Biometric Privacy Violations (BIPA): Legal Rights Over Your Face/Voice Data
SHARE
20. April 2026
Admin
Biometric Privacy Violations (BIPA): Legal Rights Over Your Face/Voice Data
Your face, fingerprints, voice, and iris patterns are unique β and increasingly valuable to corporations. Unlike passwords, you cannot change your biometric identifiers if they are stolen or misused. The Illinois Biometric Information Privacy Act (BIPA) has become the nation's strongest biometric privacy law, enabling individuals to sue companies that collect or use their biometric data without proper consent. This guide explains your legal rights, the companies being sued, and how to take action if your biometric privacy has been violated.
Tip: Document every time you are asked to scan your face, fingerprint, or voice for work or commerce. Save consent screens, privacy policies, and emails about biometric data collection β they are critical evidence.
1. What is BIPA and Who Does It Protect?
Enacted in 2008, Illinois BIPA is the first and most protective biometric privacy law in the United States. Several other states have since followed.
Protected biometric identifiers: Retina or iris scans, fingerprints, voiceprints, hand scans, and face geometry
Written consent required: Companies must obtain written release before collecting, storing, or sharing biometric data
Public disclosure requirement: Companies must publicly disclose their biometric data retention policies and destruction timelines
Private right of action: Individuals can sue for violations β no need to prove actual harm
Statutory damages: $1,000 per negligent violation, $5,000 per reckless or intentional violation
Who is protected: Any person whose biometric data is collected in Illinois β residents and non-residents alike
2. States with Biometric Privacy Laws
While Illinois leads, other states have enacted or are considering similar legislation.
Illinois (BIPA): Strongest law with private right of action and statutory damages
Texas (CUBPA): Capture or Use of Biometric Identifier Act β enforcement by Attorney General only, no private right of action
Washington (HB 1493): Similar to Texas β AG enforcement only
California (CCPA/CPRA): Biometric data treated as sensitive personal information with consumer rights but no standalone private right of action
New York (proposed): Multiple biometric privacy bills pending with private right of action
Colorado, Virginia, Connecticut: Comprehensive privacy laws cover biometric data but enforcement is primarily by AG
Class actions outside Illinois: Plaintiffs increasingly file BIPA-style claims under state common law (invasion of privacy, unjust enrichment)
3. Common Biometric Privacy Violations
Companies face BIPA lawsuits across many industries. Understanding common violations helps you identify potential claims.
Workplace time tracking: Employers using fingerprint or hand scanners for clock-in/clock-out without written consent
Face recognition for security: Casinos, stadiums, and retailers scanning faces without notice or consent
Photo tagging on social media: Facebook, Google Photos, and other platforms using facial recognition without opt-out consent
Voice assistant data collection: Smart speakers and voice-activated devices storing voiceprints without disclosure
Consumer kiosks and lockers: Retail fingerprint scanners for loyalty programs or package lockers
Failure to publish retention policy: Companies collecting biometric data but not disclosing how long it will be kept or when it will be destroyed
Sharing biometric data with third parties: Selling or providing biometric data to vendors, marketers, or data brokers without consent
4. Major BIPA Class Action Lawsuits and Settlements
BIPA litigation has resulted in some of the largest privacy settlements in U.S. history.
Facebook (2021): $650 million settlement β largest privacy class action in history β over facial recognition tagging without consent
Google (2022): $100 million settlement over Google Photos face grouping tool
Snapchat (2022): $35 million settlement over face filters collecting biometric data without notice
Clearview AI (2024): Settled BIPA claims for undisclosed amount β company scraped billions of faces from social media without consent
Six Flags (2019): Illinois Supreme Court ruled BIPA violations do not require actual harm β $36 million settlement for fingerprint scans at park entrances
Walmart (2023): Pending BIPA class action over self-checkout cameras using facial recognition
Marriott and Hyatt (2024): Multiple pending lawsuits over employee fingerprint time clocks
5. Key Legal Holdings from Illinois Courts
The Illinois Supreme Court has issued several landmark rulings interpreting BIPA broadly in favor of privacy protection.
Rosenbach v. Six Flags (2019): No actual harm required to sue under BIPA β violation of procedural rights alone is sufficient injury
McDonald v. Symphony Bronzeville (2022): Each separate scan (e.g., every time an employee clocks in) is a separate violation β potentially massive damages
Cothron v. White Castle (2023): BIPA claims accrue each time biometric data is collected or disclosed β not just once per person
Tims v. Black Horse Carriers (2023): BIPA's one-year statute of limitations runs from the date of each violation
Impact of these rulings: A single employee clocking in 200 times per year could yield 200 separate violations at $1,000-$5,000 each
6. Who Can Be Sued Under BIPA
BIPA applies broadly to any private entity that collects or uses biometric data in Illinois.
