BIPA & biometric hiring in 2026
Consent, retention, and the mistakes driving nine-figure settlements.

BIPA & Biometric Hiring in 2026: What Employers Need to Know
Biometric technology is becoming a standard part of modern hiring. Employers are using facial verification, fingerprint authentication, and identity matching to prevent fraud, streamline onboarding, and verify that the right person is completing the hiring process.
While these tools improve security and reduce identity fraud, they also introduce significant privacy obligations. Employers must ensure biometric data is collected, stored, and deleted in compliance with applicable state laws—especially the Illinois Biometric Information Privacy Act (BIPA).
What is BIPA?
The Illinois Biometric Information Privacy Act (BIPA) is the nation's most comprehensive biometric privacy law. It regulates how private companies collect, store, use, share, and destroy biometric identifiers such as:
- Facial geometry scans
- Fingerprints
- Retina or iris scans
- Voiceprints
- Hand geometry
If your hiring process captures or stores any of these identifiers for applicants or employees in Illinois, BIPA likely applies.
Employer requirements
Before collecting biometric information, employers should:
- Inform applicants in writing that biometric data will be collected.
- Clearly explain why the data is being collected and how long it will be retained.
- Obtain informed written (or valid electronic) consent.
- Publish a biometric data retention and destruction policy.
- Store biometric data securely.
- Never sell or profit from biometric information.
What's new for 2026?
Illinois amended BIPA in 2024 to reduce the risk of "per-scan" damages. Instead of treating every fingerprint or facial scan as a separate violation, repeated collection of the same biometric identifier using the same method is generally treated as a single violation. Electronic consent is also expressly recognized. These changes reduced litigation exposure, but they did not remove employers' obligations to obtain consent and maintain compliant biometric privacy practices.
Beyond Illinois
Biometric privacy is no longer just an Illinois issue.
Several states have enacted biometric or broader privacy laws, while others regulate specific hiring practices such as facial recognition during interviews or employee fingerprint collection. Employers hiring nationally should review state-specific requirements before deploying biometric hiring technology.
Best practices
- Collect only the biometric information you actually need.
- Obtain clear consent before collection.
- Use encrypted storage and strict access controls.
- Delete biometric data according to your published retention schedule.
- Regularly review vendor compliance and security practices.
- Train HR and recruiting teams on biometric privacy requirements.
How Cleo helps
Cleo uses biometric verification to help confirm that the person completing the hiring process is the real applicant—not someone impersonating them. When biometric verification is used, Cleo supports compliant workflows by presenting required disclosures, collecting authorization, maintaining audit trails, and helping employers apply the appropriate privacy requirements based on the hiring location.
Compliance Note: This guide provides general information and is not legal advice. Biometric privacy laws continue to evolve, and employers should consult legal counsel before implementing biometric technologies in hiring or onboarding.