Illinois BIPA and Employee Monitoring: Biometric Privacy Compliance Guide

The Illinois Biometric Information Privacy Act (BIPA) imposes some of the strictest biometric data rules in the United States, with penalties reaching $5,000 per intentional violation. For employers using monitoring tools that touch fingerprints, facial recognition, or other biometric identifiers, BIPA compliance is not optional. This guide covers what BIPA requires, which employee monitoring features trigger its provisions, and how to build a compliant monitoring program in 2026.

Illinois BIPA employee monitoring refers to the intersection of the Illinois Biometric Information Privacy Act (740 ILCS 14) and workplace monitoring software that collects, stores, or uses biometric identifiers. BIPA is a state privacy law enacted in 2008 that regulates how private entities handle biometric data, including fingerprints, retina scans, voiceprints, and facial geometry scans. Since 2015, BIPA has generated over 2,000 class-action lawsuits (Seyfarth Shaw, "BIPA Litigation Report," 2025), making it the most actively litigated biometric privacy statute in the country. Employers operating in Illinois, or managing Illinois-based employees remotely, must understand exactly which monitoring features trigger BIPA obligations and which do not.

The stakes are concrete. In 2023, the Illinois Supreme Court ruled in Cothron v. White Castle Restaurants that each individual biometric scan constitutes a separate BIPA violation. For a company scanning employee fingerprints daily over several years, the cumulative liability can reach hundreds of millions of dollars. White Castle's potential exposure in that case was estimated at over $17 billion (Reuters, February 2023). That ruling changed the risk calculus for every Illinois employer using biometric technology.

What Is the Illinois Biometric Information Privacy Act (BIPA)?

The Illinois Biometric Information Privacy Act is a state statute that regulates the collection, storage, use, and destruction of biometric identifiers and biometric information by private entities. Governor Rod Blagojevich signed BIPA into law in October 2008, making Illinois the first state in the US to enact standalone biometric privacy legislation.

BIPA defines two categories of protected data. Biometric identifiers include retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Biometric information refers to any information derived from biometric identifiers that is used to identify an individual, regardless of how it is captured, converted, stored, or shared (Section 10).

The law explicitly excludes certain data types: writing samples, written signatures, photographs, demographic data, tattoo descriptions, physical descriptions, and data collected through medical testing or screening. This exclusion matters significantly for employee monitoring. Standard workplace photographs and video feeds that do not involve facial geometry analysis fall outside BIPA's scope.

But what makes BIPA particularly consequential for employers is its private right of action. Unlike most privacy statutes that rely on government enforcement, BIPA Section 20 allows any "aggrieved" person to file a lawsuit directly against the collecting entity. No government agency needs to initiate enforcement. No regulatory complaint is required. An individual employee, or a class of employees, can sue and recover statutory damages without proving actual harm.

[Figure: Key provisions of the Illinois Biometric Information Privacy Act (BIPA), by section and requirement]

BIPA Penalties: $1,000 to $5,000 Per Violation, Per Scan

BIPA's penalty structure creates extraordinary financial exposure for employers. Section 20 establishes two tiers of statutory damages. Negligent violations carry damages of $1,000 per violation or actual damages, whichever is greater. Intentional or reckless violations carry damages of $5,000 per violation or actual damages, whichever is greater. The prevailing party also recovers reasonable attorneys' fees and costs, plus other relief including an injunction.

The Cothron v. White Castle decision in February 2023 amplified these penalties dramatically. The Illinois Supreme Court held that a separate claim accrues each time a private entity scans or transmits biometric data without proper consent. Before this ruling, courts debated whether BIPA claims accrued once (at first collection) or repeatedly (at each scan). The Supreme Court settled the question: each scan is a separate violation.

Consider the math for a practical scenario. An employer uses fingerprint scanners for clock-in and clock-out without proper BIPA consent. Each employee scans twice daily across 250 workdays per year. For a 100-employee Illinois office over three years, that totals 150,000 individual scans. At $1,000 per negligent violation, the exposure is $150 million. At $5,000 per intentional violation, the exposure is $750 million. Even with judicial discretion to reduce damages (which the Cothron court acknowledged as an option), the numbers are severe enough to threaten business viability.

