From facial recognition tracking to fingerprint data breaches, learn how to fight back against unauthorized biometric data collection. Illinois BIPA protections, Meta $1.4B Texas settlement, Clearview AI judgments, and GDPR Article 9 special category data rights.
Your face, fingerprints, iris patterns, voiceprint, and even your DNA are unique biological identifiers—far more sensitive than passwords or credit card numbers, because they cannot be changed if stolen or misused. Yet companies increasingly collect this biometric data with minimal oversight, embedding facial recognition in social media apps, using fingerprint scans for workplace timeclocks, deploying iris scanners for building access, and scraping billions of photos from the internet to build surveillance databases—often without clear consent, adequate security, or disclosure of how the data will be used or shared.
The consequences of unauthorized biometric data collection are severe. Once your facial geometry or fingerprint template is stolen in a data breach, criminals can use it for identity theft forever—you cannot get a new face or new fingerprints. Biometric surveillance systems enable pervasive tracking of your movements through public spaces, stores, and workplaces without your knowledge. Discriminatory algorithms embedded in facial recognition systems misidentify minorities at alarming rates, leading to wrongful arrests (at least six documented cases in the U.S. as of 2024). Companies profit by selling your biometric data to advertisers, data brokers, and even authoritarian governments.
Illinois led the way in 2008 by enacting the Biometric Information Privacy Act (BIPA), the nation's strongest biometric privacy law, which grants individuals a private right of action to sue companies that collect biometric data without written consent and disclosure. BIPA provides statutory damages of $1,000 per negligent violation and $5,000 per reckless/intentional violation—meaning no proof of actual harm is required. Texas followed with the Capture or Use of Biometric Identifier (CUBI) Act (2023 amendments strengthened enforcement). California's CCPA classifies biometric data as sensitive personal information requiring heightened protections. And the European Union's GDPR Article 9 treats biometric data as "special category" data requiring explicit consent and strict security.
Major settlements have validated these protections: Meta paid $1.4 billion to Texas (2024) for collecting facial recognition data without consent, the largest privacy settlement by a single state. Meta previously paid $650 million to settle an Illinois BIPA class action over Facebook photo tagging. Clearview AI paid $50 million to settle Illinois claims for scraping billions of photos. Google paid $100 million for Google Photos facial recognition (Illinois). Amazon Ring, Six Flags, Snapchat, TikTok, and dozens of employers have paid BIPA settlements ranging from $500,000 to $100 million. Individual BIPA claims regularly yield $5,000-$15,000 per person. This guide shows you how to identify biometric privacy violations, understand your rights, and pursue every avenue for compensation.
Illinois BIPA (740 ILCS 14/) is the strongest biometric privacy law in the U.S. It applies to any private entity that collects, captures, stores, or uses biometric identifiers (facial geometry, fingerprints, voiceprints, iris scans, retina scans, hand scans, gait recognition) of Illinois residents—even if the company is based elsewhere. Companies must: (1) develop and publish a written retention and destruction policy; (2) provide written notice that biometric data is being collected; (3) obtain written consent; (4) never sell, lease, or profit from biometric data; (5) use reasonable care to protect biometric data (same standard as financial data).
BIPA's key power: a private right of action. You can sue directly in Illinois state court without filing an administrative complaint. Damages: $1,000 per negligent violation, $5,000 per intentional/reckless violation, plus attorney's fees. No proof of actual harm is required—the violation itself creates a claim. Courts have ruled that each scan can be a separate violation (e.g., if an employer scanned your fingerprint 500 times for a timeclock over 2 years, potential damages are $500,000-$2.5M, though courts typically award less). Statute of limitations: 5 years (some courts have applied a 1-year period to claims involving written releases; this area is complex).
Common BIPA Violations:
An employer requires a fingerprint scan without written consent. Facebook tags you in photos using facial recognition without consent. A security system scans your face for building entry without disclosure. A retailer uses facial recognition for customer tracking without notice. An app analyzes your voiceprint without consent.
