Illinois AI Regulation: Biometric Data, Hiring AI, and What Companies Must Do

PolicyGuard Team

Illinois has the strictest US biometric privacy law (BIPA), which applies to AI systems that use facial or voice recognition and carries per-violation private right of action penalties of up to $5,000. Illinois also has the AI Video Interview Act, which requires disclosure and consent for AI interview analysis.

BIPA applies to any organization collecting, storing, using, or sharing biometric identifiers or biometric information of Illinois residents. The AI Video Interview Act applies to employers using AI to analyze video interviews of Illinois job candidates. BIPA uniquely allows individuals to sue directly for $1,000 per negligent violation and $5,000 per intentional or reckless violation, making it the highest-risk AI-adjacent law in the United States for class action litigation.

Who This Applies To: Any organization collecting, storing, using, or sharing biometric data of Illinois residents, including through AI systems using facial recognition, voice recognition, fingerprint scanning, or iris scanning. AI Video Interview Act applies to employers using AI to analyze video interviews of Illinois candidates. Both in-state and out-of-state employers hiring or processing biometric data of Illinois residents are covered.

Illinois occupies a unique position in the US AI regulatory landscape. While other states have passed broad AI governance laws, Illinois has two highly specific statutes that create outsized compliance risk for companies using AI: the Biometric Information Privacy Act (BIPA) and the Artificial Intelligence Video Interview Act. BIPA is not technically an AI law, but it has become the most litigated AI-adjacent statute in the country because so many AI applications involve biometric data processing, from facial recognition in security systems to voice analysis in customer service tools.

The combination of BIPA's private right of action with per-violation statutory damages and the growing use of biometric AI has produced a wave of class action litigation that has resulted in settlements exceeding $1 billion since the law's 2008 enactment. For companies deploying AI systems that process any form of biometric data from Illinois residents, BIPA compliance is not optional. For context on how Illinois fits into the broader regulatory picture, see our 2026 AI regulatory compliance guide. For AI governance in HR specifically, see our AI governance for HR guide.

This guide covers both BIPA and the AI Video Interview Act, explains the specific requirements, penalty structures, and compliance steps, and identifies the operational changes companies need to make to reduce their legal exposure.

What Illinois AI Regulations Require

BIPA: Biometric Information Privacy Act

BIPA regulates the collection, storage, use, and dissemination of biometric identifiers and biometric information. Biometric identifiers include fingerprints, voiceprints, face geometry, iris scans, and retina scans. Biometric information is any information derived from biometric identifiers used to identify an individual. The law's requirements apply to any private entity that collects or possesses biometric data of Illinois residents.

The core BIPA requirements are as follows.

  • Informed written consent: before collecting biometric identifiers or information, a private entity must inform the individual in writing of the specific purpose and length of time for which the data will be collected, stored, and used, and must obtain a written release from the individual.
  • Retention and destruction policy: every entity possessing biometric data must develop a written policy establishing a retention schedule and guidelines for permanently destroying the data when the initial purpose has been satisfied or within three years of the individual's last interaction with the entity, whichever occurs first.
  • Prohibition on sale or profit: no private entity may sell, lease, trade, or otherwise profit from biometric identifiers or information.
  • Disclosure restrictions: no private entity may disclose biometric data unless the individual consents, disclosure is required by law, or disclosure is required by a valid court order.
  • Security obligation: entities storing biometric data must protect it using a standard of care reasonable in the industry and at least as protective as the measures used to protect other confidential and sensitive information.

AI Video Interview Act

The Illinois AI Video Interview Act (820 ILCS 42) regulates the use of artificial intelligence to analyze video interviews submitted by job applicants. The law applies to employers that request applicants to record video interviews and then use AI analysis of the applicant's facial expressions, body language, vocal patterns, or other biometric-adjacent signals. The requirements are as follows.

  • Employers must notify each applicant before the interview that AI will be used to analyze the video.
  • Employers must provide an explanation of how the AI works and what general characteristics it evaluates.
  • Employers must obtain the applicant's consent before using AI analysis.
  • Only individuals involved in the hiring process may view the video.
  • Applicants who are not selected within 30 days can request that the employer delete the video, and the employer must comply within 30 days.
  • Employers may not share applicant videos except with individuals whose expertise is needed to evaluate the applicant.

