What Is BIPA?

BIPA (Illinois Biometric Invasion of Privacy Act)

The Illinois Biometric Invasion of Privacy Act (BIPA), enacted in 2008, grants Illinois consumers the right to their own biometric data, such as fingerprints, retina or iris information, voiceprints, and DNA. Under the BIPA, private companies are prohibited from collecting biometric information unless (1) the person consents in writing and (2) the companies inform the person in writing of what data is being collected, for what purpose, and for how long. Besides the notice and consent requirement, the law also bans any company from selling or otherwise profiting from consumers’ biometrics.

Like its genetic data counterpart, the Illinois Genetic Information Privacy Act (GIPA), BIPA provides a private right of action that need only a technical violation of the statute to satisfy standing to sue. Plaintiffs need not show harm resulting from the violation.

In August 2024, the Illinois governor signed SB 2979 into effect, limiting BIPA damages and providing for electronic consent.

Winston & Strawn’s Privacy & Data Security practice has vast experience advising clients on BIPA compliance and representing clients in litigation matters related to alleged BIPA violations.