
Illinois BIPA: Biometric Consent and Face-Geometry Compliance
Definition: The Illinois Biometric Information Privacy Act (740 ILCS 14) regulates the collection, storage, and use of biometric identifiers such as face geometry, requiring informed written consent and a retention schedule.
TL;DR: BIPA requires consent before collecting biometric identifiers and gives individuals a private right of action: $1,000 per negligent and $5,000 per intentional violation. SB 2979, signed 9 August 2024, limited how per-scan violations stack. Identity verification flows that touch face geometry must be designed around it.
What BIPA requires
Before collecting face geometry or similar biometrics, an entity must inform the person in writing, state the purpose and retention period, and obtain a written release. It must also publish a retention-and-destruction schedule. The private right of action is what gives BIPA teeth: individuals sue directly.
What SB 2979 changed
Signed 9 August 2024, SB 2979 addressed the stacking problem where each scan counted as a separate violation, which had produced enormous class-action exposure. It limits that accumulation, but the consent and retention duties remain fully in force.
Designing KYC and capture flows
Provenance and biometrics intersect in identity verification. A signed receipt of a selfie capture can carry a CAWG identity assertion without storing raw biometric templates beyond what consent and retention allow. The design goal is to prove a capture happened and was not replayed, while keeping biometric handling inside BIPA's consent and retention rules.
The incident behind this
Face-geometry capture sits at the center of KYC deepfake bypass, where attackers inject synthetic faces into onboarding. BIPA shapes how any face-based verification can be built in Illinois.
Regulatory mapping
| Regime | Effective | Bite | Why it applies |
|---|---|---|---|
| Illinois BIPA (740 ILCS 14) | In force | $1,000 negligent / $5,000 intentional per violation | Collection of biometric identifiers |
| SB 2979 | 9 Aug 2024 | Limits stacking | Per-scan violation accumulation |
FAQ
Does signing a selfie trigger BIPA?
Collecting or deriving face geometry can. Provenance signing of the capture event is separate from biometric template handling; design so consent and retention rules govern any biometric data.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: BIPA makes face-geometry capture a consent-and-retention problem with a private right of action. Build identity flows so you can prove capture integrity without mishandling biometric data.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.