Recent settlements confirm that these are not hypothetical figures. Facebook settled a BIPA class action for $650 million in 2021 over its photo-tagging facial recognition feature (Patel v. Facebook). Google settled for $100 million in 2022 over Google Photos face-grouping. BNSF Railway settled for $75 million in 2023 over fingerprint scanning of truck drivers at Illinois facilities. These settlements set the floor, not the ceiling, for employer exposure.

Which Employee Monitoring Features Trigger BIPA?

Not all employee monitoring software triggers BIPA. The critical distinction is whether the software collects, stores, or processes biometric identifiers as defined in Section 10. Most standard monitoring features do not involve biometric data at all. Here is a breakdown by feature category.

Monitoring Features That Trigger BIPA Compliance

Facial recognition for authentication or time tracking. Any system that scans facial geometry to verify identity, log attendance, or grant access to a device or facility collects biometric identifiers. This includes facial recognition time clocks, facial authentication for software login, and AI-powered identity verification that maps facial geometry. All of these trigger BIPA's full consent and policy requirements.

Fingerprint-based time and attendance systems. Fingerprint scanners used for clock-in, clock-out, or facility access collect biometric identifiers directly. This is the most common BIPA trigger in the workplace and the source of the majority of employer-facing BIPA litigation. The BNSF Railway case involved exactly this scenario: fingerprint scanning of workers at gate entry without written consent.

Iris or retina scanning for access control. High-security facilities sometimes use iris scanners for restricted area access. Iris and retina scans are explicitly listed as biometric identifiers under BIPA Section 10.

Voice recognition for identity verification. Systems that analyze voiceprint characteristics to verify a speaker's identity collect biometric identifiers. This is distinct from simple voice recording, which does not involve biometric analysis. A call center that records calls is not collecting voiceprints under BIPA. A system that uses voice patterns to authenticate an employee's identity before granting system access is collecting voiceprints.

Monitoring Features That Do Not Trigger BIPA

Screenshot and screen recording. Periodic screenshots and continuous screen recordings capture visual output of the employee's display. They do not collect biometric identifiers. Even if a screenshot incidentally captures a webcam preview showing the employee's face, this constitutes a photograph, which BIPA explicitly excludes from its definition of biometric identifiers.

Application and website usage tracking. Monitoring which applications and websites an employee uses, and for how long, involves no biometric data. Activity classification engines that label apps as productive or non-productive operate on application metadata, not physiological data.

Keystroke and mouse intensity measurement. Tracking typing speed, click frequency, and mouse movement patterns measures behavioral input intensity. These are behavioral metrics, not biometric identifiers. BIPA specifically covers physiological characteristics like fingerprints, retinas, and facial geometry, not behavioral patterns captured through standard input devices.

GPS and location tracking. Location data from mobile devices or geo-fenced attendance systems does not involve biometric identifiers. GPS coordinates describe where an employee is, not who the employee is based on physical characteristics.

Time tracking and idle detection. Automated time capture, idle time measurement, and attendance logging through software agents operate on system activity data. No biometric identifiers are involved.

eMonitor's core monitoring platform operates entirely within this second category. Activity tracking, screenshot capture, app and website usage analytics, keystroke intensity measurement, time tracking, and idle detection do not collect, store, or process biometric identifiers. Illinois employers using eMonitor's standard feature set are not subject to BIPA obligations for that monitoring activity.

When an employer does use biometric technology in the workplace, BIPA Section 15(b) prescribes a specific consent process. This is not a general "click to agree" mechanism. The law requires three distinct steps, all completed before the first biometric data collection occurs.

Step 1: Written notice. The employer must inform the employee in writing that biometric data will be collected and stored. The notice must identify the specific biometric identifier being collected (fingerprint, facial geometry, voiceprint, etc.) and the specific purpose for collection. A vague statement like "we may collect biometric data for security purposes" is insufficient. The notice must be specific: "We will collect your fingerprint geometry for the purpose of verifying your identity at the time clock system located at 123 Main Street, Chicago, IL."

Step 2: Disclosure of retention and destruction schedule. The written notice must include, or be accompanied by, a disclosure of the employer's data retention schedule and the timeline for permanent destruction of the biometric data. BIPA Section 15(a) requires that destruction occur when the initial purpose for collection is satisfied or within three years of the individual's last interaction with the collecting entity, whichever comes first. For an employer, this means biometric data must be destroyed when the employee terminates or within three years of the employee's last biometric scan, whichever happens first.

