Did your job ever scan your fingerprint, your hand, or your face to clock you in? In Illinois, that might be worth $1,000 to $5,000 — and you might be able to collect without needing to prove any harm at all.

Biometric privacy law is one of the most employee-friendly areas of law in the United States right now, and Illinois is leading the way. Companies that collected biometric data without following the rules are paying out millions in settlements every year. Here's what you need to know.

What Is BIPA?

The Illinois Biometric Information Privacy Act (BIPA) was passed in 2008, making Illinois the first state in the nation to give private citizens legal protection over their biometric data. At the time, it was a forward-thinking piece of legislation. Today, it's the most powerful tool employees have against employers who collected their fingerprints, facial scans, or other biometric data without consent.

BIPA requires any private company that collects or uses biometric data to:

  • Inform employees or customers in writing before collecting their biometric information
  • Explain the specific purpose and length of time the data will be stored
  • Obtain a written release (consent) before collection
  • Develop and follow a written retention and destruction policy
  • Never sell, lease, or profit from biometric data
  • Protect biometric data with the same standard of care as other sensitive data

If a company violated any of these requirements — even with no malicious intent, even if your data was never misused — you can sue. And the statutory damages are significant.

What Counts as Biometric Data Under BIPA?

BIPA covers any biologically derived identifier that is unique to an individual:

  • Fingerprints (the most common workplace application)
  • Hand geometry (hand-scan timeclocks that map the shape of your hand)
  • Retina and iris scans
  • Facial geometry (facial recognition timeclocks, photo-based attendance systems)
  • Voiceprints

If your employer used any of these to track attendance, control building access, or authenticate identity — and didn't follow BIPA's consent and notification rules — they may owe you money.

The Three Tiers of BIPA Violations

BIPA has built-in statutory damages, meaning you don't have to prove actual harm to collect. The violation itself is enough. Damages are tiered by how serious the violation was:

  1. Negligent violation: $1,000 per violation (or actual damages, whichever is greater). This applies when the company failed to comply but wasn't acting with intent.
  2. Intentional or reckless violation: $5,000 per violation. This applies when the company knowingly or recklessly disregarded BIPA's requirements.
  3. Injunctive relief: Courts can also order companies to stop the practice and delete biometric data, even without a monetary award.

In class actions, the "per violation" calculation is important. Courts have debated whether each scan constitutes a separate violation (which could result in massive damages for a company with thousands of employees using a daily fingerprint timeclock) or whether one violation per person is the right measure. Recent Illinois Supreme Court decisions have generally favored the per-scan approach.

Current Open BIPA Settlement: EasyWorkforce

One of the most accessible BIPA settlements currently open is the EasyWorkforce Biometric Privacy Settlement.

What happened: EasyWorkforce provides workforce management software including fingerprint-based timeclock systems to employers. The company allegedly collected and stored employee fingerprints without obtaining the required written consent under BIPA and without maintaining a compliant biometric data policy.

Who qualifies: Illinois employees who used an EasyWorkforce fingerprint or biometric timeclock system during the relevant period.

Payout: $160 to $750, depending on the violation tier applicable to your claim.

Deadline: March 31, 2026

Documentation needed: None. Self-certification that you were an Illinois employee who used the system is sufficient.

Other States With Biometric Privacy Laws

BIPA is the strongest, but Illinois is not alone. Several other states have enacted or are developing biometric privacy protections:

Texas — CUBI (Capture or Use of Biometric Identifier Act)

Texas enacted its biometric privacy law in 2009. Like BIPA, it requires consent before collecting biometric identifiers. However, it does not provide a private right of action; only the Texas Attorney General can enforce it. This means individual Texans can't bring lawsuits directly, though AG enforcement actions can still result in significant changes.

Washington — My Health My Data (MHMD)

Washington's 2023 My Health My Data Act specifically covers consumer health data, including biometric information. Unlike BIPA, it focuses on health-adjacent data. Washington has a private right of action for some violations.

New York City — Local Biometric Identifier Law

New York City passed a biometric information law in 2021 covering commercial establishments (retailers, food service, entertainment venues). Companies must post signs informing customers if they're collecting biometric data. NYC residents who were subject to unconsented collection in commercial settings have claims similar to BIPA.

Other States to Watch

California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and several other states include biometric data in their broader privacy laws, though typically without the same statutory per-violation damages that make BIPA so powerful for class actions.

How to Know If You Have a BIPA Claim

Ask yourself these questions:

  1. Did you work in Illinois? BIPA only covers employees of companies operating in Illinois. You don't need to be an Illinois resident — just employed there.
  2. Did your employer use a biometric timeclock or access system? This includes fingerprint scanners, hand-geometry readers, or facial recognition systems for clocking in/out or building access.
  3. Were you employed on or after October 3, 2008? That's when BIPA took effect.
  4. Did you sign a written consent form specifically for biometric data collection? If you can't remember signing something like that — or if you're certain you didn't — that's a red flag.

If the answer to questions 1 through 3 is "yes" and the answer to question 4 is "no" or "I'm not sure," you likely have a BIPA claim worth pursuing.

Famous BIPA Settlements You May Have Heard Of

BIPA has generated some of the largest privacy settlements in U.S. history:

  • Facebook (Meta) — $650 million: Facebook's facial recognition feature "Tag Suggestions" scanned faces in photos without consent. The 2021 settlement remains one of the largest privacy settlements ever.
  • BNSF Railway — $75 million: The freight railroad used fingerprint scanners for facility access without written consent. Settled in 2023.
  • Six Flags — $36 million: An amusement park that required fingerprint scans for season pass holders settled after years of litigation.
  • L.A. Tan — $5.25 million: Tanning salon chain required biometric check-in.

These settlements range from hundreds to thousands of dollars per class member, depending on the fund size and number of claims filed.

What to Do If You Think You Have a Claim

Don't wait for a notice letter. If you worked in Illinois and used a fingerprint or biometric timeclock, check whether your employer has been named in a BIPA lawsuit by searching the settlement databases.

Take the 60-second eligibility quiz to find BIPA and biometric privacy settlements that match your employment history. Or browse all open biometric privacy settlements to see the full current list.

BIPA claims have strict statutes of limitations — in Illinois, five years from the last violation. But with new settlements opening regularly and old ones closing, checking now is always better than checking later.