Biometric Data Breach: Fingerprints, Faceprints & BIPA Class Actions Explained

By Steve Levine · Updated July 2, 2026 · 8 min read

Quick Answer

A biometric data breach is the unauthorized exposure, collection, or disclosure of biometric identifiers — fingerprints, faceprints, voiceprints, iris or retina scans, hand geometry — or the templates derived from them. Unlike a password or card number, a biometric identifier is biologically permanent: it cannot be reset or reissued, so its exposure is a lasting harm. The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, is the leading law in this area. It requires informed written consent and public retention-and-destruction schedules, and its private right of action carries liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation — the engine behind hundreds of biometric class actions, from workplace fingerprint timeclocks to face-scanning apps.

What Biometric Data Is

Biometric data is a measurement of who you physically are. Instead of something you know (a password) or something you have (a key card), a biometric system identifies you by something you are. The identifiers that appear in privacy statutes and lawsuits include fingerprints, faceprints (scans of face geometry), voiceprints, iris and retina scans, and hand geometry — the shape and measurements of a person's hand, common in workplace hand-scan timeclocks.

Most systems do not store a raw image of your finger or face. They convert it into a mathematical template — a string of numbers describing the unique ridges of a fingerprint or the distances between facial features. Statutes generally cover both layers: the identifier itself and any biometric information derived from it that can be used to identify a person. Ordinary photographs and signatures are typically excluded, but a faceprint template generated from a photograph can still qualify — which is how photo-tagging and face-recognition features have ended up in biometric litigation.

Why Biometric Exposure Is Uniquely Harmful

When a database of passwords leaks, the fix is annoying but real: reset the passwords. When a credit card number is stolen, the bank issues a new card. Even a Social Security number, the classic identity-theft key, can at least be monitored and flagged. A biometric identifier is different — it is immutable. You cannot be issued new fingerprints, a new face, or new irises. Once a usable biometric template is exposed, the person it belongs to carries that exposure for life.

The Illinois legislature wrote this concern directly into BIPA's findings: biometrics are “biologically unique to the individual,” and once compromised, the individual “has no recourse” and is at heightened risk of identity theft. That permanence is why biometric statutes impose consent and destruction duties before any breach happens, and why courts treat the loss of control over biometric data as a concrete injury rather than a technicality. It is also why a breach that includes biometric templates is generally treated as more serious than one limited to reissuable account data — a theme that carries through data breach class actions generally.

Illinois BIPA — the Law Behind Most Biometric Class Actions

The Illinois Biometric Information Privacy Act, 740 ILCS 14, enacted in 2008, is the most consequential biometric privacy law in the country because it combines strict duties with a private right of action. A private entity that collects or possesses biometric identifiers or biometric information in Illinois generally must:

  1. Publish a written policy. A publicly available retention schedule and guidelines for permanently destroying biometric data.
  2. Give notice and obtain informed written consent. Before collecting a biometric, the entity must tell the person what is being collected, why, and for how long — and obtain a written release (since the 2024 amendment, an electronic signature qualifies).
  3. Destroy the data on schedule. When the original purpose ends, or within 3 years of the person's last interaction with the entity, whichever comes first.
  4. Never sell or profit from biometric data, and not disclose it without consent or legal authorization.
  5. Protect it with reasonable care. Store and transmit biometric data using the standard of care in the industry, at least as protectively as other confidential information.

The remedy is what makes BIPA bite. A prevailing party may recover the greater of actual damages or liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees, costs, and injunctive relief. Multiplied across a workforce clocking in by fingerprint every day, or millions of app users, those figures explain why BIPA cases settle for substantial sums.

Rosenbach, Cothron & the 2024 Amendment

Three developments define modern BIPA litigation. First, in Rosenbach v. Six Flags Entertainment Corp. (2019), the Illinois Supreme Court held that a person is “aggrieved” — and can sue — the moment a company violates BIPA's notice, consent, or retention rules, without proving any additional harm like actual identity theft. The case involved a teenager whose thumbprint was scanned for a season pass without the statute's required disclosures. The violation of the privacy right is itself the injury.

Second, in Cothron v. White Castle System, Inc. (2023), the Illinois Supreme Court held that a separate BIPA claim accrues with each unlawful scan or transmission — not just the first one. For an employee who scanned a fingerprint at every shift for years, the per-violation math became enormous, and the court itself noted that damages appeared to be discretionary and invited the legislature to weigh in.

The legislature did. A 2024 amendment (effective August 2, 2024) provides that when an entity collects the same biometric identifier from the same person using the same method more than once, that is a single violation for which the person can recover, at most, one statutory award. The amendment also confirmed that an electronic signature satisfies the written-release requirement. The practical effect: per-person recovery, not per-scan recovery, for repeated identical collections — though courts continue to sort out how the amendment applies to conduct that predates it.