Texas Business & Commerce Code Chapter 503 (strengthened 2023) protects biometric identifiers (facial geometry, voiceprint, retina/iris scan, fingerprint, hand scan, keystroke dynamics). Companies must: (1) inform individuals that biometric data is being captured; (2) obtain consent (can be in terms of service, but must be clear); (3) destroy data within reasonable time after purpose is fulfilled; (4) protect data with reasonable care. Prohibition: cannot sell, lease, or disclose biometric data without consent.
Enforcement: The Texas Attorney General can sue for injunctive relief and $25,000 per violation. Private right of action: individuals can sue for actual damages if they suffer harm, plus attorney's fees. Unlike Illinois BIPA, Texas CUBI requires proof of actual harm for private lawsuits (a harder burden), but state enforcement has been aggressive—the $1.4B Meta settlement was brought by the Texas AG under CUBI and the Texas DTPA. Class actions are possible.
Note:
Texas AG enforcement priorities (2024): Social media facial recognition, employee biometric tracking without consent, data breaches exposing biometric data, sale of biometric data to third parties.
CCPA (Cal. Civ. Code § 1798.100 et seq.) classifies "biometric information" (physiological, biological, or behavioral characteristics that can be used for identification, including facial imagery, iris scans, fingerprints, voiceprints, keystroke patterns, gait) as "sensitive personal information." Businesses must: (1) disclose collection of biometric data in privacy policy; (2) offer opt-out right (consumers can limit use to necessary purposes); (3) not sell biometric data without explicit opt-in consent. Violations: California Attorney General or Privacy Protection Agency can fine $2,500 per violation ($7,500 for intentional). Data breach: If biometric data is breached due to lack of reasonable security, consumers can sue for $100-$750 per incident, or actual damages (whichever is greater), plus attorney's fees. Unlike Illinois BIPA, CCPA does not provide statutory damages for collection without consent absent a data breach.
Washington's RCW 19.375 requires businesses that enroll consumers in biometric identifier systems to: (1) provide notice of the purpose and duration of enrollment; (2) obtain consent; (3) destroy data when the purpose is fulfilled or within 3 years. Violations are enforced by the Washington Attorney General under the Consumer Protection Act: up to $7,500 per violation. Private right of action: consumers can sue for actual damages, injunctive relief, and attorney's fees if they suffer harm. Stronger than CCPA, but weaker than Illinois BIPA (requires proof of harm for individual damages).
GDPR Article 9 classifies biometric data used for unique identification (facial recognition, fingerprint matching, iris scans, DNA) as "special category" personal data requiring explicit consent (not just opt-in, but affirmative, informed, freely given consent) or another Article 9 exception (e.g., substantial public interest with legal basis). Controllers must conduct Data Protection Impact Assessments (DPIAs) for biometric processing. Security requirements are heightened.
Violations: Up to €20 million or 4% of global annual turnover (whichever is higher). Individuals can sue for material and non-material damages under Article 82 (EU courts have awarded €2,000-€10,000 for biometric GDPR violations causing emotional distress, higher if data breach or discrimination). Right to erasure (Article 17): you can demand deletion of your biometric data if consent was invalid or data is no longer necessary. National DPAs (Data Protection Authorities) enforce—file complaint with DPA in your EU country.
Major GDPR Fines:
Clearview AI (fines of €20M+ across multiple EU countries for its illegal facial recognition database), H&M (€35M for employee surveillance), British Airways (£20M for a biometric passport data breach).
No comprehensive federal biometric privacy law yet, but: (1) FTC Act Section 5: FTC can sue companies for unfair/deceptive practices if they collect biometric data contrary to privacy policy promises or without disclosure. Snapchat, TikTok, Facebook settled FTC complaints. (2) Children's Online Privacy Protection Act (COPPA): Prohibits collecting biometric data from children under 13 without verifiable parental consent. (3) Proposed federal laws: National Biometric Information Privacy Act (pending, modeled on Illinois BIPA), Fourth Amendment is Not For Sale Act (restricts government purchase of biometric data). (4) Federal agencies: HHS HIPAA covers biometric data collected by healthcare entities. TSA facial recognition at airports subject to Privacy Act—limited remedies.
