIPA Compliance: Illinois Biometric Privacy Law for SaaS (2026)
If your SaaS app touches a face scan, a fingerprint, a voiceprint, or even a hashed mathematical model derived from any of those, an Illinois law from 2008 may quietly be the most expensive statute in your compliance stack. The Biometric Information Privacy Act — almost universally called BIPA — has driven nine-figure settlements against tech giants and bankrupted smaller vendors who never set foot in Illinois. With statutory damages baked into the law and a private right of action that lets ordinary residents sue, BIPA is the only US biometric privacy regime where one missing checkbox can end a company.
This guide explains exactly what BIPA requires in 2026, what changed after the 2024 amendments, who falls inside its scope, and the practical steps a SaaS team should take this quarter. It is written for founders, product managers, and engineers who need a working understanding without a law-firm retainer.
What BIPA Actually Regulates
BIPA, enacted in 2008, is the oldest and strictest biometric privacy statute in the United States. It governs how private entities collect, store, use, share, and destroy two categories of data:
- Biometric identifiers — retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.
- Biometric information — any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify a specific person.
The second bucket is where many SaaS teams get caught off guard. A face-recognition vendor that only stores a numerical embedding (an array of floats) rather than the source image is still inside BIPA's scope, because the embedding is information based on a biometric identifier used to identify a specific person. The same logic captures voice embeddings used for speaker verification.
What BIPA Does Not Cover
BIPA explicitly excludes a handful of categories. Photographs by themselves are not biometric identifiers under the statute, nor is information derived from photographs unless a face geometry scan is performed. Demographic data, physical descriptions, and writing samples are also outside scope. Health information already protected by HIPAA, when collected by a covered entity, is excluded as well. None of these carve-outs help a SaaS app that runs face geometry models on user uploads.
The Five Operational Duties Under BIPA
BIPA imposes five concrete obligations on private entities. A defensible compliance program addresses every one of them in writing, in product, and in vendor contracts.
- Written, informed consent before collection. Before capturing or receiving biometric data, you must inform the individual in writing of the specific purpose and the length of term for which the data will be collected, stored, and used, and obtain a written release. After the 2024 amendments, electronic signatures explicitly count as written consent.
- A publicly available retention and destruction policy. You must publish a written schedule and guidelines specifying when biometric data will be destroyed — at the latest, when the initial purpose is satisfied or three years after the individual's last interaction, whichever comes first.
- No selling or profiting from biometric data. The statute flatly prohibits selling, leasing, trading, or otherwise profiting from a person's biometric identifier or biometric information.
- Tightly limited disclosure. You may only disclose biometric data with explicit consent, to complete a financial transaction the subject authorized, when required by law, or pursuant to a valid warrant or subpoena.
- Reasonable storage and protection standards. Biometric data must be stored, transmitted, and protected using the reasonable standard of care within your industry, and in a manner at least as protective as the one you use for other confidential and sensitive information.
Notice that BIPA does not regulate whether you collect biometrics — it regulates how. A clean opt-in flow, a published retention schedule, and a vendor agreement that mirrors these duties take you most of the way there.
Why BIPA Is Different From Every Other US Privacy Law
BIPA's bite comes from one feature: the private right of action. Unlike CCPA (which limits private suits to data breaches) and every other state comprehensive privacy law, BIPA lets any aggrieved Illinois resident sue directly for any violation. Combined with statutory damages, that turns small process failures into class actions.
| Violation type | Statutory damages | Other remedies |
|---|---|---|
| Negligent | $1,000 per person | Actual damages if higher; attorneys' fees and costs; injunctive relief |
| Intentional or reckless | $5,000 per person | Actual damages if higher; attorneys' fees and costs; injunctive relief |
Earlier interpretations of BIPA treated each individual scan or transmission as a separate violation, producing potentially astronomical exposure for systems that scan employees in and out of work many times a day. That theory was endorsed by the Illinois Supreme Court in early 2023, which is what triggered the legislative response described below.
What Changed in 2024: SB 2979 and Its Ripple Effect
On August 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law, amending BIPA in two important ways that materially reduce — but do not eliminate — exposure for ongoing operations.
One Recovery Per Person
Multiple collections or disclosures of the same person's biometric data, in the same manner, now count as a single violation. A timekeeping system that scans an employee's fingerprint twice a day for three years is one $1,000 (or $5,000) exposure per employee, not roughly 1,500 of them. The U.S. Court of Appeals for the Seventh Circuit subsequently held that this amendment applies retroactively to pending cases, which dramatically reshaped the settlement landscape.
Electronic Signatures Count
The amendment also clarified that an electronic signature satisfies BIPA's written-consent requirement, removing any lingering ambiguity for app onboarding flows. A standard click-through consent — clearly worded, with a checkbox tied to a timestamped record — now plainly works.
Critically, SB 2979 did not change the substantive duties of the statute. You still need consent, a retention schedule, and reasonable safeguards. The amendment narrows the damages multiplier; it does not move the goalposts on what compliance looks like.
Who Is Actually In Scope?
BIPA applies to any private entity that collects, captures, purchases, receives, or otherwise obtains a person's biometric data, where that person is an Illinois resident at the time. There is no revenue threshold and no employee minimum. A two-person startup is treated the same as a Fortune 500 company.
The harder question is geographic: does BIPA reach an out-of-state SaaS vendor? Courts have generally held that BIPA can apply when the relevant collection or processing occurs in Illinois — for example, when an Illinois employee uses your authentication SDK on a device located in Chicago. If your product is sold to companies with Illinois employees or end users, assume you are in scope and design accordingly.
Common SaaS scenarios that pull a vendor into BIPA include face-recognition login, voice-based call analytics, fingerprint-based time clocks resold to employers, video-interview platforms that score facial movement, and any AI feature that builds an embedding from a face or voice for identification purposes.
A Practical BIPA Compliance Checklist for SaaS Teams
If you are starting from zero, here is the order most SaaS teams should run through. Each item is a pass/fail; together they form a defensible record.
- Map your biometric flows. Document every place biometric identifiers or embeddings are captured, transmitted, stored, or shared — including third-party SDKs and ML model providers.
- Write a public retention and destruction schedule. Publish it on your site (your privacy policy or a dedicated biometrics policy is the usual home). Specify the trigger for destruction and the maximum window.
- Build an explicit consent surface. Before the first scan, present a clear notice that names the data, the specific purpose, and the retention term, with a separately-affirmed checkbox or signature. Capture the timestamp, IP, and exact text shown.
- Update vendor and customer DPAs. If you are a processor, your data processing agreement should commit your customer (the controller) to obtaining BIPA-compliant consent and should mirror your retention obligations downstream.
- Lock down storage. Encrypt biometric records at rest, restrict access to a named role, and log every read. If you would not store production passwords this way, you should not be storing biometrics this way.
- Do not monetize, period. No selling, no leasing, no trading. Audit any data-sharing pipeline (analytics, ad tech, model-training) for accidental biometric exfiltration.
- Train the humans. Engineering, product, support, and sales all need to know what biometric data is and how to escalate any new use case for review.
- Refresh your privacy policy. Add a dedicated section on biometric data, mirroring your retention schedule. A privacy policy generator can produce the surrounding scaffolding, but the biometric-specific clauses need careful review.
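As an added illustration of the consent-capture and retention-schedule items above (example code written for this guide, not code from the article or any vendor), the following Python sketch records a written release with the timestamp, IP and a hash of the exact notice text shown, refuses to proceed without an affirmative act, and computes the destruction deadline as the earlier of "purpose satisfied" and "three years after the last interaction". All function and field names are assumptions, and three years is approximated as 3 * 365 days.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed example, not the article's or any vendor's code. Timestamps are
# ISO-8601 strings as they would sit in an audit table; names are assumptions,
# and "three years" is approximated as 3 * 365 days.
THREE_YEARS = timedelta(days=3 * 365)


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str          # the specific purpose named in the notice
    retention_term: str   # the length of term named in the notice
    notice_sha256: str    # hash of the exact notice text the user saw
    ip: str
    signed_at: str        # timestamp of the affirmative act


def record_consent(subject_id: str, purpose: str, retention_term: str,
                   notice_text: str, ip: str, checkbox_ticked: bool,
                   signed_at: str) -> ConsentRecord:
    """Write the release record; refuse if there was no affirmative act."""
    if not checkbox_ticked:
        raise PermissionError("no affirmative consent; do not capture biometrics")
    digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
    return ConsentRecord(subject_id, purpose, retention_term, digest, ip, signed_at)


def destruction_deadline(last_interaction: str,
                         purpose_satisfied_at: Optional[str] = None) -> str:
    """Earlier of: purpose satisfied, or three years after the last interaction."""
    cap = datetime.fromisoformat(last_interaction) + THREE_YEARS
    if purpose_satisfied_at is not None:
        cap = min(cap, datetime.fromisoformat(purpose_satisfied_at))
    return cap.isoformat()


def must_destroy(last_interaction: str, now: str,
                 purpose_satisfied_at: Optional[str] = None) -> bool:
    """True once the published schedule says the record should be gone."""
    deadline = destruction_deadline(last_interaction, purpose_satisfied_at)
    return datetime.fromisoformat(now) >= datetime.fromisoformat(deadline)


def overdue_subjects(ledger: dict, now: str) -> list:
    """Sweep a {subject_id: (last_interaction, purpose_satisfied_at)} map."""
    return sorted(s for s, (last, done) in ledger.items() if must_destroy(last, now, done))
```

Run `overdue_subjects` on a schedule (cron, or a job in your data platform) and treat a non-empty result as a deletion task with its own audit trail, so the published schedule and the actual deletions can be shown to match.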
How BIPA Interacts With Other Privacy Laws
Illinois is no longer the only state in this lane. Texas and Washington have biometric privacy statutes (without private rights of action), and most modern comprehensive privacy laws — including Texas's TDPSA, Colorado's CPA, and Connecticut's CTDPA — treat biometric data as a sensitive category requiring opt-in consent. The GDPR also treats biometric data used for unique identification as a special category requiring an explicit Article 9 lawful basis.
The practical upshot: if your BIPA program is solid, you will likely satisfy the biometric-specific provisions of every other US state law and a meaningful portion of GDPR Article 9. Build for Illinois first; the rest of the country comes along.
Common SaaS Mistakes That Drive BIPA Litigation
Plaintiffs' firms have spent fifteen years finding the soft spots. The same handful of failures show up in case after case.
- Treating embeddings as not biometric. Hashed face vectors and voice embeddings are biometric information when used for identification. The fact that the original image is discarded does not save you.
- Implicit consent through a buried policy. A privacy policy link in the footer is not a written release. BIPA requires a specific, affirmative act tied to specific notice.
- Indefinite retention by default. "We keep it as long as the account is active" is not a destruction schedule. The statute requires a defined endpoint.
- Subcontractor surprises. A vendor that processes biometrics on your behalf is collecting under BIPA. Your DPA must obligate them to mirror BIPA's duties — and you should confirm they actually do.
- Marketing copy that contradicts the policy. "We never store your face" on the homepage, while the SDK silently caches embeddings, is a gift to the plaintiffs' bar.
What to Do If You Just Realized You Are Out of Compliance
The right move is not to panic-delete data — that may itself create discovery and statutory issues. Instead, in this order: stop new collection that lacks proper consent, document what you discovered and when, draft a remediation plan with owners and dates, get qualified Illinois counsel involved before sending any external communication, and only then begin the technical clean-up. Voluntary, documented remediation has historically helped, even though it is not a defense in itself. A clean incident-style intake mindset — discover, contain, document, remediate — works well here.
Frequently Asked Questions
Does BIPA apply to my SaaS company if we are based outside Illinois?
Probably yes, if any of your end users or your customers' employees are in Illinois. Courts look at where the collection or processing actually happens, not where the company is incorporated.
Are face embeddings and voice embeddings really covered, even though we never store the raw image or audio?
Yes, when those embeddings are used to identify a specific person. BIPA covers "biometric information" derived from a biometric identifier, not just the raw scan itself.
Do I need a separate biometric consent, or is my existing privacy policy enough?
You need a separate, affirmative consent that names the data, the purpose, and the retention period before collection. A privacy policy disclosure alone is not sufficient under BIPA.
How long can I retain biometric data?
Until the initial purpose is satisfied or three years after the individual's last interaction with you, whichever comes first. The statute requires you to publish your schedule.
Did the 2024 amendment make BIPA less risky?
It reduced the damages multiplier by clarifying that repeated scans of the same person count as one violation, but the substantive duties — consent, retention, no sales, reasonable safeguards — are unchanged.
Can a clickthrough checkbox count as a written release?
Yes. The 2024 amendment makes clear that an electronic signature qualifies, provided the consent text is specific and the user takes an affirmative action.
What are the actual penalties if we get sued?
Statutory damages are $1,000 per affected person for negligent violations and $5,000 per person for intentional or reckless ones, plus attorneys' fees, costs, and injunctive relief. Class actions are common, so the per-person figure is multiplied by the size of the class.
This article is for informational purposes only and is not legal advice. BIPA litigation moves quickly, and the right answer for your product depends on facts a generator cannot see. Consult a qualified Illinois attorney before relying on anything you read here.
Want a starting scaffold for the surrounding documents? Our privacy policy generator and terms of service generator produce a baseline you can layer biometric-specific clauses onto. The biometric provisions still need careful, jurisdiction-aware review — but the rest does not have to start from a blank page.
Further reading from authoritative sources: the Illinois General Assembly's official text of BIPA, the FTC's policy statement on biometric information, and the NIST Face Recognition Vendor Test program for objective accuracy benchmarking of any biometric system you deploy.