NY SHIELD Act and Illinois BIPA for AI Systems: Biometric Consent, Security Programs, and Class Action Exposure
Two state statutes create significant AI compliance exposure that is invisible in most corporate governance frameworks. Illinois BIPA requires informed written consent before any AI system collects biometric identifiers, carries per-violation statutory damages with a private right of action, and has generated nine-figure class action settlements (Facebook $650M, Google Photos $100M). New York's SHIELD Act requires a reasonable data security program for any entity that owns or licenses NY residents' private information, a category that expressly includes biometric information. Under BIPA's per-scan accrual rule (Cothron v. White Castle, 2023), a daily facial recognition system generated a new claim on every scan across the 5-year limitations period; a 2024 amendment (SB 2979, Public Act 103-0769) now limits recovery to one violation per person for repeated collection by the same method, but whether it reaches conduct before August 2, 2024 remains contested in the courts.
What Triggers Illinois BIPA for AI Systems
BIPA (740 ILCS 14) applies to any private entity that "collects, captures, purchases, receives through trade, or otherwise obtains a person's or a customer's biometric identifier or biometric information." A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The operative verb is "obtains": storage of the raw image is not required, and although the statute excludes photographs themselves, courts have treated a scan of face geometry computed from a photograph as collection. A company that runs facial images through an AI model is therefore "obtaining" biometric identifiers even if it never retains the image. AI systems within scope: facial recognition for employee timekeeping or access control; speech-to-text or voice authentication AI that extracts voiceprints; document processing AI that scans fingerprints; retail loss prevention facial recognition; KYC/AML AI capturing and verifying facial geometry; emotion detection AI, to the extent it computes a scan of face geometry (which facial-landmark pipelines typically do); any computer vision model extracting facial features from images of individuals. One carve-out matters for AI deployments: BIPA does not apply to information captured from a patient in a health care setting or collected, used, or stored for treatment, payment, or operations under HIPAA, so diagnostic AI processing patient facial images is generally outside the statute, while the same model applied to employees or consumers is not.
BIPA's Four Requirements: Consent, Policy, Retention, Non-Sale
BIPA §15(a): A written, publicly available policy establishing a retention schedule and destruction guidelines must exist before any collection; data must be destroyed when the initial purpose is satisfied or within 3 years of the individual's last interaction with the entity, whichever occurs first. Failure to have the written policy is itself a violation. BIPA §15(b): Inform the person in writing of the collection, its specific purpose, and the retention period, and obtain a written release before collection or first use; for employment AI, every covered employee must consent before the biometric system engages. The 2024 amendment confirms that an electronic signature satisfies the written-release requirement. BIPA §15(c): No selling, leasing, trading, or otherwise profiting from biometric data; reusing biometric data collected for timekeeping to train commercial AI models is the kind of secondary use that exposes an entity to a §15(c) claim. BIPA §15(d): No disclosure, redisclosure, or dissemination of biometric data without consent or a statutory exception; transmitting facial geometry to an AI vendor API is a disclosure requiring consent, and the vendor contract should prohibit the vendor from using the data for model training. A fifth provision, §15(e), requires storing and transmitting biometric data with the reasonable standard of care in the entity's industry and at least as protectively as other confidential information. Each violation carries $1,000 in liquidated damages if negligent and $5,000 if intentional or reckless (or actual damages if greater), enforceable through a private right of action.
Per-Scan Accrual Under Cothron and Class Action Exposure
The Illinois Supreme Court's 2023 decision in Cothron v. White Castle held that a separate BIPA claim accrues each time biometric data is scanned or transmitted in violation of §15(b) or §15(d), not just on first collection. Combined with the 5-year statute of limitations confirmed in Tims v. Black Horse Carriers (2023), a daily facial recognition timeclock with 100 employees created 100 new claims per day: 182,500 over 5 years at $1,000 minimum each. Landmark settlements: Facebook $650 million, Google Photos $100 million, Clearview AI roughly $52 million (structured as an equity stake rather than cash). The Illinois legislature responded with SB 2979 (Public Act 103-0769, effective August 2, 2024), which provides that collecting the same biometric identifier from the same person by the same method is a single violation entitling that person to at most one recovery; under the amendment the timeclock example yields at most 100 claims going forward. Courts are divided on whether the amendment applies to conduct that predates it, so pre-amendment deployments still carry per-scan exposure.
NY SHIELD Act: Data Security Program Requirements for AI
The NY SHIELD Act (N.Y. Gen. Bus. Law §§ 899-aa through 899-bb) requires a "reasonable" data security program for any person or business that owns or licenses computerized data containing NY residents' private information; private information expressly includes biometric information used to authenticate or ascertain identity, so extracted facial or voice features are covered. Administrative safeguards: a designated program owner, risk assessment, employee training, and vendor selection. Technical safeguards: assess risks in network and software design, detect and prevent attacks, test and monitor key controls; for AI this means audit logging of model and data access, anomaly detection for unusual data access, and penetration testing of AI APIs. Physical safeguards: secure storage and disposal within a reasonable time after the data is no longer needed; for AI, secure deletion must cover the biometric features and embeddings extracted by the model, not just the raw data. Third-party management: AI vendor API contracts must require equivalent security measures. Businesses already subject to GLBA, HIPAA, or NY DFS Part 500 are deemed compliant, and small businesses (under 50 employees, $3 million in revenue, or $5 million in assets) may scale safeguards to their size and the sensitivity of the data. Enforcement is AG-only (no private right of action), with civil penalties up to $5,000 per violation for failures of the security program.
BIPA vs. NY SHIELD Act vs. CCPA: State Privacy Comparison for AI
Illinois BIPA: biometric-specific, opt-in written consent required, private right of action ($1,000-$5,000 per violation), per-scan accrual for pre-amendment conduct and one violation per person per method after August 2024, 5-year limitations period; highest litigation risk. NY SHIELD Act: security program obligation only (no consent requirement), AG enforcement only, civil penalty up to $5,000 per violation. CCPA (California, as amended by the CPRA): sensitive personal information includes biometric information processed to uniquely identify a consumer; consumers get notice at collection and a right to limit use and disclosure of sensitive PI (an opt-out, not an opt-in, except for sale or sharing of data from consumers under 16); private right of action for security breaches only; AG and CPPA enforcement. Multi-state employers with Illinois, NY, and California employees face simultaneous obligations when biometric AI is deployed: BIPA consent and retention policy for Illinois employees, a SHIELD Act security program for NY employee data, and CCPA notice at collection plus a right-to-limit mechanism for California employees, who have been fully covered since January 1, 2023.