Step 3: Written release signed by the employee. After receiving the written notice and retention disclosure, the employee must sign a written release authorizing the collection. Verbal consent does not satisfy BIPA. Implied consent (e.g., the employee used the fingerprint scanner without objecting) does not satisfy BIPA. The release must be a distinct written authorization, not buried in a 40-page employee handbook acknowledgment. Electronic signatures are acceptable, provided they meet the requirements of the Illinois Electronic Commerce Security Act.

Timing matters. All three steps must occur before the employer collects any biometric data from the employee. Retroactive consent, where an employer collects biometric data first and obtains written consent later, does not cure the violation. Each scan taken without prior consent is a separate violation under Cothron.

[Figure: Three-step BIPA consent process flowchart for employers implementing biometric employee monitoring]

Building a BIPA-Compliant Retention and Destruction Policy

BIPA Section 15(a) requires every private entity possessing biometric data to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. This policy is not optional. It is a standalone legal requirement, separate from the consent process. Failure to maintain the policy is itself a BIPA violation, even if consent was properly obtained.

A compliant retention and destruction policy must address five elements. First, it must identify all biometric data the organization collects and stores, by type and purpose. Second, it must establish a specific retention period. Third, it must define the trigger for data destruction (purpose fulfilled or three-year cap). Fourth, it must describe the method of destruction (secure deletion, physical destruction of storage media, etc.). Fifth, it must designate a responsible party within the organization for managing the retention schedule and executing destruction.

The three-year maximum retention period runs from the employee's last interaction with the collecting entity. For terminated employees, the clock starts at the termination date. For active employees, the clock resets with each interaction, but the policy must still define the maximum retention period and the destruction process that triggers when the purpose is satisfied.

Organizations should also address data stored by third-party vendors. If a biometric time clock vendor stores fingerprint templates on its servers, the employer's retention policy must account for this. The employer remains responsible for ensuring the vendor destroys biometric data according to the retention schedule. BIPA Section 15(d) prohibits selling, leasing, trading, or otherwise profiting from biometric data, and Section 15(e) requires reasonable security measures equivalent to those used for other confidential information.

The BIPA Litigation Landscape: What Employers Face in 2026

BIPA litigation has evolved from a niche privacy concern into one of the most significant employment law risks in the United States. Understanding the current state of litigation helps employers assess their exposure and prioritize compliance investments.

According to Seyfarth Shaw's annual BIPA litigation report, Illinois courts saw over 320 BIPA filings in 2024 alone, a 15% increase from 2023. The majority targeted employers using biometric time and attendance systems without proper consent. The plaintiffs' bar has developed a repeatable litigation model: identify an employer using fingerprint or facial recognition technology, verify the absence of a written consent process, and file a class action on behalf of all affected employees.

Three key rulings have shaped the current landscape. Rosenbach v. Six Flags Entertainment Corp. (2019) established that plaintiffs do not need to prove actual injury or adverse effect beyond the technical BIPA violation itself. Cothron v. White Castle (2023) held that each biometric scan constitutes a separate claim. Tims v. Black Horse Carriers (2023) set a five-year statute of limitations for both negligent and intentional BIPA claims, providing a defined lookback period for employers to assess their exposure.

The financial outcomes of recent settlements illustrate the risk. In addition to the Facebook ($650 million) and BNSF Railway ($75 million) settlements, Clearview AI agreed to a permanent nationwide injunction prohibiting sale of its faceprint database (ACLU v. Clearview AI, 2022). Topgolf settled for $5.75 million in 2023 over fingerprint-based check-in systems. These cases demonstrate that BIPA exposure is not limited to tech companies; any employer using biometric technology in Illinois is a potential defendant.

Recent legislative activity adds another dimension. The Illinois General Assembly passed an amendment in August 2024 clarifying that per-violation damages apply per individual affected, not per scan, for claims arising after the amendment's effective date. This partially limits the Cothron ruling's impact for future violations, but does not retroactively reduce exposure for biometric data collected before the amendment. Employers with historical BIPA non-compliance still face the full per-scan liability.

