Illinois BIPA and Employee Monitoring: 2024 Amendment Compliance Guide
Illinois BIPA biometric employee monitoring compliance is the set of legal requirements under the Illinois Biometric Information Privacy Act that employers must follow when collecting, storing, or using employee biometric identifiers through monitoring, attendance, or authentication systems in Illinois. The 2024 amendment (Public Act 103-769) changed class action damages from per-scan to per-person, reducing maximum exposure but not altering the underlying compliance obligations every Illinois employer must meet.
What Is Illinois BIPA?
Illinois BIPA, formally the Biometric Information Privacy Act (740 ILCS 14), is an Illinois state law enacted in 2008 that creates specific legal obligations for any private entity that collects, stores, uses, or profits from biometric identifiers or biometric information from individuals in Illinois. BIPA was the first comprehensive biometric privacy law in the United States and remains the most litigated, with thousands of class action lawsuits filed under the statute since 2015, many of them against employers.
BIPA covers biometric identifiers: fingerprints, retina or iris scans, voiceprints, hand geometry measurements, and scans of face geometry derived from image or scan analysis. The law requires any covered entity to: maintain a publicly available written data retention and destruction policy; obtain informed written consent before collection; protect data with reasonable security measures; prohibit sale or profit from biometric data; and destroy data when the initial collection purpose is fulfilled or after three years, whichever is sooner.
Why BIPA Matters for Employers
Employers are among the most frequent BIPA defendants because they are the primary deployers of systems that collect employee biometric data at scale. Fingerprint time-clock systems, facial recognition attendance tracking, voiceprint authentication for call center access, and eye-scan security systems all collect BIPA-covered biometric identifiers. When these systems are deployed without a published policy, without individual written consent, or without compliant data handling, every enrolled employee is a potential plaintiff.
The strategic risk calculus changed with the 2024 amendment (Public Act 103-769), but it did not disappear. Before the amendment, some Illinois courts ruled that each scan or collection event was a separate BIPA violation, exposing employers with fingerprint time clocks to millions of dollars in statutory damages calculated across years of daily scans for every enrolled employee. The amendment capped class action exposure at one violation per person per claim type, but a workforce of 500 Illinois employees whose biometric consent was defective still represents potential exposure of $500,000 to $2.5 million in statutory damages before attorney fees.
What Biometric Data Does BIPA Cover?
BIPA defines biometric identifiers as fingerprints, voiceprints, retina scans, iris scans, and scans of hand or face geometry. It defines biometric information as any information based on an individual's biometric identifier used to identify that individual, regardless of how it is captured, converted, stored, or shared.
What BIPA Clearly Covers
The following data collection methods clearly fall within BIPA's scope for employer monitoring and attendance systems:
- Fingerprint readers: Any time clock, access control system, or authentication mechanism that reads and stores fingerprint data or a derived template.
- Facial recognition systems: Software that analyzes employee photographs or video feeds to derive facial geometry measurements used for identification or authentication.
- Iris and retina scanners: High-security access control systems using eye biometrics. Common in financial services, data centers, and government facilities.
- Voiceprint authentication: Systems that analyze voice recordings to derive a biometric voiceprint template used for authentication. Distinct from simple call recording, which BIPA does not directly regulate.
- Hand geometry readers: Time and attendance systems that measure hand dimensions for identification. Common in manufacturing and healthcare facilities.
What BIPA Does Not Cover
BIPA explicitly excludes from biometric identifier status: photographs (not processed for facial geometry extraction), audio and video recordings of a general nature, information derived from photographs for the purpose of identifying criminal suspects, and information collected under HIPAA or similar federal health privacy laws. Video surveillance footage that is not processed through facial recognition software is not a BIPA biometric identifier. Standard employee monitoring software that captures screenshots, tracks application usage, or logs keystrokes does not collect biometric identifiers and is not subject to BIPA.
The Gray Area: Behavioral Biometrics
Behavioral biometrics — systems that derive identification signals from typing rhythm, mouse movement patterns, or scroll behavior — occupy an unsettled position under BIPA. Some courts have entertained arguments that keystroke timing profiles constitute biometric information under the statute's broad definition. Illinois employers using behavioral biometric authentication tools (such as continuous authentication systems used in financial services) should obtain specific legal analysis of whether their system collects BIPA-covered data before determining whether BIPA consent requirements apply.