Texas Attorney General sued Meta (Facebook) under Texas CUBI and Deceptive Trade Practices Act for collecting millions of Texans' facial recognition data through photo tagging without consent. Facebook's facial recognition feature automatically scanned faces in uploaded photos to suggest tags, collecting facial geometry. Settlement: $1.4 billion (largest privacy settlement by a single state), paid over 5 years. Meta agreed to stop using facial recognition in Texas without explicit consent, delete previously collected data, and submit to monitoring. Significance: Proved that state AGs can secure massive damages under state biometric laws even when federal law is absent.
Class action Patel v. Facebook alleged Facebook's photo tagging facial recognition violated Illinois BIPA by collecting and storing facial geometry without written consent from 1.6 million Illinois users. Federal court approved $650M settlement ($397 average per person, with some receiving $300-$500 depending on years of use). Requirements: Illinois resident with Facebook account during June 2011-Aug 2021 where you or friends appeared in photos. Significance: Largest BIPA settlement and largest privacy class action at the time. Established that automatic facial recognition of photos, even if uploaded by friends (not by you), triggers BIPA consent requirements.
Clearview AI scraped 30 billion photos from social media, websites, and public internet to build facial recognition database sold to law enforcement and private companies. Illinois residents sued under BIPA. Settlement (2024): $50M (paid in Clearview stock to class members—controversial structure), plus nationwide injunction: Clearview prohibited from selling access to database to private companies in U.S., must notify individuals if their biometric data is in database and allow opt-out. Separate settlements: ACLU settlement restricted Clearview's use. Multiple EU countries fined Clearview €20M+ under GDPR. Ongoing cases in California, Vermont. Significance: Established that scraping public photos to build facial recognition database violates BIPA even if photos were publicly posted.
Class action alleged Google Photos' facial recognition grouping feature ("face clustering" to organize photos by person) violated BIPA by collecting and storing facial geometry without written consent. Settlement: $100M for Illinois residents who used Google Photos and were depicted in photos between May 2015-April 2023. Average payout: $150-$400 per person. Google agreed to provide clearer BIPA disclosures and obtain consent before facial recognition in Illinois. Significance: First major BIPA settlement against Google, shows cloud photo services subject to BIPA.
FTC sued Amazon for Ring doorbell cameras: (1) giving employees unrestricted access to customer video recordings, including intimate moments; (2) using facial recognition on customer videos to train AI without consent; (3) security failures leading to hackers accessing cameras. Settlement: $5.8M for consumer redress. Amazon agreed to delete data improperly collected, implement privacy safeguards, and stop using customer videos for AI training without explicit consent. Significance: Established FTC will enforce biometric privacy under Section 5, even absent specific federal biometric law.
Rosenbach v. Six Flags (Illinois Supreme Court 2019) established key BIPA precedent: Six Flags scanned teenager's fingerprint for season pass without written consent or disclosure. Illinois Supreme Court ruled: BIPA violation occurs at the moment of collection without consent—no proof of actual harm required (overturning lower court dismissal). Subsequent class action settled for $36M (Illinois season pass holders 2013-2018 whose fingerprints were scanned). Average payout: $200-$400 per person. Significance: Landmark case establishing BIPA's power even without tangible harm.
Class action alleged Snapchat's augmented reality lenses/filters (puppy ears, face swaps, etc.) used facial recognition to map facial geometry without BIPA consent. Settlement: $35M for Illinois Snapchat users Jan 2015-Nov 2022 who used lenses. Average: $58 per person. Snapchat agreed to provide BIPA disclosures in Illinois. Significance: Established that "fun" AR filters collecting facial geometry are subject to BIPA—not exempt as "commercial entertainment."