Illinois BIPA Compared to Other State Biometric Privacy Laws

Illinois BIPA is the most consequential biometric privacy law in the US, but it is not the only one. Texas, Washington, Colorado, and several other states have enacted biometric privacy protections. Understanding how BIPA compares to these laws helps multi-state employers build a national compliance strategy.

| Provision | Illinois BIPA | Texas CUBI | Washington H.B. 1493 | Colorado CPA (biometric provisions) |
|---|---|---|---|---|
| Enacted | 2008 | 2009 | 2017 | 2023 (biometric-specific provisions) |
| Private right of action | Yes (Section 20) | No (AG enforcement only) | No (AG enforcement only) | No (AG enforcement only) |
| Statutory damages | $1,000-$5,000 per violation | $25,000 per violation (AG-imposed) | None specified | Up to $20,000 per violation |
| Written consent required | Yes, signed release | No (notice + opt-out) | No specific consent mechanism | Yes, affirmative consent |
| Retention/destruction policy | Required, 3-year max | Required, 1 year after purpose ends | Not specified | Reasonable retention limit |
| Covers employees | Yes | Yes | Commercial purposes only | Yes |

The critical differentiator is BIPA's private right of action. Texas and Washington rely exclusively on attorney general enforcement, which limits the volume of litigation. Illinois employees can sue directly, and the plaintiffs' bar has built an industry around BIPA claims. This is why BIPA generates hundreds of filings annually while Texas CUBI generates single-digit enforcement actions per year.

For multi-state employers, the practical approach is to use BIPA as the compliance baseline. Any biometric consent process that satisfies BIPA's requirements will also satisfy the less stringent requirements of Texas, Washington, and Colorado. Building to the highest standard eliminates the need for state-by-state compliance variations.

Illinois BIPA Employee Monitoring Compliance Checklist for 2026

Employers operating in Illinois or managing Illinois-based employees should audit their monitoring practices against BIPA requirements. This checklist covers the essential compliance steps.

Step 1: Inventory All Biometric Data Collection Points

Catalog every system that collects biometric identifiers from employees. Common workplace biometric collection points include fingerprint time clocks, facial recognition cameras at building entrances, voice authentication systems for phone-based access, and biometric-enabled laptop login (fingerprint readers, Windows Hello facial recognition). If no systems collect biometric identifiers, document that finding. Employees using personal device biometric features (like unlocking their phone with a fingerprint) are not subject to BIPA because the employer is not collecting or storing that data.

Step 2: Draft a Written Retention and Destruction Policy

Create a standalone biometric data policy that identifies every category of biometric data collected, states the business purpose for each, establishes a retention period not exceeding three years from last interaction, describes the destruction method, and names the individual or role responsible for policy execution. Publish this policy and make it accessible to all affected employees.

Step 3: Build the Consent Process

For each biometric collection point, create a written notice that identifies the specific biometric data being collected, states the specific purpose, and discloses the retention schedule. Create a separate written release form for employees to sign. Implement a workflow that ensures no biometric data is collected until the signed release is on file. Store consent records securely with timestamps.

Step 4: Audit Vendor Contracts

Review contracts with any vendor that receives, processes, or stores biometric data on the employer's behalf. Ensure contracts require the vendor to handle data according to BIPA standards, prohibit the vendor from selling or profiting from biometric data, require the vendor to implement reasonable security measures, and obligate the vendor to destroy data according to the employer's retention policy upon contract termination.

Step 5: Evaluate Non-Biometric Alternatives

For many workplace use cases, biometric technology is not the only option. Badge-based access systems, PIN-based time clocks, and software-based monitoring tools provide equivalent functionality without triggering BIPA. eMonitor's employee monitoring platform tracks attendance, productivity, and work activity using software-based data collection that involves zero biometric identifiers. Employers seeking to eliminate BIPA risk entirely can replace biometric systems with non-biometric monitoring tools while maintaining full workforce visibility.

Step 6: Train Managers and HR

BIPA violations often originate from operational decisions made without legal review. A facilities manager who installs a fingerprint scanner for a server room, or an IT administrator who enables facial recognition on security cameras, can create company-wide BIPA exposure without realizing it. Train all managers, HR staff, and IT personnel to recognize biometric data collection and route new biometric implementations through legal review before deployment.

Six BIPA Compliance Mistakes Illinois Employers Make

BIPA's requirements are straightforward on paper, but employers routinely make implementation errors that create legal exposure. Here are the six most common mistakes based on patterns from BIPA litigation filings.

