BIPA and the University: Illinois’ Biometric Law at the Door

No biometric privacy law has generated more litigation than Illinois’ Biometric Information Privacy Act. Employers have paid nine-figure settlements over fingerprint time clocks. So when a campus in Illinois — or one enrolling Illinois residents — proposes facial authentication, BIPA is the statute that decides how the project gets built.

The core of it: BIPA (740 ILCS 14) requires informed written consent before collecting a biometric identifier, a publicly available retention-and-destruction policy, and reasonable safeguards — and it gives individuals a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless one. A deployment survives BIPA the same way it earns student trust: opt-in consent, minimal data, documented destruction.

What does BIPA actually require?

Strip away the case law and BIPA asks five things of a private entity handling biometric identifiers:

  • A written policy, publicly available, with a retention schedule and destruction guidelines.
  • Informed written consent — a release obtained after disclosing what is collected, why, and for how long.
  • No profit — biometric data cannot be sold, leased, or traded. Ever.
  • No disclosure without consent or narrow legal exceptions.
  • Reasonable care in storage — at least the standard used for other confidential data.

Note what BIPA does not do: it doesn’t ban biometrics. It bans unconsented biometrics. A deployment that is opt-in by design, records consent at enrollment, and publishes its retention policy is working with the statute’s grain.

Does BIPA apply to universities?

BIPA applies to private entities and expressly excludes state and local government agencies. Illinois courts have generally treated public universities as arms of the state for this purpose, which has led suits against public institutions to be dismissed on that ground — while private universities in Illinois get no such exclusion and face the statute in full. A second caution: the exclusion protects the agency, not necessarily its vendors, so a technology provider collecting biometrics on a public campus can carry its own exposure.

Either way, the safest posture for any institution is to behave as if BIPA applies — because its requirements simply describe a well-run biometric program, and your students’ expectations travel with them regardless of jurisdiction.

What did the case law teach?

BIPA’s private right of action is what separates it from every other biometric statute. Plaintiffs long argued each scan was a fresh violation — a reading the Illinois Supreme Court accepted in Cothron v. White Castle, producing theoretical damages in the billions for one employer, before a 2024 amendment limited recovery to a single violation per person for repeated identical scans.

The lesson for campus teams isn’t the arithmetic. It’s the pattern in the complaints: nearly every BIPA defendant collected biometrics first and thought about consent second. Time clocks that fingerprinted employees on day one. Photo services that templated faces nobody submitted for that purpose. The failure mode is silent, default-on collection — precisely what facial authentication, as opposed to facial recognition, refuses to do.

How does architecture become your compliance posture?

Every BIPA obligation gets easier when the system holds less. A deployment on the Alcatraz Platform maps to the statute directly: enrollment is strictly opt-in, with consent recorded, auditable, and revocable, and a badge fallback at every door for anyone who declines. Revocation deletes the template, giving your written destruction policy a mechanism instead of a promise. The face becomes an encrypted, non-reconstitutable mathematical template — no photos, names, or videos stored on the Rock X reader, matching at the edge in under a second. Storage runs AES-256 at rest and TLS 1.2/1.3 in transit, with SOC 2 attestation for the auditor.

One limit worth naming: architecture can’t write your policy for you. The published retention schedule, the consent language, and the incident plan are institutional documents — start from the consent form guide and the privacy-first playbook, not the spec sheet.

If your counsel wants to see the consent flow rather than read about it, book a demo — the enrollment and revocation screens are usually the first thing they ask for.

Frequently asked questions

Does BIPA apply to public universities in Illinois?

BIPA excludes state and local government agencies, and Illinois courts have generally treated public universities as state agencies — while private universities remain fully covered and vendors may carry their own exposure. Best practice is to meet BIPA's requirements regardless.

What are the penalties for a BIPA violation?

BIPA grants a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees. After a 2024 amendment, repeated identical scans of the same person generally count as one violation rather than accruing per scan.