Class action consolidated 21 lawsuits alleging TikTok: (1) collected facial recognition and voiceprint data without consent (Illinois BIPA claims); (2) shared data with China; (3) violated children's privacy. Settlement: $92M (2021) for U.S. TikTok users as of Oct 2021. Illinois BIPA claimants received enhanced payments ($167-$500 depending on activity level). TikTok agreed to stop certain data collection practices and provide clearer privacy disclosures. Significance: One of the first major BIPA settlements against a major Chinese-owned platform.
Hundreds of Illinois employers have been sued under BIPA for requiring fingerprint scans for timeclocks without written consent: McDonald's franchises ($50M settlement), Mondelez/Nabisco ($5M), trucking companies, warehouses, healthcare facilities. Most settle for $500-$5,000 per affected employee. Significance: Established that workplace biometric systems must comply with BIPA—employer-employee relationship does not create exemption. Practical impact: Most large Illinois employers now use badges instead of biometric timeclocks.
Biometric privacy cases require proving: (1) company collected/stored your biometric data, (2) without proper consent/disclosure, (3) in violation of applicable law. Here's how to gather evidence:
Document what biometric data was collected: Facial recognition (security cameras, app filters, photo tagging), fingerprint scan (timeclocks, building access, phone unlock), iris/retina scan (airport security, high-security access), voiceprint (voice assistants, call centers), gait recognition (surveillance systems). Evidence: Take photos of devices/signs, screenshot app permissions showing biometric access, review privacy policies mentioning facial recognition or biometric data.
For Illinois BIPA claims, you must show company did NOT provide: (1) written disclosure that biometric data was being collected, (2) written disclosure of purpose and duration of storage, (3) written consent (signature or checkbox agreeing to biometric collection). Evidence: Show you never signed a biometric consent form. If consent was "buried" in general terms of service or privacy policy without specific biometric section, that often does NOT satisfy BIPA's "written disclosure and consent" requirement (courts have ruled BIPA requires separate, specific disclosure—not general privacy policy language). If employer implemented fingerprint timeclock without training or consent forms, that's strong evidence. Check hiring paperwork—if no biometric consent, you have a claim.
Illinois BIPA: You must be Illinois resident or employee of Illinois facility. Texas CUBI: Texas resident. CCPA: California resident. GDPR: EU resident or your data was processed by controller in EU. Evidence: Prove residency (utility bill, driver's license, employment records showing Illinois worksite). Illinois BIPA applies even if company is based elsewhere—if you live/work in Illinois and they collected your biometric data, BIPA applies.
Show company actually collected/stored biometric data: Screenshot of Facebook photo tag suggestions with your name. Fingerprint timeclock punch records (request from employer under data access rights). App requesting facial recognition permission. Surveillance camera footage (request under GDPR Article 15 / CCPA access right). Biometric data breach notification (if company notified you of breach). Expert testimony (forensic analysis showing app uses facial recognition even if not disclosed).
Illinois BIPA: NO proof of harm required—violation itself creates claim. Texas CUBI private action: Must prove actual harm (emotional distress, time/expense to address violation, identity theft risk). CCPA: Must prove data breach or actual harm. GDPR: Can recover for "non-material damage" (emotional distress, anxiety) without financial harm. Document harm: Medical records for anxiety/therapy related to violation. Time spent addressing issue (hours × reasonable hourly rate). Evidence of identity theft attempts if biometric data breached. Screenshots of harassing contact if stalking risk created.
For higher BIPA damages ($5,000 intentional vs $1,000 negligent): Show company knew about BIPA. Evidence: Company has Illinois employees/customers (should know about BIPA). Prior BIPA lawsuits against company or industry. BIPA compliance clauses in company contracts. Internal emails discussing BIPA (discoverable in litigation). If company ignored BIPA after being notified, that's reckless/intentional.