1. Burying biometric consent in the employee handbook. BIPA requires a specific written release for biometric data collection. A general acknowledgment that the employee has read the handbook does not constitute a valid written release. The consent must specifically reference the biometric data being collected, the purpose, and the retention policy. Handbook acknowledgments are too broad to satisfy BIPA's specificity requirements.

2. Collecting biometric data before obtaining consent. The most common BIPA violation in employment settings is collecting biometric data on an employee's first day before the consent process is complete. Orientation checklists that include fingerprint enrollment before the written release is signed create immediate BIPA exposure. The consent workflow must complete before the first scan.

3. Failing to update the retention and destruction policy. Organizations add new biometric systems without updating their written policy to reflect the new data type, purpose, and retention schedule. The policy must cover every category of biometric data the organization holds. An outdated policy that omits a newly deployed facial recognition system is a standalone BIPA violation.

4. Not destroying biometric data after employee termination. BIPA requires destruction when the initial purpose is satisfied or within three years of last interaction. For terminated employees, the purpose (verifying identity for work access) is satisfied at termination. Biometric data must be destroyed promptly. Organizations that retain fingerprint templates or facial geometry data for years after an employee leaves are in active BIPA violation for each day the data persists.

5. Ignoring vendor data handling. Employers that use third-party time clock or access control vendors often do not verify that the vendor destroys biometric data according to BIPA timelines. The employer remains liable for BIPA violations regardless of whether the violation occurred in the employer's systems or the vendor's. Contract terms alone do not eliminate liability; employers must verify compliance.

6. Assuming remote employees are outside Illinois jurisdiction. BIPA applies based on where the affected individual is located, not where the employer is headquartered. A California-based company using fingerprint authentication for its Illinois remote employees must comply with BIPA for those employees. Remote work has expanded BIPA's effective geographic reach well beyond its statutory borders.

Building an Effective Illinois Employee Monitoring Program Without Biometric Data

Biometric data is not a prerequisite for effective workforce monitoring. Modern employee monitoring platforms provide comprehensive productivity visibility, activity tracking, and attendance management using software-based data collection that involves no biometric identifiers and no BIPA risk.

eMonitor provides Illinois employers with a complete monitoring platform that operates entirely outside BIPA's scope. Activity monitoring tracks application and website usage with role-based productivity classification. Time tracking captures work hours automatically through the desktop agent, without fingerprint or facial recognition authentication. Screenshot capture and screen recording provide visual proof of work activity using display-level data, not biometric data. Idle detection and attendance tracking use system activity signals (keystrokes, mouse movement, application focus) rather than physiological identifiers.

This approach eliminates BIPA risk by design rather than by compliance process. There is no biometric data to consent to, no retention policy to maintain, and no destruction schedule to enforce, because no biometric data is collected in the first place. For employers seeking to reduce legal exposure while maintaining full workforce visibility, non-biometric monitoring is the more defensible path.

The practical outcomes are equivalent. Employers using eMonitor gain real-time productivity insights, automated timesheets, attendance records, and activity analytics, all the workforce intelligence that biometric time clocks are supposed to provide, without the $5,000-per-violation risk that biometric technology carries in Illinois.

What Comes Next: BIPA Developments to Watch in 2026

BIPA continues to evolve through legislation and litigation. Illinois employers should monitor several developments that will shape compliance requirements through 2026 and beyond.

The 2024 amendment's impact on damages calculations. The August 2024 amendment limiting per-violation damages to per-individual rather than per-scan calculations applies only to violations occurring after the amendment's effective date. Courts will interpret the amendment's scope and retroactivity throughout 2026. Employers with pre-amendment biometric collection practices still face the Cothron per-scan standard for historical violations.

Federal biometric privacy legislation. Multiple federal bills addressing biometric privacy have been introduced in Congress, including proposals that would preempt state biometric laws. If federal legislation passes, it could either strengthen or weaken BIPA's protections depending on whether it sets a floor or a ceiling. As of April 2026, no federal biometric privacy law has passed, but the legislative activity signals potential changes.

Expansion to other states. New York City's biometric privacy ordinance (2021), Maryland's facial recognition restrictions, and proposed legislation in Massachusetts and New Jersey indicate a trend toward broader biometric regulation. Employers with multi-state workforces should build compliance programs that anticipate BIPA-style requirements in additional jurisdictions.

