
Illinois BIPA: Why Your Face Is Worth More Here Than Anywhere Else in America

Published by J. Daniel — May 7, 2025

Illinois is the only state where you can sue a company for scanning your face without permission. That one fact changed the entire biometric privacy landscape in the U.S.

The Biometric Information Privacy Act (BIPA) became law in 2008. It requires written consent before a company collects your fingerprints, faceprint, iris scan, or voiceprint. No consent? You sue them directly. Not the attorney general. You.

That private right of action is the entire ballgame. Every other state privacy law funnels enforcement through a government office. BIPA puts it in your hands.

The Damages

$1,000 per negligent violation. They collected without knowing the law.
$5,000 per intentional or reckless violation. They knew and did it anyway.

Per person. Per incident. The Illinois Supreme Court confirmed in 2023 that liability accrues per scan, not once per person. A company scanning your face daily for a year faces 365 separate violations.

The Settlements

Facebook (Meta) — $650 million (2021). Tag Suggestions collected faceprints of Illinois users without written consent. Roughly $350 per claimant across 1.6 million people.

Google — $100 million (2022). Google Photos grouped faces without BIPA-compliant consent.

TikTok — $92 million (2022). Filters and effects harvested faceprints and voiceprints without disclosure.

Clearview AI — settlement (2023). Scraped billions of photos from the open web. The class action banned sales of the database to most private companies.

These are not fines. These are settlements forced by individual lawsuits. That distinction matters.

What BIPA Covers

Five categories: fingerprints, faceprints, iris scans, voiceprints, and hand/palm geometry. Before collecting any of them, a company must disclose the purpose and storage duration in writing, obtain your written consent (click-through ToS does not count), and publish a retention and destruction policy.

Why It Matters Nationally

Texas and Washington have biometric laws, but enforcement sits with the attorney general. California, Colorado, Connecticut, Utah, and Virginia allow Clearview AI opt-outs. None of them give individuals the right to sue.

BIPA is the reason Facebook changed its facial recognition defaults. It is the reason Google settled. Companies do not change behavior because of complaints filed with a state office. They change because lawsuits cost money.

If you live outside Illinois, the same protective steps apply — audit your facial recognition exposure, submit opt-outs, strip photo metadata, remove broker listings. You just lack the legal teeth if a company ignores you.

BIPA was written before FaceID existed. Before Clearview. Before dating apps stored faceprints for identity verification. The lawmakers who wrote it saw where this was heading. The settlement numbers prove they were right.

— J. Daniel, Dark Scrub