The 2024 BIPA Amendment: What Changed and What Did Not
Public Act 103-769, signed into law in 2024, amended BIPA's damages provision in response to a series of Illinois Supreme Court decisions that had dramatically expanded litigation exposure for employers. The amendment is significant for litigation strategy but does not change a single substantive compliance requirement.
What Changed: Per-Person Rather Than Per-Scan Damages in Class Actions
Before the amendment, the Illinois Supreme Court ruled in Cothron v. White Castle System (2023) that each biometric scan or collection event was a separate BIPA violation. A fingerprint time clock scanning 100 employees twice daily for two years generated over 146,000 individual violations at the theoretical class action level. At $1,000 per negligent violation, maximum class action exposure reached $146 million for a single employer's time clock program. The 2024 amendment changed this calculation: a plaintiff may recover damages for one violation of each subsection of BIPA per individual, regardless of how many times the violation occurred.
This change reduced maximum class action damages significantly. The same 100-employee time clock program now faces maximum statutory exposure of $100,000 to $500,000 (one violation per person at $1,000 to $5,000) rather than $146 million. Courts retain discretion to award actual damages if they exceed statutory damages, and attorney fee provisions remain, meaning large-scale biometric programs still carry substantial litigation risk.
What Did Not Change: Every Substantive Compliance Requirement
The 2024 amendment changed nothing about the obligations that prevent BIPA violations from occurring. Employers still must: publish a written retention and destruction policy before collecting biometric data; obtain written informed consent from each employee before each type of biometric identifier is collected; limit data retention to three years or end of employment, whichever is earlier; protect biometric data with reasonable security measures; and never sell, trade, lease, or profit from biometric data. The amendment did not create any new safe harbor, did not establish a notice-and-cure period, and did not add a statute of limitations shorter than the existing five-year general limitations period.
The Strategic Risk That Remains
The 2024 amendment reduced but did not eliminate the strategic case for BIPA class action litigation against employers. A 2,000-employee Illinois manufacturer using fingerprint time clocks without compliant consent agreements faces potential class action exposure of $2 million to $10 million in statutory damages (one violation per person) before attorney fees. At typical BIPA plaintiff attorney hourly rates, fee awards in the $3 million to $7 million range have been common in settled class actions. Total exposure in a 2,000-person defective-consent scenario remains in the $5 million to $17 million range — a number that still drives early settlement economics for defendants.
Which Monitoring Software Features Trigger BIPA?
Employers evaluating or currently deploying employee monitoring software need to assess each feature category against BIPA's biometric identifier definition. The majority of standard employee monitoring capabilities do not involve biometric data. However, specific feature additions, particularly in the authentication and AI analysis categories, can bring a monitoring program within BIPA's scope.
Features That Trigger BIPA
- Facial recognition screenshot authentication: Some monitoring software uses facial recognition to verify that the enrolled employee is the person present at the monitored device. Each facial recognition authentication event collects facial geometry data, triggering BIPA requirements for Illinois employees.
- Keystroke biometric authentication: Continuous authentication systems that build and compare keystroke rhythm profiles to verify user identity collect behavioral biometric data that may constitute biometric information under BIPA's broad definition.
- Voice analytics with biometric profiling: Call recording software that derives individual voice biometric templates for speaker identification goes beyond standard call recording into BIPA territory.
- AI emotion detection from facial analysis: Software that analyzes webcam feeds to infer employee sentiment or engagement through facial expression analysis derives facial geometry measurements, potentially triggering BIPA.