AI and biometric analysis convergence. As AI-powered monitoring tools add capabilities like emotion recognition, gait analysis, and behavioral biometrics, the definition of "biometric identifier" will face new tests. Illinois courts have not yet addressed whether behavioral biometrics (typing patterns, mouse movement dynamics) qualify as biometric identifiers under BIPA. The current statutory language focuses on physiological characteristics, but litigation will test the boundaries as technology evolves.

Illinois BIPA in Practice: Three Employer Scenarios

Abstract legal requirements become clearer through practical application. Here are three scenarios that illustrate how BIPA applies to common employee monitoring decisions.

Scenario 1: BPO With 200 Illinois Agents Using Fingerprint Time Clocks

A business process outsourcing firm operates a 200-person contact center in Chicago. Agents clock in and out using fingerprint scanners. The company deployed the scanners two years ago without a BIPA consent process. Each agent scans twice daily, five days a week. The exposure calculation: 200 agents multiplied by 2 scans per day multiplied by 250 workdays per year multiplied by 2 years equals 200,000 individual scans. At $1,000 per negligent violation, the exposure is $200 million. The recommended action: immediately implement a BIPA consent process for all active employees, destroy fingerprint data for any terminated agents, and evaluate transitioning to badge-based or software-based time tracking (like eMonitor) to eliminate future BIPA exposure entirely.

Scenario 2: Remote-First Company With Illinois Employees Using Facial Recognition Login

A software company headquartered in Austin, Texas, has 35 employees working remotely from Illinois. The company requires employees to authenticate through a facial recognition system before accessing internal tools. Because the Illinois employees are physically located in Illinois when their facial geometry is scanned, BIPA applies regardless of the company's Texas headquarters. The company must implement the full BIPA consent process for all 35 Illinois-based employees before they authenticate via facial recognition again.

Scenario 3: Financial Services Firm Using Software-Based Monitoring

A financial advisory firm with 75 employees in Springfield, Illinois, uses eMonitor for activity tracking, time management, and compliance documentation. The monitoring platform captures app usage, website visits, idle time, keystroke intensity, and periodic screenshots. None of these features involve biometric identifiers. The firm has zero BIPA exposure from its monitoring program. The firm does have badge-based access (non-biometric) and standard video security cameras (which capture video but do not analyze facial geometry). Neither triggers BIPA. This firm is fully compliant without any biometric-specific consent process.

Frequently Asked Questions About Illinois BIPA and Employee Monitoring

Does BIPA apply to employee monitoring software?

BIPA applies to employee monitoring software only when the software collects, stores, or processes biometric identifiers or biometric information. Standard monitoring features like screenshot capture, app usage tracking, and time logging do not involve biometric data and fall outside BIPA's scope. Facial recognition for authentication or fingerprint-based clock-in systems do trigger BIPA requirements.

What biometric data does BIPA cover?

BIPA covers biometric identifiers including retina scans, iris scans, fingerprints, voiceprints, and scans of hand or face geometry. It also covers biometric information derived from these identifiers. Standard photographs, demographic data, and physical descriptions are explicitly excluded from BIPA's definition under Section 10.

What are BIPA penalties per violation?

BIPA imposes $1,000 per negligent violation and $5,000 per intentional or reckless violation under Section 20. The Illinois Supreme Court ruled in Cothron v. White Castle (2023) that each individual scan constitutes a separate violation, making cumulative liability potentially catastrophic for repeat data collection.

How do you get BIPA consent for employee monitoring?

BIPA consent requires three steps: provide a written notice stating the specific biometric data being collected and the purpose, disclose the retention schedule and destruction timeline, and obtain a written release signed by the employee before any collection occurs. Verbal consent is insufficient. Electronic signatures on documented forms satisfy the written release requirement.

Can employers use facial recognition for time clocks in Illinois?

Employers can use facial recognition time clocks in Illinois, but only after completing BIPA's consent process. This includes written notice of collection purpose, a published retention and destruction policy, and signed employee consent before the first scan. Several Illinois employers have faced class-action suits for deploying facial recognition clocks without prior consent.

Does BIPA apply to fingerprint-based attendance systems?

