The Illinois Biometric Information Privacy Act — BIPA — is the strictest biometric privacy law in the United States, and Chicago small businesses are squarely in its blast radius. A 14-person manufacturer that switched to fingerprint time clocks in 2019, a property management company in the Loop that installed facial-recognition door readers during the pandemic, and a logistics dispatcher in the southwest suburbs that uses voice authentication on its phone system are all subject to the same law that produced hundreds of millions of dollars in settlements against larger Illinois employers over the past five years.
The good news is that BIPA compliance for a typical small business is not complicated. The bad news is that doing nothing — or doing the wrong things — can produce a class-action lawsuit that easily reaches six figures in defense costs and settlement, even after the 2024 amendment that limited per-scan damages. This guide explains what BIPA actually requires, how the 2024 changes affect your exposure, the specific written policies and consent processes you need in place, and a practical decision framework for whether to keep using biometrics at all.
What BIPA Covers and Why It Matters for Chicago SMBs
BIPA was enacted in 2008 in response to Illinois businesses experimenting with fingerprint payment systems. It defines two key terms: a biometric identifier is a retina or iris scan, fingerprint, voiceprint, hand scan, or scan of face geometry; biometric information is any data based on a biometric identifier used to identify a person. Photographs, demographic data, and standard ID information are explicitly excluded.
The act applies to any private entity — businesses of all sizes, nonprofits, and most other non-government organizations — that collects, stores, or uses biometric identifiers belonging to any Illinois resident. There is no small-business exemption. A six-person Chicago dental practice that runs a fingerprint time clock is held to the same standard as a Fortune 500 employer. The size of the company affects the size of a settlement, not whether the law applies.
For Chicagoland small businesses, the practical universe of BIPA-triggering technology is wider than most owners realize. Fingerprint and hand-scan time clocks are the most common source of litigation. Facial-recognition entry systems for offices, warehouses, and apartment buildings have generated a growing share of recent cases. Voice authentication for phone systems and helpdesk verification, fingerprint login for shared workstations, and any kind of "smart" surveillance camera with facial analytics all create exposure.
How the 2024 BIPA Amendment Changed Your Risk
In August 2024, Illinois Governor Pritzker signed Public Act 103-769, the first significant amendment to BIPA since its passage. The amendment was a direct response to Cothron v. White Castle, the 2023 Illinois Supreme Court case that held every individual fingerprint scan was a separate BIPA violation — a ruling that exposed employers to ruinous statutory damages calculations.
The amendment narrowed that interpretation. Under the new rules, repeated collections of the same biometric identifier from the same person, by the same entity, using the same method, count as a single violation rather than one per scan. The amendment also clarified that electronic signatures qualify as "written releases" for the purpose of obtaining BIPA consent, easing one practical obstacle to compliance.
The amendment did not change the underlying obligations of the act. Written notice, written consent, a public retention and destruction policy, and prohibitions on selling or profiting from biometric data all remain. The amendment also did not narrow the private right of action — affected individuals can still sue without showing any actual harm. For a Chicago small business whose 30 employees used a fingerprint time clock without consent for two years, the maximum statutory exposure under the new rules is closer to $30,000–$150,000 rather than the multi-million-dollar figures that drove pre-amendment headlines, but that range is still company-ending for many SMBs once defense costs and attorneys' fees are added.
The Five Things BIPA Requires
Stripped of legal complexity, BIPA imposes five obligations on any business that collects biometric data from Illinois residents.
1. Written, publicly available retention and destruction policy. You must publish a written policy stating how long biometric data is kept and when it will be destroyed. The default destruction trigger is when the initial purpose for collection has been satisfied or three years after the individual's last interaction with the entity, whichever is sooner. Posting the policy on a public website or including it in a publicly accessible employee handbook satisfies this requirement.
2. Written notice before collection. Before any biometric data is collected, the individual must be informed in writing of (a) the fact that biometric data is being collected or stored, (b) the specific purpose, and (c) the length of time the data will be collected, stored, and used.
3. Written release from the individual. The individual (or a legally authorized representative) must provide a written release before collection. Electronic signatures now expressly qualify after the 2024 amendment.
4. No selling or profiting from biometric data. Selling, leasing, trading, or otherwise profiting from biometric identifiers is flatly prohibited. There are no consent exceptions for monetization.
5. Reasonable safeguards. Biometric data must be stored and transmitted using the reasonable standard of care for the industry, and at least as protectively as you protect other confidential information. In practice, this means encryption in transit and at rest, access controls, audit logs, and a documented incident-response plan.
Common BIPA Mistakes Chicago Small Businesses Make
Almost every BIPA case against an Illinois small business comes down to one of a handful of recurring mistakes.
The most common is assuming the vendor handles compliance. Time-clock vendors, access-control providers, and SaaS platforms typically tell businesses their systems are BIPA-friendly, but the legal obligation to publish a policy, obtain consent, and document the process rests with the employer, not the vendor. When a class-action lawyer files suit, the named defendant is the business that obtained the fingerprints — not the platform that stored them.
The second most common mistake is treating biometric consent like a casual checkbox. A line in an employee handbook saying "you agree to use the time clock" does not satisfy BIPA. The consent must specifically disclose biometric collection, identify the data type, state the purpose, identify the third party (if any) that processes the data, and state the retention period. It must be obtained before the first scan — not bundled with paperwork delivered three weeks into employment.
The third recurring mistake is forgetting to handle offboarding. BIPA's destruction requirement triggers when the initial purpose is satisfied. When an employee leaves, that purpose has ended for them. Many small businesses never instruct the vendor to destroy the templates of former employees, leaving years of orphaned biometric records that violate the act's destruction requirement.
The fourth is using consumer-grade smart cameras with facial recognition for business surveillance — Wyze, Ring, Nest, and similar products often include facial detection or analytics features that, if enabled in an Illinois business context, can trigger BIPA. Turn those features off, or pick business-grade surveillance gear that does not perform facial geometry analysis.
A Practical Compliance Checklist
If your Chicagoland business already uses biometrics or is considering doing so, walk through this checklist before the next employee scans a finger or looks at a camera.
Inventory every system that touches biometric data. Time clocks, access controls, IT login systems, phone authentication, security cameras with analytics, photocopier scanners, and any HR platform with optional biometric features should all be documented. Include vendor name, type of biometric collected, where data is stored, who has administrative access, and the retention period currently configured.
Publish a written retention and destruction policy. Post the policy on your public website (often at /biometric-policy or within the privacy policy) and include it in the employee handbook. State the categories of data collected, the purpose, the retention period (typically the duration of employment plus a defined wind-down), and the destruction process.
Update your employee onboarding paperwork. Add a specific, standalone BIPA notice and release that employees sign before their first scan. Track signatures in your HRIS or a dedicated document repository, with date and version of the policy referenced.
Audit your vendor contracts. Every contract with a vendor that processes biometric data must include language addressing the vendor's handling, retention limits, prohibition on resale, and breach notification obligations. Many older time-clock contracts predate the formal vendor-management language that BIPA implicitly requires.
Build an offboarding workflow. When an employee leaves, the IT or HR offboarding checklist must include a step to instruct the biometric vendor to destroy the individual's biometric records and obtain written confirmation. Document the completed destruction in the personnel file.
Review your cyber insurance policy. Many small business cyber policies now include explicit BIPA exclusions or sublimits. Confirm whether your policy covers BIPA claims, and if not, request a BIPA endorsement or shop for a carrier that includes it. We covered the broader cyber insurance landscape in our 2026 cyber insurance guide.
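As an added example (not from the original article or from 312 IT Consulting), the following Python audit runs the record-level checks the checklist above calls for over a constructed biometric inventory: a written release dated on or before the first scan, a destruction deadline computed as the earlier of separation and three years after the last interaction, and confirmed destruction for any record past that deadline. The field names, employee records and dates are assumptions, not a real HRIS export.

```python
"""Audit a biometric-data inventory against BIPA's consent and destruction rules."""
from datetime import date, timedelta

# BIPA's outer retention bound: three years after the individual's last interaction.
RETENTION_LIMIT = timedelta(days=3 * 365)

# Constructed sample inventory (hypothetical employees, dates and field names).
INVENTORY = [
    {"employee": "A. Example", "consent_signed": date(2023, 1, 9),
     "first_scan": date(2023, 1, 9), "last_interaction": date(2025, 6, 1),
     "separated": None, "destruction_confirmed": None},
    {"employee": "B. Example", "consent_signed": None,          # never signed a release
     "first_scan": date(2022, 3, 14), "last_interaction": date(2024, 2, 2),
     "separated": date(2024, 2, 2), "destruction_confirmed": None},
    {"employee": "C. Example", "consent_signed": date(2021, 7, 2),  # signed after first scan
     "first_scan": date(2021, 6, 28), "last_interaction": date(2021, 12, 31),
     "separated": date(2021, 12, 31), "destruction_confirmed": date(2022, 1, 15)},
]


def destruction_deadline(rec):
    """Earlier of: purpose satisfied (separation) or 3 years after last interaction."""
    by_retention = rec["last_interaction"] + RETENTION_LIMIT
    if rec["separated"] is not None:
        return min(rec["separated"], by_retention)
    return by_retention


def audit(inventory, today):
    """Return (employee, finding) pairs for every record that fails a check."""
    findings = []
    for rec in inventory:
        name = rec["employee"]
        if rec["consent_signed"] is None:
            findings.append((name, "no written release on file"))
        elif rec["consent_signed"] > rec["first_scan"]:
            findings.append((name, "release signed after first scan"))
        deadline = destruction_deadline(rec)
        if rec["destruction_confirmed"] is None and today > deadline:
            findings.append((name, f"destruction overdue since {deadline}"))
    return findings


if __name__ == "__main__":
    for employee, finding in audit(INVENTORY, date.today()):
        print(f"{employee}: {finding}")
```

Feed it the inventory exported from your time-clock or access-control vendor and run it as part of the offboarding checklist, so a missing destruction confirmation surfaces before the three-year bound is reached.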
When to Use Biometrics — and When to Skip Them
For many Chicago small businesses, the most cost-effective BIPA strategy is to not collect biometric data in the first place. Modern HR and timekeeping platforms — Paylocity, Paychex Flex, Gusto, ADP, Rippling, Justworks, and Deputy — all support clock-in by mobile app, PIN, badge, or geofence without ever capturing a fingerprint. Modern access-control systems like Brivo, Kisi, Verkada, and Openpath provide secure entry via mobile credentials, badges, or PIN codes that meet most small-business security needs without triggering BIPA.
Biometrics are worth the compliance overhead when they genuinely solve a problem badges and PINs cannot. A manufacturing floor with high turnover and routinely lost badges, a healthcare-adjacent operation where buddy-punching is a documented integrity issue, or a high-security data area where a stolen credential creates real risk are reasonable cases for biometric authentication. In those situations, implement the BIPA-required policies, consent flows, vendor agreements, and offboarding procedures before going live, not as a remediation effort after a complaint letter arrives.
If you already operate biometric systems without compliance in place, the path forward is not to panic-disable the systems mid-payroll cycle. The right move is to publish a policy, distribute and collect written consent from current users, configure the vendor's retention settings to match your policy, and document everything. Doing all of that within a defined remediation window dramatically improves your legal posture against any potential claim — courts and plaintiffs' counsel treat retroactive good-faith compliance very differently from continued silence.
Frequently Asked Questions
What is Illinois BIPA and who does it apply to?
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the strictest biometric privacy law in the United States. It applies to any private entity — including small businesses, regardless of size — that collects, captures, stores, or uses biometric identifiers (fingerprints, retina or iris scans, voiceprints, face geometry, or hand scans) of any Illinois resident. A Chicago small business that uses a fingerprint time clock, a facial-recognition door access system, or a voice authentication tool is subject to BIPA, even if it has only a few employees. The 2024 amendment (Public Act 103-769) limited per-scan damages but did not narrow who BIPA applies to.
What are the penalties for violating BIPA?
BIPA allows private lawsuits — meaning any affected individual can sue without needing to prove actual harm. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees. Following the 2024 amendment, repeated scans of the same individual under the same procedure now count as a single violation rather than one per scan, which reduces the largest verdicts but still leaves Chicagoland small businesses exposed to five- and six-figure liability from a single class action. Many BIPA settlements against small and mid-size Illinois employers have landed in the $200,000–$2 million range.
What does a BIPA-compliant written consent process look like?
BIPA requires three things before you collect any biometric data: a written, publicly available retention and destruction policy, written notice to the individual explaining what biometric data will be collected and the specific purpose and length of storage, and a written release signed by the individual (or their legally authorized representative). "Public availability" generally means posting your retention and destruction policy on a website or in an employee handbook. Verbal consent does not count. Click-to-accept consent is acceptable for digital workflows, but the language must clearly disclose the biometric collection, the purpose, the third-party processor (if any), and how long the data will be kept.
Do I need a BIPA policy if my time clock vendor stores the fingerprints?
Yes. BIPA liability follows the entity that "collects, captures, or otherwise obtains" biometric data — which is the employer, even if the technology vendor performs the actual storage. Several large BIPA settlements have come from Illinois employers whose timekeeping vendors handled the fingerprint templates but where the employer never published a retention and destruction policy or obtained written employee consent. You also need a written contract with the vendor that addresses biometric data handling, retention limits, and prohibition on resale or independent disclosure. Treat the time clock vendor as a data processor and your business as the responsible party.
What is the safest biometric alternative for a small business that wants to avoid BIPA risk?
If your business does not need biometrics, the simplest risk reduction is to use a non-biometric alternative — PIN codes for time clocks, badge readers or proximity cards for door access, and password or hardware token authentication for IT systems. Modern badge-based timekeeping platforms from Paylocity, Paychex Flex, Gusto, ADP, Rippling, and Justworks support clock-in by mobile app, PIN, or RFID without ever touching biometric identifiers, eliminating BIPA exposure entirely. If biometrics meaningfully improve operations — for example, a manufacturing floor where badges are routinely lost or shared — then implement BIPA-compliant consent, retention, and destruction practices before going live, not after.
Get Your Chicago Business BIPA-Ready Before the Next Audit
312 IT Consulting helps Chicagoland small and mid-size businesses inventory their biometric systems, draft and publish BIPA-compliant retention and destruction policies, design employee consent workflows, and configure vendor settings so your time clocks, door readers, and security systems meet Illinois law. Whether you are implementing a new biometric system or remediating an existing one without consent in place, we handle the technical and operational side so your legal counsel can focus on the paperwork. Call (224) 382-4084 or contact us to schedule a free BIPA readiness consultation. This article is general information only and is not legal advice — always work with qualified Illinois counsel on specific compliance questions.