GDPR Compliance in Illinois: EU GDPR + BIPA Biometric Data Overlap

Illinois businesses processing EU resident data must comply with GDPR, while Illinois's own Biometric Information Privacy Act (BIPA) creates one of the strongest biometric data protection regimes in the United States — with significant overlap with GDPR's special category protection for biometric data. Illinois does not have a comprehensive state privacy law equivalent to California's CPRA, but BIPA's stringent consent and policy requirements mean Illinois companies with biometric data programs face dual GDPR-BIPA compliance obligations.

State Enforcement Agency: Illinois Attorney General (BIPA enforcement) — private right of action is primary BIPA enforcement mechanism
BIPA enforcement is primarily through private lawsuits; IL AG can also pursue enforcement; no Illinois state privacy agency; GDPR enforced by EU supervisory authorities separately

State Penalties: BIPA: $1,000 per negligent violation, $5,000 per intentional/reckless violation, plus attorneys' fees — class action exposure can reach hundreds of millions. GDPR fines apply additionally for EU biometric data.
Federal Penalties: GDPR: up to €20M or 4% of global annual turnover for most serious violations; biometric data violations typically draw higher fines as special category data

How Federal + Illinois Law Overlap

GDPR applies to Illinois businesses processing EU resident personal data. BIPA applies to Illinois businesses collecting biometric data from employees, customers, or others in Illinois. GDPR classifies biometric data processed for unique identification as a 'special category' requiring explicit consent or another specific exception — paralleling BIPA's consent requirement. A unified biometric data policy can satisfy both frameworks.

Recent GDPR Enforcement in Illinois

2023 — Meta Platforms / Facebook (Menlo Park, operating in IL)
Illinois BIPA class action for facial recognition Tag Suggestions feature; collected biometric identifiers from IL users without written consent
Penalty: $650,000,000 class action settlement — largest BIPA settlement in history
Source: Illinois Courts
2022 — BNSF Railway (Fort Worth, TX, IL operations)
BIPA violation for collecting truck driver fingerprints for facility access without proper written policy or consent
Penalty: $228,000,000 jury verdict (later reduced); case illustrates BIPA's application to employer fingerprint systems
Source: Illinois Courts
2024 — Illinois-based AI and facial recognition companies
GDPR enforcement by EU DPAs for processing EU resident facial recognition data; Clearview AI banned from EU operations
Penalty: EU DPA fines and processing bans for biometric data collection without legal basis
Source: EU DPAs

Frequently Asked Questions

How do BIPA and GDPR overlap for Illinois businesses?

Both BIPA and GDPR treat biometric data with heightened protection and require explicit consent before collection. BIPA requires a written policy and written consent for any biometric collection in Illinois. GDPR Article 9 prohibits processing biometric data for unique identification without explicit consent (or another specific exception). Illinois businesses using biometric systems must satisfy both consent requirements simultaneously.

What was the Meta BIPA settlement and why does it matter?

Meta (Facebook) settled an Illinois BIPA class action for $650 million in 2021 over its Tag Suggestions facial recognition feature, which collected biometric identifiers from Illinois users without written consent. This is the largest BIPA settlement ever. It demonstrates that BIPA class actions can reach hundreds of millions of dollars and that any Illinois-facing technology collecting facial data faces extreme financial risk.

Does GDPR apply to Illinois businesses?

Yes, if your Illinois business processes personal data of EU residents. Chicago-based technology, financial services, and media companies frequently have EU customers or EU employee data. Any Illinois company with EU users, EU investors, or EU business operations may be subject to GDPR. The combination of GDPR and BIPA makes Illinois one of the most complex privacy compliance environments in the US.

What is Illinois's state data privacy law?

As of 2026, Illinois does not have a comprehensive consumer privacy law equivalent to California's CPRA. BIPA is the most significant privacy law, covering biometric data with a strong private right of action. The Illinois Personal Information Protection Act (PIPA) covers breach notification. Illinois companies with EU data must rely primarily on GDPR as the privacy framework, supplemented by BIPA for biometrics.

What GDPR fines apply to biometric data violations?

Under GDPR, biometric data processed for unique identification is a 'special category' under Article 9. Violations involving special category data typically attract higher fines — up to €20 million or 4% of global annual turnover. EU DPAs have imposed substantial fines for biometric data violations; Clearview AI received bans across multiple EU countries. Illinois businesses with EU facial recognition or biometric systems face GDPR's highest fine tier.
