Compliance & Insurance · 6 Min Read

    Does Your Time Clock Scan Fingerprints? Then This Illinois Law Applies to Your Business.

    Most of the cybersecurity threats we write about come from criminals. This one is different, and if you run a business in Chicago or anywhere in Illinois, it deserves your attention today. The risk here does not come from a hacker. It comes from a law, one of the strictest of its kind in the entire country, that quietly applies to a huge number of ordinary Illinois small businesses, and that most owners have never heard of until they get a letter from a lawyer.

    It is called the Biometric Information Privacy Act, or BIPA, and here is why it should make you pause. If your business uses a fingerprint scanner to clock employees in and out, or a face-scan system for entry, or any technology that captures a fingerprint, face, retina, voiceprint, or hand scan, this law almost certainly applies to you. And it has real teeth. Businesses have faced enormous liability under BIPA, sometimes enough to threaten their survival, often without ever realizing they were doing anything wrong. The good news is that compliance is very achievable once you know it exists. The danger is in not knowing. So let me explain it plainly.

    A quick and important note first: this article is educational, not legal advice. We are not attorneys, and BIPA is a genuine legal matter. The right move, if any of this applies to you, is to talk with a qualified Illinois attorney. What we can do here is make sure you know the law exists and understand the basics, so you know to ask.

    What BIPA is and why Illinois is different

    Illinois has one of the toughest biometric privacy laws in the United States. BIPA regulates how businesses collect, store, and use biometric data, the unique physical identifiers like fingerprints and facial geometry that cannot be changed the way a password can. The reasoning behind the law is sound: if your password leaks, you can change it, but if your fingerprint data leaks, you are stuck with that fingerprint for life. So Illinois decided this kind of data deserves special protection.

Two things make Illinois stand out. First, the law is strict and specific about what businesses must do before collecting biometric data. Second, and this is the part that matters most, BIPA gives individuals the right to sue directly, with set dollar amounts attached to violations. That combination is why Illinois has seen a wave of BIPA lawsuits while most other states have nothing comparable. It is genuinely a Chicago and Illinois issue in a way it is not elsewhere.

    Who this actually applies to

    This is where owners are most often caught off guard, because the technology that triggers BIPA is so ordinary. You do not have to be a tech company. You just have to use a tool that captures biometric data, and many common small business systems do exactly that.

    The most common trigger by far is the timekeeping system. A great many Illinois businesses, including restaurants, shops, manufacturers, healthcare offices, and warehouses, switched to fingerprint or hand-scan time clocks because they are convenient and stop buddy-punching. Every one of those scans is biometric data collection under the law. Other triggers include face-scan or fingerprint access systems for doors, and various systems that use voiceprints or facial recognition. If any technology in your business identifies a person by a part of their body, BIPA is in the room.

    The unsettling part is how invisible this is. You bought a time clock to solve a payroll headache. You had no idea you had just taken on a set of legal obligations. That gap between ordinary business decisions and unknown legal exposure is exactly what has caught so many Illinois businesses.

    What the law generally requires

    BIPA sets out specific steps a business must take before and while collecting biometric data. In plain terms, and again as general education rather than legal advice, the core obligations look like this.

    • You need a written policy. Businesses are expected to have a written, publicly available policy that explains how biometric data is handled, including a schedule for retaining it and a clear plan for permanently destroying it when it is no longer needed. The law does not want this data kept forever.
    • You need informed, written consent before you collect. This is the big one. Before capturing someone's biometric data, you must inform them in writing about what you are collecting and why, and obtain their written consent. For employees, that means getting proper consent before the first fingerprint scan, not after. Recent updates to the law have clarified that an electronic signature can count as that written consent, which makes this more practical to handle.
    • You must protect the data and not profit from it. The law requires you to store and protect biometric data using reasonable care, and it prohibits selling or profiting from it. You also generally cannot share it without consent.

Notice that some of these obligations are legal and procedural (the policy and the consent), which is where an attorney is essential, and some are about data protection (the storing and safeguarding), which is squarely a security matter.

    Why this is urgent, and the recent good news

    For years, the exposure under BIPA was staggering. The law attaches set damages to violations, and a 2023 court decision had interpreted it so that each individual scan could count as a separate violation. For a business with employees scanning in twice a day for years, the theoretical numbers reached into the millions, which is what fueled the lawsuit wave and put real businesses at existential risk.

    There is genuine good news on this front. In 2024, Illinois amended the law so that repeated collection from the same person counts as a single violation rather than one per scan, and courts in 2026 confirmed that this limit applies to pending cases as well. This dramatically reduces the worst-case exposure that hung over Illinois businesses. But, and this is the crucial point, it does not make the law go away. The obligations still stand. Lawsuits still happen. The damages, while no longer astronomical, are still significant, and the law can apply even when a violation was completely unintentional. The takeaway is not "the danger passed." It is "the danger is now survivable if you comply, and very real if you ignore it."

    What to do today

    If any of this might apply to your business, here are the sensible first steps. Take an honest inventory: does any system in your business capture fingerprints, faces, or other biometric data? Be thorough, because the time clock is easy to forget about. If the answer is yes, treat it as a priority, not a someday. Talk to a qualified Illinois attorney about your specific situation and what compliance requires for you. And on the security side, make sure any biometric data you do hold is genuinely protected, stored safely, access-controlled, and destroyed on a schedule, because protecting that data is both a legal expectation and simply the right thing to do with something so permanent and personal.

    How we think about it

    This is exactly the kind of overlooked, location-specific risk we help Chicago businesses get ahead of, working alongside your legal counsel. Our role lives in the data-protection half of the picture, organized around a simple framework we call KIT: Keep, Inspect, Trust. Keep what is valuable secure, which absolutely includes biometric data that, unlike a password, can never be changed if it leaks. Inspect, which means knowing what sensitive data your business holds and where it lives, including the data flowing through that time clock. And trust through validation, which means handling permanent, personal information with documented care rather than assumption. We help you protect and document the data; your attorney handles the legal policy and consent. Together, that is real compliance, not guesswork.

    What ready looks like

    Picture knowing exactly what biometric data your business collects, having proper consent and policies in place through your attorney, and protecting that data with real, documented security. If a letter ever arrives, or a new hire asks how their fingerprint data is handled, you have a clear and confident answer. You are not lying awake wondering whether the time clock you installed years ago quietly turned into a liability.

    That is what ready feels like, especially for an Illinois business. Not hoping BIPA never comes up, but knowing you have handled it properly.

    This is one of those risks that is dangerous mainly because it is invisible. The Chicago businesses that get hurt by BIPA are almost never the ones who knew about it and chose to ignore it. They are the ones who never knew it applied to them. Now you know. If you want help understanding what sensitive data your business holds and making sure it is properly protected, that is a conversation worth having today, and pairing it with a quick check from an Illinois attorney is the complete answer.

    Read more about Illinois data breach notification laws, learn about cyber insurance requirements, or review our 8-point cybersecurity checklist.


Tony Chan is the founder of Red Door Technologies LLC and the author of Operation CyberGuard: Protect Your Business, Outsmart Cyber Threats, and Secure Your Future. He has served small businesses across Chicago for 17 years.
