Illinois BIPA compliance is not optional, and it is not cheap to get wrong. The Biometric Information Privacy Act gives employees a private right of action for every unconsented biometric scan, with per-violation damages of $1,000 to $5,000. For a time clock that fingerprints 30 employees daily over six months without proper consent, the math gets uncomfortable fast. This guide explains what BIPA requires for biometric time clocks, how to comply, and why many small businesses are choosing non-biometric alternatives instead.
What Illinois BIPA covers
The Illinois Biometric Information Privacy Act (740 ILCS 14, effective 2008) is the strictest biometric privacy law in the United States. It applies to private entities that collect, capture, purchase, receive, or otherwise obtain biometric identifiers or biometric information from Illinois residents.
What counts as biometric data under BIPA
- Fingerprints and fingerprint scans.
- Retina or iris scans.
- Voiceprints.
- Hand scans (including hand geometry).
- Face geometry (the mathematical mapping of facial features used in face-recognition systems).
Photographs are not biometric identifiers under BIPA. A selfie or a kiosk photo for visual verification purposes does not trigger BIPA obligations by itself. However, if that photo is processed through a facial-recognition algorithm to produce a facial geometry map, BIPA applies to the output.
What Illinois BIPA compliance requires before collecting biometrics
Before a business can enroll an employee in a biometric time clock, it must complete three steps. All three must happen before the first scan. The order matters.
Step 1: Publish a written retention and destruction policy
The employer must have a publicly available written policy that establishes a retention schedule and guidelines for permanently destroying biometric data. The policy must specify:
- What biometric data is collected and why.
- How long it will be stored (no longer than 3 years or when the employment purpose is fulfilled, whichever comes first).
- How it will be destroyed at the end of the retention period.
“Publicly available” in practice means posting it on your website or making it available in writing on request. It does not need to be a complex document, but it must exist and be accessible.
Step 2: Inform employees in writing
Before collection, the employer must inform each employee in writing:
- That biometric data is being collected or stored.
- The specific purpose for which it is being collected.
- The length of time for which it will be stored.
Step 3: Obtain a written release
The employee must sign a written release authorizing the collection and storage of their biometric data. The release must be signed before the first scan. A blanket employment agreement that mentions biometrics somewhere in the fine print is not sufficient. Courts have interpreted BIPA’s consent requirement strictly.
Ongoing BIPA obligations
Compliance is not a one-time checkbox. BIPA imposes continuing obligations while biometric data is in your possession.
- No sale or profit from biometric data. BIPA prohibits selling, leasing, trading, or otherwise profiting from biometric data. This also means you cannot transfer the data to a third party without a separate written release from the employee unless required by law or contract (e.g., a payroll provider who processes the data on your behalf).
- Reasonable care standard. Biometric data must be stored, transmitted, and protected with the same level of care as other confidential and sensitive data. If your other sensitive data (social security numbers, bank account numbers) are encrypted in transit and at rest, your biometric data must be too.
- Destruction schedule.Biometric data must be permanently destroyed within 3 years of last use, or when the initial purpose is fulfilled (e.g., when employment ends), whichever comes first. A terminated employee’s fingerprint template must be deleted, not archived.
The Illinois BIPA penalty math
BIPA creates a private right of action, meaning employees (and plaintiff’s class action attorneys) can sue directly without first filing with a government agency.
- $1,000 or actual damages (whichever is greater) for each negligent violation.
- $5,000 or actual damages (whichever is greater) for each intentional or reckless violation.
- Attorney’s fees and costs if the plaintiff prevails.
Courts have generally found that each individual biometric scan constitutes a separate violation. For a 30-person team that clocks in twice daily (once in, once out) without proper consent, over a 180-day period, the theoretical exposure at $1,000 per scan is: 30 employees x 2 scans x 180 days = 10,800 violations, or $10.8 million at the negligent rate. Class action suits in Illinois have settled for eight-figure amounts.
Vendor and third-party liability
If you purchase a biometric time clock from a vendor, the vendor may also face independent BIPA liability for collecting or processing data without your employees’ consent. However, purchasing a non-compliant time clock does not insulate the employer. Both the hardware vendor and the employing business can be defendants in the same lawsuit.
Before deploying any biometric system, ask the vendor for:
- A copy of their BIPA compliance documentation.
- Confirmation of their data retention and destruction schedule.
- A data processing agreement (DPA) that explicitly covers biometric data handling.
Non-biometric alternatives for Illinois employers
Most small businesses in Illinois are choosing non-biometric time clocks, not because GPS or PIN-based kiosks are less reliable, but because they achieve the same goal (confirming the right employee is clocking in) without BIPA exposure.
GPS + geofencing
Employees clock in from their own phones. The app records their GPS coordinates and checks them against a geofence drawn around each job site. Out-of-bounds clock-ins are blocked or flagged. No biometric data is collected. See our GPS time clock setup guide for how to configure geofences.
Kiosk + 4-digit PIN
A tablet at the door runs kiosk mode. Employees punch in with a PIN. No personal device required. For teams where PIN-sharing is a concern, kiosk mode can be combined with an exception inbox that flags unusual patterns (multiple employees using the same PIN in quick succession, clock-ins far outside scheduled shifts). See how to set up a tablet kiosk for step-by-step instructions.
Kiosk + selfie verification
A tablet kiosk that captures a photo on each punch provides visual verification for managers without triggering BIPA (photos are not biometric identifiers). The photo is attached to the timesheet entry; managers can review it in the exception inbox. This is a common middle ground for teams that want visual accountability without biometric enrollment.
For a full comparison of buddy-punch prevention methods ranked by friction and BIPA risk, see our guide on stopping buddy punching.