BIPA Compliance
BIPA compliance is adherence to the Illinois Biometric Information Privacy Act — the strictest US state law governing collection and storage of biometric identifiers.
BIPA compliance is adherence to the Illinois Biometric Information Privacy Act (740 ILCS 14, enacted 2008), generally regarded as the strictest US state law governing the collection, storage, and use of biometric identifiers like face geometry, fingerprints, and voiceprints. The statute applies to any business that handles biometrics from Illinois residents, even if the business is based elsewhere.
How it works
BIPA generally requires private entities to: provide written notice that biometrics will be collected and state the purpose and retention period; obtain a written release before collection; publish a retention schedule with a destruction deadline; and refrain from selling or otherwise profiting from biometric data. BIPA also includes a private right of action — individuals can sue directly for violations, which has driven significant litigation against retailers, employers, and technology vendors.
Compliance programs typically combine policy documents, signed consent forms, technical controls (encryption, access logging), and a destruction workflow that runs on schedule.
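The destruction workflow mentioned above is the piece most often left to a cron job nobody audits. The following is an added example (not code from this page, from Remi, or from any named product) of a scheduled retention-enforcement pass: it refuses to keep any template that lacks a written release signed before collection, computes each record's destruction deadline, and emits an audit event for every destruction. The record fields, subject IDs, timestamps and the 3-year outer bound on retention (mirroring the "within 3 years of the last interaction" limit in 740 ILCS 14/15(a)) are assumptions of the example; the page does not specify a retention schedule, so substitute your own published one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed policy parameter: destroy when the collection purpose is satisfied,
# and never later than 3 years after the subject's last interaction.
MAX_RETENTION = timedelta(days=3 * 365)


@dataclass
class BiometricRecord:
    subject_id: str
    template_ref: str                      # handle to the encrypted template, not the biometric itself
    purpose: str
    collected_at: datetime
    last_interaction: datetime
    consent_signed_at: Optional[datetime]  # written release; None means never obtained
    purpose_satisfied_at: Optional[datetime] = None


def collection_permitted(consent_signed_at: Optional[datetime], collected_at: datetime) -> bool:
    """A written release must exist and must predate the collection event."""
    return consent_signed_at is not None and consent_signed_at <= collected_at


def destruction_deadline(rec: BiometricRecord) -> datetime:
    """Earlier of: purpose satisfied, or MAX_RETENTION after the last interaction."""
    outer_bound = rec.last_interaction + MAX_RETENTION
    if rec.purpose_satisfied_at is not None:
        return min(outer_bound, rec.purpose_satisfied_at)
    return outer_bound


def enforce_retention(records: List[BiometricRecord], now: datetime) -> Tuple[List[BiometricRecord], List[Dict[str, str]]]:
    """Return (records_to_keep, audit_log).

    Anything without a valid release, or past its deadline, is scheduled for
    destruction and gets an audit entry so the retention policy is provable later.
    """
    kept: List[BiometricRecord] = []
    audit: List[Dict[str, str]] = []
    for rec in records:
        if not collection_permitted(rec.consent_signed_at, rec.collected_at):
            reason = "no valid written release"
        elif now >= destruction_deadline(rec):
            reason = "retention deadline reached"
        else:
            kept.append(rec)
            continue
        audit.append({
            "event": "biometric_destroyed",
            "subject_id": rec.subject_id,
            "template_ref": rec.template_ref,
            "reason": reason,
            "at": now.isoformat(),
        })
    return kept, audit


def sample_records() -> List[BiometricRecord]:
    """Constructed sample data covering the cases the job must handle."""
    utc = timezone.utc
    return [
        # Valid release, recent interaction, purpose still active: keep.
        BiometricRecord("subj-A", "tpl-A", "timeclock", datetime(2024, 1, 2, tzinfo=utc),
                        datetime(2025, 5, 1, tzinfo=utc), datetime(2024, 1, 1, tzinfo=utc)),
        # No release on file at all: destroy.
        BiometricRecord("subj-B", "tpl-B", "timeclock", datetime(2024, 1, 2, tzinfo=utc),
                        datetime(2025, 5, 1, tzinfo=utc), None),
        # Valid release, but last interaction more than 3 years ago: destroy.
        BiometricRecord("subj-C", "tpl-C", "timeclock", datetime(2021, 1, 2, tzinfo=utc),
                        datetime(2022, 3, 1, tzinfo=utc), datetime(2021, 1, 1, tzinfo=utc)),
        # Release signed after collection (consent captured too late): destroy.
        BiometricRecord("subj-D", "tpl-D", "age-check", datetime(2024, 1, 15, tzinfo=utc),
                        datetime(2025, 5, 1, tzinfo=utc), datetime(2024, 2, 1, tzinfo=utc)),
        # Purpose satisfied before the outer bound: destroy at purpose_satisfied_at.
        BiometricRecord("subj-E", "tpl-E", "age-check", datetime(2025, 5, 10, tzinfo=utc),
                        datetime(2025, 5, 20, tzinfo=utc), datetime(2025, 5, 9, tzinfo=utc),
                        purpose_satisfied_at=datetime(2025, 5, 15, tzinfo=utc)),
    ]


def run_demo() -> Tuple[List[BiometricRecord], List[Dict[str, str]]]:
    """Run one scheduled pass at a fixed 'now' over the constructed records."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    return enforce_retention(sample_records(), now)


if __name__ == "__main__":
    kept, audit = run_demo()
    print("kept:", [r.subject_id for r in kept])
    for entry in audit:
        print(entry)
```

In a real deployment the audit entries go to an append-only log and the `template_ref` handles are passed to whatever actually wipes the encrypted templates; the point of keeping the deadline logic in a pure function is that it can be unit-tested against the published schedule rather than discovered in litigation.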
Why it matters for independent retailers
A small retailer operating in Illinois that turns on a face-based age estimator without consent paperwork can face statutory damages per individual scanned — BIPA sets liquidated damages at $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20). Class actions have produced settlements in the eight- and nine-figure range against larger retailers. Indie operators are not exempt.
For an indie retailer, the practical rule is: don't collect biometrics in Illinois without legal review of the consent flow, and prefer non-biometric alternatives (ID-scan age verification, PIN-based timeclocks) where they meet the operational need. This is general guidance, not legal advice — verify against current statute and counsel.
Related terms
- Biometric Privacy — broader category
- CCPA Retail — adjacent state privacy regime
- Age Verification — common biometric trigger
- Retail PCI Compliance — companion compliance domain
See also
- Remi product page — Remi avoids biometric collection by default
- Multi-Unit Operators — multi-state compliance scope