
What Is BIPA and Why Should You Care?

The Biometric Information Privacy Act (BIPA) is one of the most impactful data privacy laws in the nation—and it was passed right here in Illinois. If your business uses fingerprint scanners, facial recognition, retina scans, or any other biometric identifiers to track employees, authenticate customers, or manage security systems, BIPA applies to you. In this article, we outline what BIPA requires, where most companies fall short, and what you can do to protect your business.

BIPA at a Glance

BIPA regulates the collection, storage, use, and sharing of biometric identifiers and biometric information. According to the law, these terms include:

  • Fingerprints
  • Facial recognition data
  • Retina or iris scans
  • Voiceprints
  • Hand or face geometry scans

Importantly, BIPA does not apply to photographs, writing samples, tattoos, or demographic data. It also excludes biometric data collected in healthcare settings covered under HIPAA.

What makes BIPA especially powerful is that it gives individuals a private right of action. That means any Illinois resident can sue a company for violating their biometric privacy rights—even without proof of actual harm.

What BIPA Requires

Businesses that collect or use biometric data must:

  1. Notify individuals in writing that biometric data is being collected or stored.
  2. Explain the purpose and duration of the data’s use and storage.
  3. Obtain written consent (often called a “written release”) before collecting the data.
  4. Create a publicly available data retention and destruction policy.
  5. Store and transmit data securely, using reasonable standards that are at least as protective as those applied to other confidential information.
  6. Never sell or profit from biometric data.

These requirements apply to employees, customers, vendors, and anyone else whose biometric information is handled by your business.

The Risks of Non-Compliance

Failure to comply with BIPA can be extremely costly:

  • A fine per violation if the violation is found to be negligent
  • A fine per violation if the violation is found to be reckless or intentional
  • Class-action lawsuits alleging thousands of violations are now common

Recent legal cases have shown that even small businesses are not immune. A single biometric time clock used without proper consent can result in hundreds of violations. Multiply that by the statutory penalties, and you’re looking at six- or seven-figure exposure.

Common Mistakes Businesses Make

A business can unintentionally violate BIPA. Here are the most common errors:

  • Using fingerprint or facial recognition systems without providing written notice and obtaining consent.
  • Failing to publish a biometric data policy outlining retention and destruction timelines.
  • Storing biometric data in unsecured systems without encryption or access controls.
  • Not reviewing third-party vendor practices, especially for workforce management or security systems.
  • Assuming BIPA only applies to large corporations.

Even well-meaning companies often overlook these critical areas, leaving them vulnerable to lawsuits and reputational damage.

BIPA Compliance Checklist

We help businesses meet BIPA requirements through a structured, proactive approach:

  1. Data Audit:
    Identify all biometric technologies and data sources used across your organization.
  2. Consent Collection:
    Implement consent forms for employees, customers, and visitors where biometric data is collected.
  3. Policy Development:
    Draft and publish a biometric privacy policy that complies with BIPA requirements.
  4. Vendor Management:
    Ensure your third-party service providers also comply with BIPA.
  5. System Hardening:
    Secure biometric data using encryption, role-based access, and monitoring.
  6. Annual Reviews:
    Regularly reassess your policies and systems as technology and laws evolve.
  7. Employee Training:
    Train your staff on handling biometric data and your internal policies.

Why Partner with Reintivity?

As a Managed IT Services and Consulting firm based in Illinois, we understand local regulations and the unique challenges businesses face here. Our team delivers:

We don’t just check boxes—we work with you to build a culture of compliance that reduces risk and supports growth.


BIPA Compliance Is a Business Essential

With enforcement rising and class-action lawsuits becoming more frequent, BIPA compliance is no longer optional. It’s a critical part of doing business in Illinois. Waiting until you’re facing legal action is too late.

The good news? With expert help, compliance is entirely achievable.

Reintivity is here to help you navigate BIPA and build a privacy-first approach to IT. Let’s protect your business, your customers, and your reputation.


Is your organization compliant? If you're unsure, reach out to us for a quick check-up.
A 30-minute call today could save thousands in losses tomorrow.