Illinois BIPA: Why Your Face Is Worth More Here Than Anywhere Else in America

If you live in Illinois, your biometric data has legal protections that don’t exist anywhere else in the country.

The Biometric Information Privacy Act — BIPA — was signed into law in 2008, years before most people had heard the term “facial recognition.” It requires companies to get your written consent before collecting your fingerprints, faceprint, iris scan, or voiceprint. And if they don’t? You can sue them directly.

That private right of action has produced some of the largest privacy settlements in American history.

What Makes BIPA Different

Most state privacy laws are enforced by the attorney general. If a company violates your privacy in Virginia or Colorado, you can file a complaint — but you can’t sue. Illinois is different. Under BIPA, individuals can file lawsuits directly:

$1,000 per negligent violation. Company didn’t know it was violating the law.
$5,000 per intentional or reckless violation. Company knew or should have known.

These are per-person, per-incident damages. When millions of people are affected, the numbers become staggering.

The Settlements That Changed Everything

Facebook (now Meta) — $650 million (2021). Facebook’s “Tag Suggestions” feature used facial recognition to identify people in photos. It collected faceprints of Illinois users without written consent. The settlement paid roughly $350 to each of the 1.6 million Illinois residents who filed claims.

Google — $100 million (2022). Google Photos grouped photos by face without BIPA-compliant consent from Illinois users.

TikTok — $92 million (2022). TikTok collected biometric data including faceprints and voiceprints through its filters and effects without proper consent.

Clearview AI — settlement (2023). Clearview scraped billions of photos from the internet to build a facial recognition database. An Illinois class action resulted in a ban on selling the database to most private companies.

The Illinois Supreme Court confirmed in 2023 that BIPA creates liability per scan, not just per person — meaning a company that scans your face daily for a year faces 365 potential violations.

What BIPA Covers

BIPA protects five categories of biometric identifiers: fingerprints, faceprints, iris scans, voiceprints, and hand/palm geometry.

Before collecting any of these, a company must inform you in writing, tell you the specific purpose and storage duration, get your written consent (click-through Terms of Service isn’t enough), and maintain a publicly available retention and destruction policy.

Why This Matters for Your Digital Footprint

If you live in Illinois and have ever used social media, a dating app, or a phone with facial unlocking, your biometric data has almost certainly been collected by multiple companies.

Facial recognition databases. Companies like Clearview AI have scraped billions of photos from social media and public databases. If any of your photos are online, your faceprint may be in these databases — collected without your consent.

Dating apps. Tinder stores facial geometry data for identity verification. Bumble retains facial geometry for up to three years. These companies collect biometric data from Illinois residents every day.

Retail and public spaces. Some retailers use in-store facial recognition to identify shoppers. In Illinois, all of this requires your written consent.

What Illinois Residents Should Do

Step 1: Audit your facial recognition exposure. Search yourself on PimEyes, FaceCheck.ID, Google Lens, Yandex, and TinEye. See where your face appears. Illinois residents are eligible to opt out of Clearview AI.

Step 2: Submit opt-out requests. For any facial recognition database that has indexed your face, submit formal opt-out and deletion requests. Cite BIPA specifically — companies take Illinois requests more seriously because of the private right of action.

Step 3: Review app permissions. Check which apps have camera access. Disable facial recognition features you don’t need. Review biometric settings in social media apps.

Step 4: Remove your data from brokers. Your name, address, phone, and email are on hundreds of data broker sites. Removing this data reduces the ability to connect your face to your identity.

Step 5: Strip photo metadata. Every photo contains EXIF data — potentially including GPS coordinates, device information, and timestamps. Strip this before posting anywhere.

Step 6: Harden social media. Set profiles to private. Disable face tagging. Remove tagged photos you didn’t consent to. Disconnect linked accounts.

What About the Rest of the Country?

No other state has BIPA’s private right of action for biometric data. Texas and Washington have biometric privacy laws, but only the attorney general can enforce them. California, Colorado, Connecticut, Utah, and Virginia allow Clearview AI opt-outs, but none match Illinois’s comprehensive protections.

If you don’t live in Illinois, you can still take the same protective steps. You just can’t sue if companies don’t comply.

The Bigger Picture

BIPA was written in 2008, before FaceID, before Clearview AI, before dating apps started storing faceprints. The legislators who wrote it were ahead of their time. The settlements prove it works. Companies have changed their behavior — not out of goodwill, but because BIPA makes noncompliance expensive.

If you’re an Illinois resident, your face has legal protections. Use them.