How BIPA Applies to Common AI Systems

BIPA's reach extends to many AI applications that companies may not immediately recognize as involving biometric data. Facial recognition systems used for building access, employee time tracking, or customer identification all collect face geometry subject to BIPA. Voice-based AI assistants and customer service tools that create voiceprints for speaker identification or authentication trigger BIPA obligations. AI-powered video analytics in retail or workplace settings that identify individuals by facial features require BIPA compliance. Photo tagging and organization features in enterprise software that use facial recognition to categorize images involve biometric identifier collection. Any AI system that processes fingerprint data for authentication, including smartphone or laptop biometric login managed by employers, is covered.

Key Dates and Enforcement Timeline

Date | Requirement | Who | Status
October 3, 2008 | BIPA enacted | All private entities handling biometric data | Active
January 1, 2020 | AI Video Interview Act enacted | Employers using AI video interview analysis | Active
February 2, 2023 | Illinois Supreme Court rules in Cothron v. White Castle that each scan/transmission is a separate violation | All BIPA-covered entities | Active
August 2, 2024 | BIPA amendment limits damages accrual to per-person basis for same violation (SB 2979) | All BIPA-covered entities | Active
2025-2026 | Ongoing class action litigation and enforcement with annual settlement values exceeding $100 million | All entities processing Illinois biometric data | Active
2026 Ongoing | Proposed amendments and additional AI legislation under consideration in Illinois General Assembly | All AI deployers in Illinois | Monitor

Penalties for Non-Compliance

BIPA's penalty structure makes it the most financially dangerous AI-adjacent law in the United States. The statute provides a private right of action allowing any person aggrieved by a BIPA violation to sue directly. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus reasonable attorneys' fees and costs, and injunctive relief.

The 2023 Illinois Supreme Court decision in Cothron v. White Castle Holdings held that each individual biometric scan or transmission constitutes a separate violation, meaning damages can accumulate with every use of a biometric system. However, the 2024 BIPA amendment (SB 2979) limited this by providing that claims accruing from the same type of violation committed by the same entity against the same person are treated as a single claim for damages purposes. This amendment significantly reduces the per-person damage multiplier but does not eliminate class action risk. A class action involving 10,000 affected individuals at $1,000 per person for negligent violations still produces $10 million in statutory damages before attorneys' fees.

The AI Video Interview Act does not include a private right of action. Enforcement is through the Illinois Department of Labor. However, employers who violate the AI Video Interview Act may also face claims under the Illinois Consumer Fraud and Deceptive Business Practices Act, which does allow private actions. The practical penalty for AI Video Interview Act violations tends to be reputational damage and litigation costs rather than large statutory damages.

Notable BIPA settlements illustrate the financial exposure. Facebook settled its BIPA class action for $650 million in 2021 over facial recognition in photo tagging. Google settled a BIPA case for $100 million in 2022 related to face grouping in Google Photos. TikTok settled for $92 million in 2022 over biometric data collection. These settlements demonstrate that BIPA class actions produce nine-figure outcomes, making biometric AI compliance a board-level priority.

Compliance Checklist

  • ☐ Audit all AI systems for biometric data collection including facial recognition, voiceprint analysis, fingerprint scanning, and iris recognition
  • ☐ Develop and publish a written BIPA-compliant retention and destruction policy specifying retention periods and destruction procedures
  • ☐ Implement informed written consent workflows that disclose purpose, retention period, and obtain signed releases before any biometric collection
  • ☐ Verify that no biometric identifiers or information are sold, leased, traded, or used for profit in any AI system or data pipeline
  • ☐ Apply industry-reasonable security measures to all stored biometric data, at minimum equal to protections for other confidential information
  • ☐ For video interviewing AI, implement pre-interview disclosure, AI explanation, and affirmative consent before analysis
  • ☐ Build a 30-day video deletion workflow for unsuccessful candidates who request deletion under the AI Video Interview Act
  • ☐ Establish ongoing monitoring to detect new AI tools or features that may introduce biometric data processing without approved consent workflows

BIPA compliance requires operational changes, not just policy documents. Every biometric touchpoint needs a consent workflow, a retention schedule, and a destruction process. If your organization uses any AI system that processes biometric data from Illinois residents, contact PolicyGuard for a compliance assessment before litigation risk increases further.