Check: (1) Did company collect your facial recognition, fingerprint, iris scan, voiceprint, or other biometric data? (2) Are you in a protected jurisdiction (Illinois, Texas, California, EU, etc.)? (3) Did you give proper written consent (for BIPA, this means separate disclosure and consent—not just general terms)? (4) Did company follow required procedures (retention policy, destruction timeline, security measures)? If company collected biometric data in Illinois without written BIPA consent, you almost certainly have a claim—consult attorney immediately (5-year statute of limitations, but don't delay).
Request your data to gather evidence: Illinois: Send written request citing BIPA Section 15(c) asking for: (1) all biometric data collected, (2) written retention and destruction policy, (3) list of third parties with whom biometric data was shared, (4) dates of collection and storage. California CCPA: Request "specific pieces of personal information" including biometric data, sources, third-party recipients. EU GDPR Article 15: Request all biometric data, processing purposes, recipients, retention period, existence of automated decision-making. Companies must respond within 30-45 days. Refusal to provide data is additional evidence of violation.
Before filing individual lawsuit, check if class action exists for your situation: Search "[Company Name] BIPA class action" or "[Company Name] biometric lawsuit". Check classaction.org, topclassactions.com, ilbipalitigation.com. Illinois BIPA lawsuits: Many pending against employers (manufacturing, healthcare, retail), tech companies (apps with facial recognition), landlords (building access systems). If class action exists and you qualify, joining is simple (file claim form when settlement approved). If no class action but many people affected, attorney may file class action (more leverage for settlement).
Find attorney specializing in: BIPA litigation (Illinois), privacy law, consumer protection, employment law (for workplace biometric claims). Most BIPA attorneys work on contingency (33-40% of recovery, no upfront fee) because: BIPA allows prevailing plaintiffs to recover attorney's fees from defendant. Statutory damages ($1,000-$5,000 per violation) make cases economically viable even without proof of harm. Initial consultation usually free. Attorney will evaluate: strength of claim, defendant's assets (no point suing judgment-proof small business), whether to file individual or class action, potential settlement value.
Illinois BIPA: File directly in Illinois state court (no administrative filing required). Venue: County where violation occurred or where defendant does business. Texas CUBI: File in Texas state court; may need to show actual harm for damages. California/other states: File under applicable privacy law, common law (invasion of privacy, negligence), or wait for AG enforcement. Many cases settle before trial: Employers often settle BIPA claims for $2,000-$10,000 per employee to avoid litigation costs and precedent. Tech companies may settle early if class action certification is likely. Demand letters (from attorney) sometimes result in quick settlement if violation is clear.
Discovery: Your attorney will subpoena company records: biometric data retention policies, IT systems documentation, consent forms (or lack thereof), records of who accessed your biometric data, communications with vendors, prior lawsuits. Expert witnesses: Forensic analysis of biometric systems, security analysis (if data breach), damages calculation. Class certification (if class action): Attorney must prove commonality (all class members have same claim), adequacy (representative plaintiffs are typical), numerosity (enough class members). Trial or arbitration: If case doesn't settle, trial (jury or bench). BIPA cases often settle during discovery when company realizes evidence is strong. Appeals: BIPA law is still developing—some cases go to Illinois Supreme Court for legal interpretation.
You can also file regulatory complaints to pressure company and protect others: Illinois Attorney General: File complaint alleging BIPA violation (AG may investigate or join lawsuit). California Privacy Protection Agency: File complaint alleging CCPA violation (can result in fines). FTC: File complaint at reportfraud.ftc.gov if company made deceptive privacy promises or violated COPPA (children). EU: File complaint with national Data Protection Authority (e.g., ICO in UK, CNIL in France) alleging GDPR Article 9 violation. Regulatory actions can run parallel to private lawsuits and increase settlement pressure.
Follow these steps to protect your biometric data and pursue compensation for violations.