Features That Do Not Trigger BIPA
- Application and URL tracking (no biometric data involved)
- Screenshot capture (photographs not processed for facial geometry)
- Time tracking and clock-in/out logging
- Keystroke count monitoring (total keystrokes, not timing patterns for authentication)
- Idle time and active time detection based on mouse and keyboard input signals
- Productivity scoring based on application usage patterns
- Video surveillance footage not processed through facial recognition software
- Call recording stored as audio files without voiceprint template derivation
Does eMonitor Collect Biometric Data?
eMonitor does not collect biometric identifiers. eMonitor's core monitoring features — application usage tracking, URL logging, screenshot capture, time tracking, idle/active detection, and keystroke count monitoring — do not involve fingerprints, facial geometry, voiceprints, iris scans, hand geometry, or any other biometric identifier defined by BIPA. Illinois employers using eMonitor for standard workforce monitoring do not trigger BIPA consent, policy, retention, or destruction requirements for their eMonitor data.
eMonitor's screenshot feature captures images of employee screens. These screenshots are photographs of screen content, not facial images processed for geometric analysis. BIPA explicitly excludes photographs from the definition of biometric identifier unless they are processed to extract facial geometry for identification purposes. eMonitor does not process screenshot images for facial recognition. The screenshots are stored and displayed as visual records of screen activity, not analyzed for biometric content.
Employers who have separately deployed facial recognition attendance systems, fingerprint time clocks, or voice biometric authentication alongside eMonitor face BIPA obligations for those separate systems but not for eMonitor's own data collection. The compliance analysis for each system must be conducted independently. For employers considering adding AI-powered features to their monitoring stack, verify that no feature involves facial geometry derivation, voiceprint template creation, or fingerprint processing before deployment in Illinois.
BIPA Compliance Checklist for Employers with Biometric Systems
The following steps apply to Illinois employers who have confirmed that at least one of their monitoring, authentication, or attendance systems collects BIPA-covered biometric identifiers. Complete all steps before activating any biometric data collection.
- Determine if your monitoring software collects biometric identifiers. Review your monitoring software's feature list for facial recognition, fingerprint-based authentication, voice biometric analysis, retinal scanning, or any feature that derives a unique identifier from physical characteristics. Standard activity tracking, screenshot capture, and time tracking do not collect biometric identifiers under BIPA.
- Draft a written biometric data retention and destruction policy. BIPA requires a publicly available written policy stating: what biometric data is collected, the purpose of collection, the retention schedule (maximum 3 years or end of employment relationship, whichever is first), and the destruction protocol. This policy must be in place before any collection occurs.
- Obtain written informed consent from each employee. Before collecting any biometric identifier, obtain a written release signed by the employee. The release must inform the employee of the specific biometric data being collected, the purpose, and the retention period. Opt-out mechanisms do not satisfy this requirement.
- Implement data retention limits. Configure your systems to automatically flag biometric data records for deletion at the earlier of: three years from collection, or termination of the employee's relationship with the employer. Manual deletion processes create compliance gaps. Automated destruction workflows are strongly preferred.
- Secure biometric data with reasonable safeguards. Apply encryption at rest and in transit, access logging, and role-based access controls. BIPA requires the same standard of care applied to other confidential and sensitive data held by the employer.
- Prohibit sale or profit from biometric data. Review your monitoring and authentication vendor contracts to confirm they do not include provisions permitting the vendor to sell, trade, or profit from your employees' biometric data. Any such provision transfers BIPA risk to your organization as the collecting entity.
- Document compliance records. Retain evidence of: written policy publication date, each employee's signed consent with collection date, the date and method of biometric data destruction for departed employees, and all third-party contracts covering biometric data.
Illinois BIPA vs. Other State Biometric Laws
Illinois BIPA is the most plaintiff-favorable biometric privacy law in the United States, but several other states have enacted or are considering similar legislation. Employers operating across multiple states need a state-by-state compliance view rather than a single policy.
| Factor | Illinois BIPA | Texas CUBI | Washington SHB 1672 |
|---|---|---|---|
| Private right of action | Yes | No (AG enforcement only) | Yes |
| Consent required | Written, affirmative, before collection | Written, before collection | Notice required (not biometric-specific) |
| Retention limit | 3 years or end of purpose, whichever first | 1 year after initial purpose fulfilled | Not specified for biometrics |
| Statutory damages | $1,000 (negligent) to $5,000 (intentional) per person | $25,000 per violation (AG) | $500+ per violation (private) |
| Public policy required | Yes, before collection | Yes | No specific requirement |
| AI biometric restrictions | Covered by biometric identifier definition | Covered by biometric identifier definition | Explicit AI restriction provision |
For Illinois employers with operations in Washington state, both sets of requirements apply simultaneously. An Illinois-headquartered company with Washington-based remote employees must comply with BIPA for biometric data collection and with Washington SHB 1672 for the 15-day advance notice, off-duty monitoring prohibition, and AI monitoring restrictions. See the full US state monitoring law comparison for a 50-state analysis.