How PolicyGuard Helps

PolicyGuard addresses the unique compliance challenges created by Illinois biometric and AI hiring laws:

  • Biometric AI Discovery: PolicyGuard scans your AI system inventory to identify tools that collect, process, or store biometric identifiers, including facial recognition, voiceprint analysis, and other biometric-adjacent AI features. Many organizations discover biometric data processing in AI tools they did not realize triggered BIPA obligations.
  • Consent Workflow Management: PolicyGuard provides configurable consent collection templates that satisfy BIPA's informed written consent requirements. The platform tracks consent status per individual, monitors for expiration based on retention periods, and generates evidence of consent for litigation defense.
  • Retention and Destruction Tracking: PolicyGuard automates retention schedule management for biometric data, triggering destruction workflows when retention periods expire and documenting completed destructions with timestamped audit logs. This addresses one of the most common BIPA violation categories: failing to destroy biometric data within required timeframes.
  • AI Video Interview Compliance: PolicyGuard includes workflow templates for AI Video Interview Act compliance, covering pre-interview disclosure generation, consent tracking, video access restriction monitoring, and automated deletion scheduling for unsuccessful candidates.
  • Litigation Readiness Documentation: PolicyGuard generates compliance evidence packages designed for BIPA litigation defense, including consent records, retention policy documentation, destruction logs, and security measure documentation. When a class action notice arrives, your legal team has the evidence needed to demonstrate compliance efforts.

FAQ

Does BIPA apply to AI systems that process biometric data but do not store it?

Yes. BIPA covers the collection, capture, purchase, receipt through trade, and possession of biometric identifiers and information. Even transient processing of biometric data, such as an AI system that scans a face to grant building access but does not store the facial geometry permanently, constitutes collection under BIPA. The consent and disclosure requirements apply at the point of collection regardless of whether the data is stored long-term.

Can we get BIPA consent through a click-through agreement?

BIPA requires a written release, and courts have interpreted this to mean affirmative consent that clearly identifies the specific biometric data being collected and the purpose of collection. A general terms-of-service click-through that buries biometric consent in broad language is unlikely to satisfy BIPA. Best practice is a standalone consent form specifically addressing biometric data collection, separate from other agreements, with the individual's affirmative signature or electronic equivalent.

Does the AI Video Interview Act apply to live video interviews analyzed by AI in real time?

The statute specifically applies to video interviews that applicants submit and that are subsequently analyzed by AI. The application to live interviews analyzed in real time is not explicitly addressed in the current statute. However, the prudent approach is to apply the disclosure, explanation, and consent requirements to any AI-analyzed video interview of an Illinois candidate regardless of whether the interview is recorded or live. Illinois courts tend to interpret employee protection statutes broadly.

How does the 2024 BIPA amendment affect our liability exposure?

The 2024 amendment (SB 2979) limits per-person damages so that multiple violations of the same type by the same entity against the same person are treated as a single claim. Before this amendment, each biometric scan could be a separate violation, leading to astronomical per-person damages. After the amendment, the exposure is effectively capped at one claim per person per violation type. This reduces but does not eliminate class action risk, as the statutory damages of $1,000 to $5,000 per person across a large class still produce significant total exposure.

We use a third-party AI vendor that processes biometric data. Who is liable under BIPA?

Both parties can face BIPA liability. The entity that collects biometric data directly from the individual bears primary responsibility for obtaining consent and providing disclosures. However, entities that receive biometric data from others, including AI vendors processing data on behalf of clients, are also subject to BIPA's restrictions on disclosure, sale, and security. Your vendor contracts should include BIPA compliance provisions, indemnification for BIPA claims, and audit rights to verify vendor compliance. PolicyGuard can help you assess vendor BIPA compliance as part of your AI governance program. See our AI policy governance guide for vendor management frameworks.

Illinois biometric and AI hiring laws create unique litigation risk that no other state matches. Companies using AI systems that touch biometric data or hiring decisions involving Illinois residents must treat compliance as an urgent priority. Talk to PolicyGuard about building an Illinois compliance program that reduces your class action exposure.
