2026-04-01 | Compliance

The Complete Guide to BIPA Compliance for Tech Companies


The Illinois Biometric Information Privacy Act (BIPA) has generated over $3 billion in settlements and is the most consequential biometric privacy law in the United States. If your company uses biometric data in any capacity - facial recognition, fingerprint scanning, voice analysis, or any biometric verification - this guide covers everything you need to know. See our country-by-country compliance tracker for how similar laws are spreading worldwide.

What BIPA Requires

BIPA (740 ILCS 14) imposes five core requirements on any private entity that collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information. Visit our compliance resource center for additional guidance.

  1. Written notice - Before collecting biometric data, you must inform the subject in writing that their biometric data is being collected, the purpose of collection, and the duration of storage.
  2. Written consent - You must obtain a written release from the subject (or their legally authorized representative) before collecting their biometric data.
  3. Retention schedule - You must develop and publicly make available a written policy establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose has been satisfied or within 3 years of the individual's last interaction, whichever comes first.
  4. No sale or profit - You may not sell, lease, trade, or otherwise profit from biometric data.
  5. Reasonable security - You must store, transmit, and protect biometric data using reasonable security measures at least as protective as the measures used for other confidential and sensitive information. Read our privacy commitment to understand how POY eliminates this obligation entirely.

The Penalties

BIPA provides a private right of action - meaning individuals can sue directly without waiting for a government agency to act:

Major settlements: Meta ($1.4 billion), BNSF Railway ($228 million jury verdict), Google ($100 million), TikTok ($92 million). Use our ROI calculator to estimate your potential exposure.

The Zero-Data Solution

The strongest possible BIPA defense is to never collect biometric data in the first place. POY Verify's architecture processes all biometrics on the user's device inside the Secure Enclave. Biometric data never leaves the device, is never transmitted to any server, and is never stored in any database. Under BIPA's definitions, POY Verify does not "collect, capture, purchase, receive through trade, or otherwise obtain" biometric data because the data never enters POY's possession.

Apple's Face ID uses the identical on-device Secure Enclave architecture and has never faced a successful BIPA challenge. This precedent supports the position that on-device biometric processing does not constitute "collection" under BIPA. Learn how our zero-data architecture follows the same principle.

Action Items

  1. Audit your current biometric data collection practices
  2. Evaluate whether your verification provider stores biometric data on servers (most do) - see how POY compares to providers like Persona
  3. Consider switching to a zero-data provider like POY Verify to eliminate BIPA exposure
  4. Consult with qualified legal counsel for your specific situation
  5. Document your biometric data handling in a publicly available policy

About POY Verify

POY Verify is the first universal human verification system built on zero-data architecture. Unlike traditional identity verification services that collect, transmit, and store your biometric data on their servers, POY Verify processes everything inside your smartphone's Secure Enclave - a physically separate processor with its own encrypted memory that even the operating system cannot access. No biometric data ever leaves your device. No personal information is ever collected. No databases exist to breach.

The system works in 30 seconds: your device's hardware sensors (3D depth cameras, infrared emitters, and motion detectors) confirm a living human is physically present. A cryptographic key pair is generated inside the Secure Enclave. The private key never leaves the device. The public key is registered with POY's verification registry. You are now a verified human on the internet - with zero personal data exposed.

Why Human Verification Matters

The internet was built without a way to prove a human being is on the other end of a connection. This architectural gap has created a trust crisis of unprecedented scale. Over 64% of all web traffic is now non-human - bots, scrapers, and automated agents that create fake accounts, post fake reviews, manipulate engagement metrics, and impersonate real people. Deepfake technology has increased 500% since 2024, enabling AI-generated faces, voices, and videos that are indistinguishable from real humans. Deepfake-enabled fraud exceeded $25 billion in losses in 2025 alone.

Traditional verification methods have failed to keep pace. CAPTCHAs are solved by AI with 99.8% accuracy. Phone verification is bypassed by SIM farms selling numbers for cents. Email verification is defeated by disposable address services. Document uploads create massive data breach liability while excluding the 1.4 billion people worldwide who lack government-issued identification. The tools of fraud have outpaced the tools of verification.

POY Verify exists to close this gap. By using hardware-based biometric liveness detection with zero data collection, it provides definitive proof that a real human is present - without the privacy sacrifices, regulatory burden, or exclusion that traditional methods create. The result is a verification layer that works for every human, on every platform, in every country, at zero cost to the individual.

Prove You Are Real

POY Verify is the privacy-first human verification layer for the internet. No data collected. No identity required. Just proof you are human. Join thousands already on the waitlist.