Illinois BIPA Biometric Monitoring FAQ
What is Illinois BIPA?
Illinois BIPA (Biometric Information Privacy Act, 740 ILCS 14) is an Illinois state law enacted in 2008 that governs the collection, storage, use, and destruction of biometric identifiers and biometric information by private entities. BIPA requires written retention policies, informed written consent before collection, reasonable data security, and destruction of data within three years or at end of the employment relationship. BIPA includes a private right of action with statutory damages of $1,000 to $5,000 per violation per person.
Does employee monitoring software violate BIPA?
Standard employee monitoring software does not violate BIPA because it does not collect biometric identifiers. Application tracking, screenshot capture, time tracking, keystroke counts, and URL monitoring do not involve fingerprints, facial geometry, voiceprints, or other BIPA-covered biometric identifiers. Monitoring software that incorporates facial recognition authentication, voice biometric analysis, or fingerprint-based access triggers BIPA requirements.
What did the 2024 BIPA amendment change?
Public Act 103-769 changed how BIPA damages are calculated in class action lawsuits. Before the amendment, courts ruled that each biometric scan was a separate violation. The amendment limits class action damages to one violation per person per claim type rather than one per scan. This reduced maximum class action exposure but did not change any substantive compliance obligations — written consent, retention limits, and destruction requirements remain exactly as before.
What biometric data does BIPA protect?
BIPA protects biometric identifiers: fingerprints, voiceprints, retina scans, iris scans, and scans of hand or face geometry. BIPA also protects biometric information, meaning any information based on a biometric identifier used to identify an individual. Photographs and video recordings are not biometric identifiers unless processed to derive facial geometry measurements for identification purposes.
Do employers need written consent for biometric monitoring in Illinois?
Yes. BIPA requires employers to obtain a written release from each employee before collecting any biometric identifier. The release must inform the employee of what biometric data is collected, the specific purpose of collection, and the retention period. Written consent must be affirmative. A biometric consent provision buried in a general onboarding agreement without clear disclosure has been found insufficient by Illinois courts.
What is the BIPA penalty per violation?
BIPA statutory damages are $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus attorney fees and costs. The 2024 amendment changed class action calculation from per-scan to per-person, meaning each plaintiff can recover one set of statutory damages per claim type rather than damages for every collection event. Actual damages may be awarded if they exceed statutory damages.
Does eMonitor collect biometric data?
No. eMonitor does not collect biometric identifiers. eMonitor tracks application usage time, visited URLs, screenshot captures of screen content, keyboard and mouse activity indicators, and clock-in/out timestamps. None of these constitute fingerprints, facial geometry, voiceprints, retina scans, or other biometric identifiers covered by BIPA. Illinois employers using eMonitor for standard activity monitoring do not trigger BIPA requirements.
How long can employers retain biometric data under BIPA?
BIPA requires biometric data to be destroyed at the earlier of: three years from the date of collection, or when the initial purpose for collection has been satisfied. For employee monitoring and attendance programs, the practical limit is three years from collection or upon termination of employment, whichever comes first. Employers must have a written retention and destruction policy in place before collecting any biometric data.
Does BIPA apply to remote workers?
BIPA applies to any individual whose biometric data is collected by an entity in connection with Illinois. A remote employee physically located outside Illinois but whose biometric data is collected by an Illinois employer may have BIPA rights. The analysis depends on where collection occurs and the nexus to Illinois. Illinois-headquartered employers should apply BIPA requirements to all employees whose biometric data they collect, regardless of the employee's physical location.
What should employers do to comply with BIPA for employee monitoring?
Employers should audit all monitoring and authentication tools for biometric data collection, draft and publish a written biometric data retention and destruction policy before any collection begins, obtain signed written consent from each employee before collection, configure systems to automatically destroy biometric data within three years or at employment termination, and verify that monitoring vendor contracts prohibit sale or profit from biometric data. Employers using monitoring software without biometric features do not need to complete these steps for that tool.