Texas, Washington & Other States

Illinois is not alone in regulating biometrics — but it is alone in letting individuals sue directly under a standalone biometric statute. Texas's Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001, requires notice and consent before capturing a biometric identifier for a commercial purpose and provides civil penalties of up to $25,000 per violation — but only the Texas Attorney General can enforce it. Texas has used it: the state's enforcement action against Meta over face-tagging produced a $1.4 billion settlement announced in 2024, the largest privacy recovery ever obtained by a single state.

Washington's biometric privacy law, RCW 19.375, similarly requires notice and consent before enrolling a biometric identifier in a database for a commercial purpose, and it is enforced exclusively by the Washington Attorney General under the state's Consumer Protection Act — again, no private right of action. Beyond the standalone statutes, many states now fold biometric data into their data-breach-notification laws or comprehensive consumer privacy acts, and BIPA-style bills (with private rights of action) are introduced in state legislatures every year. For now, that makes Illinois the center of gravity: where a person's biometrics were collected or scanned in Illinois, BIPA claims are usually the lead count.

How Biometric Claims Show Up in Class Actions

Biometric claims reach consumers through two main channels. The first is the workplace timeclock case: an employer requires workers to clock in and out by fingerprint or hand scan without the written policy, disclosures, and signed release BIPA requires. These cases are often certified as classes of all Illinois employees who used the device, and they regularly settle with per-person payments. The $4.2 million NOVAtime BIPA settlement — covering workers who used NOVAtime finger- or hand-scan timeclocks in Illinois — is a representative example (that settlement is now closed). A close cousin under Illinois's Genetic Information Privacy Act is the Watershed Foods GIPA settlement, which pays Illinois job applicants and employees automatically — no claim form — over family-medical-history questions.

The second channel is the consumer technology and data breach case: face-recognition features, photo-tagging, virtual try-on tools, voice assistants, and identity-verification services that allegedly collected faceprints or voiceprints without BIPA-compliant consent — and security incidents in which stored biometric templates are exposed alongside other personal data. When a breach includes biometric data, plaintiffs typically plead BIPA's reasonable-care requirement alongside negligence and other data-breach theories, and the immutability of the exposed data strengthens the injury argument. Related privacy statutes — like California's wiretapping-based CIPA — often travel with biometric counts in web-technology cases. You can track active breach cases and open settlements on our data breach settlements hub.

One caution: the filing of a biometric lawsuit is an allegation, not a finding. Companies named in BIPA complaints regularly dispute that the data they collected qualifies as biometric at all, and settlements resolve claims without any admission of wrongdoing.

Frequently Asked Questions

What counts as biometric data?

Biometric identifiers are measurements of your unique biological traits. The Illinois Biometric Information Privacy Act lists retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Biometric information is any data derived from those identifiers that is used to identify a person — for example, the mathematical template a fingerprint timeclock stores instead of the fingerprint image itself. Photographs and writing samples are generally excluded, but a faceprint template generated from a photo can still qualify.

Why is a biometric data breach worse than a password breach?

Because biometrics are immutable. If a password, credit card number, or even a Social Security number is exposed, it can be changed, reissued, or monitored. Your fingerprints, face geometry, and iris patterns are biologically permanent — once a usable template is exposed, you cannot get a new fingerprint. That is why courts and legislatures treat biometric exposure as a lasting injury and why statutes like BIPA impose strict consent and destruction requirements.

What damages does BIPA allow?

BIPA gives a prevailing party the greater of actual damages or liquidated (statutory) damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus reasonable attorneys' fees and costs and possible injunctive relief. A 2024 amendment provides that when a company collects the same biometric identifier from the same person by the same method multiple times, that counts as a single violation for damages purposes — limiting the per-scan exposure recognized in Cothron v. White Castle.

Do I need to prove I was harmed to sue under BIPA?

No. In Rosenbach v. Six Flags Entertainment Corp. (2019), the Illinois Supreme Court held that a person is "aggrieved" under BIPA — and may sue — when a company violates the statute's notice, consent, or retention requirements, even without proving any additional injury like identity theft. The violation of the biometric privacy right is itself the harm the statute protects against.

Do states other than Illinois have biometric privacy laws?

Yes, but Illinois is the only state whose standalone biometric statute lets individuals sue directly. Texas's Capture or Use of Biometric Identifier Act (CUBI) and Washington's biometric privacy law (RCW 19.375) both regulate biometric collection, but only the state attorney general can enforce them — there is no private right of action. Some other states cover biometric data through broader data-breach-notification or comprehensive privacy laws, and more states consider BIPA-style bills each year.


About This Page

General legal information about biometric data breaches and biometric privacy laws like the Illinois Biometric Information Privacy Act, not legal advice. OpenClassActions.com is a consumer news site and is not a law firm or a settlement administrator. Statutes and case law change — BIPA in particular was amended in 2024 and continues to be interpreted by the courts — and how any law applies depends on the facts of a particular situation. For controlling text, see 740 ILCS 14 and the decisions of the Illinois courts. If you believe your biometric data was collected or exposed unlawfully, consult a qualified attorney in your jurisdiction.