BIPA directly applies to fingerprint-based attendance systems because fingerprints are explicitly listed as biometric identifiers under Section 10. Employers must obtain written consent before the first scan, publish a retention policy, and destroy fingerprint data when the employment relationship ends or when the stated retention period expires, whichever comes first.

What is the BIPA retention and destruction policy requirement?

BIPA Section 15(a) requires every employer collecting biometric data to publish a written policy establishing a retention schedule and guidelines for permanently destroying data. Destruction must occur when the initial purpose is satisfied or within three years of the employee's last interaction with the employer, whichever comes first.

Are screenshots and screen recordings considered biometric data under BIPA?

Standard screenshots and screen recordings are not biometric data under BIPA. Biometric identifiers require physiological measurements like fingerprint geometry, retinal patterns, or facial geometry scans. A screenshot capturing a person's face is a photograph, which BIPA explicitly excludes. The distinction is between a photograph and a facial geometry scan.

Can employees sue their employer directly under BIPA?

BIPA provides a private right of action under Section 20, allowing individual employees to sue employers directly without waiting for a government enforcement action. This private right of action distinguishes BIPA from most other state biometric privacy laws and has generated over 2,000 class-action filings since 2015.

Does BIPA apply to out-of-state employers with Illinois employees?

BIPA applies to any entity that collects biometric data from individuals in Illinois, regardless of where the employer is headquartered. An out-of-state company using fingerprint scanners or facial recognition for Illinois-based employees must comply with all BIPA requirements including consent, retention policies, and data destruction timelines.

How does BIPA differ from GDPR biometric data rules?

BIPA requires affirmative written consent before any collection and provides a private right of action with statutory damages. GDPR classifies biometric data as special category data under Article 9, requiring explicit consent or another lawful basis, but enforcement runs through supervisory authorities rather than individual lawsuits. BIPA's per-violation damages create higher financial exposure than GDPR fines for biometric violations.

What monitoring features are safe to use in Illinois without BIPA concerns?

Activity tracking, app and website usage monitoring, screenshot capture, keystroke intensity measurement, time tracking, idle detection, and screen recording all fall outside BIPA's scope because they do not collect biometric identifiers. eMonitor's core monitoring features operate entirely without biometric data, making them compliant with BIPA by design.

Illinois BIPA Employee Monitoring: The Compliance Bottom Line

Illinois BIPA creates real and substantial financial risk for employers that use biometric technology in the workplace. With $5,000 per intentional violation, a private right of action, and the Cothron per-scan damages standard (for pre-2024-amendment claims), the law has generated hundreds of millions of dollars in settlements and continues to produce new class-action filings every month.

The compliance path is clear. If your monitoring program uses biometric identifiers (fingerprints, facial recognition, iris scans, voiceprints), you need a written retention policy, specific written consent from every employee, and a verified destruction process. If your monitoring program uses software-based tools like eMonitor that track activity, time, and productivity without biometric data, BIPA does not apply to your monitoring operations.

For Illinois employers evaluating their monitoring strategy, the simplest risk mitigation is choosing monitoring tools that deliver workforce visibility without touching biometric data. eMonitor provides comprehensive employee monitoring, productivity tracking, activity analytics, and automated timesheets using zero biometric identifiers, giving you the data you need and none of the BIPA exposure you do not.

Start Monitoring Without Biometric Risk

eMonitor delivers full workforce visibility using zero biometric data. 7-day free trial. No credit card required. Setup in under 2 minutes.


Sources

  • Illinois General Assembly, 740 ILCS 14 (Biometric Information Privacy Act), 2008
  • Cothron v. White Castle Restaurants, 2023 IL 128004, Illinois Supreme Court, February 2023
  • Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, Illinois Supreme Court, January 2019
  • Tims v. Black Horse Carriers, 2023 IL 127801, Illinois Supreme Court, February 2023
  • Patel v. Facebook, Inc., No. 18-15982, 9th Circuit (settlement approved 2021)
  • BNSF Railway v. Robles, No. 22-cv-3801, N.D. Ill. (settlement 2023)
  • Seyfarth Shaw, "BIPA Litigation Annual Report," 2025
  • Reuters, "White Castle Faces Potential $17 Billion Liability Under Illinois Biometric Privacy Law," February 2023
  • Illinois General Assembly, SB 2979 (BIPA Amendment), August 2024