Employers: Companies using fingerprint or facial recognition for time clocks, building access, or device login
Technology companies: Social media platforms, photo services, and AI companies using facial or voice recognition
Retailers and hospitality: Stores, hotels, restaurants, and entertainment venues using biometrics for customer identification
Landlords and property managers: Apartment buildings using facial recognition or fingerprint access systems
Schools and universities: Educational institutions using biometrics for cafeteria payments or building access
Government entities: Generally exempt from BIPA but may face constitutional claims
Third-party vendors: Companies that provide biometric systems to other businesses may also be liable
7. Damages Available in BIPA Lawsuits
BIPA's statutory damages structure makes litigation financially viable even for individual claims.
Statutory damages (negligent violation): $1,000 per violation (each scan, each disclosure, each retention failure)
Statutory damages (reckless/intentional): $5,000 per violation
Actual damages: If you can prove monetary loss from biometric data breach (e.g., identity theft), you can recover that amount instead
Injunctive relief: Court order requiring company to stop collecting biometric data or to destroy existing data
Attorney fees and costs: Prevailing plaintiffs recover legal fees β encouraging attorneys to take BIPA cases on contingency
No cap on total damages: A class action with thousands of members and thousands of violations each can result in nine-figure settlements
8. Voice Data and AI Training β Emerging Frontier
As voice assistants and AI models proliferate, voiceprint collection is the newest BIPA battleground.
Voiceprints defined as biometric: BIPA explicitly covers voiceprints β unique vocal characteristics used for identification
Smart speaker lawsuits: Amazon (Alexa), Google (Assistant), and Apple (Siri) face BIPA claims over voice data collection
Call center voice authentication: Companies using voice recognition for customer verification may violate BIPA without consent
AI voice cloning: Emerging claims over companies using voices to train AI models without performer consent
Key distinction: Transcribing speech content (what you say) differs from analyzing voiceprint (how you sound). Both may implicate privacy laws
Pending litigation: Multiple class actions allege voice assistant recordings are used to train voice recognition models without consent
9. Steps to Take If Your Biometric Privacy Was Violated
If you believe a company collected or used your face, fingerprint, or voice data without proper consent, consider this action plan.
Identify the violation: Are you scanning your fingerprint at work? Does a store scan your face? Does an app use voice recognition?
Document everything: Take screenshots of consent screens, photograph biometric scanners, save employee handbooks or privacy policies
Check for written consent: Did you ever sign a written release specifically authorizing biometric collection? (Verbal or electronic clickwrap may not suffice)
Look for retention policy disclosure: Is the company publicly disclosing how long they keep biometric data and when it will be destroyed?
Determine if you are in Illinois: BIPA applies to collection in Illinois. If outside Illinois, check your state's laws
Contact a BIPA attorney: Many law firms specialize in biometric privacy class actions and work on contingency
Join an existing class action: Search for pending BIPA lawsuits against the company β you may be able to join as a class member
Act before statute of limitations expires: BIPA has a one-year statute of limitations from the date of violation
10. Employer BIPA Compliance: Your Workplace Rights
Workplace biometric collection (fingerprint time clocks, facial recognition entry) is the most common BIPA violation source.
Your employer must provide written notice: Explaining that biometric data is being collected, the purpose, and how long it will be kept
Your employer must obtain written release: You must sign a specific biometric consent form β cannot be buried in general onboarding paperwork
Your employer must publish retention policy: Publicly available schedule for destroying biometric data (typically within 3 years of last interaction)
You cannot be retaliated against: Refusing to sign biometric consent is legally protected β employer cannot fire or discipline you for refusal
Alternative access required: Employers must provide reasonable alternative means of clocking in/out for employees who refuse biometric collection
Fired for refusing? You may have wrongful termination and BIPA retaliation claims β consult an attorney immediately
Conclusion
Your face, fingerprints, and voice are uniquely yours β and you have legal rights to control how companies collect and use them. Illinois BIPA provides the strongest protections in the United States, including the right to sue for $1,000-$5,000 per violation without proving actual harm. Landmark rulings from the Illinois Supreme Court have confirmed that each fingerprint scan or face scan is a separate violation, potentially yielding massive damages in class actions. Major settlements β including Facebook's $650 million and Google's $100 million β demonstrate that courts take biometric privacy seriously. If you are scanning your fingerprint at work, having your face scanned at a store, or speaking to a voice assistant, ask: Did the company get my written consent? Do they have a published retention policy? If not, you may have a claim. Act quickly β BIPA's one-year statute of limitations is short, and every day of continued collection creates new violations. Consult a biometric privacy attorney to understand your rights and potential recovery.
β οΈ Note: Biometric privacy laws vary significantly by state. This guide focuses primarily on Illinois BIPA, the nation's strongest law. This is educational and not legal advice. Consult a qualified attorney for your specific situation. Review the full text of Illinois BIPA and check your state's biometric privacy statutes.
