Illinois BIPA (Biometric Information Privacy Act) requires informed written consent before collecting, capturing, or disclosing a person's biometric identifier — including face geometry templates derived from photographs. Raw images may fall outside some definitions, but mathematical templates used for matching often qualify. Texas CUBI and Washington's biometric privacy law add parallel duties. Commercial data vendors must geofence, purge, or block Illinois residents' biometrics absent documented consent — not merely add a disclaimer in a data dictionary. Identity products that ingest social, retail, or mugshot-derived media need explicit BIOMETRIC=0 attestations for buyer samples.
BIPA defines biometric identifiers to include retina or iris scans, fingerprints, voiceprints, and scans of face geometry. Commercial products may ship embeddings, 128-dimensional face vectors, or "facial similarity scores" derived from photos — each can trigger BIPA when linked to an Illinois resident. Voiceprints matter for call-center and conversational-intent products. PADFAA separately treats biometrics as sensitive for foreign-adversary transfer bans. Map fields in data dictionaries with explicit biometric flags.
Deduplication and fraud vendors sometimes store perceptual hashes of faces — shorter than full templates but still usable for matching. Legal teams should treat novel hash types as biometric until counsel says otherwise. Column names like face_vec, embedding, or similarity_score are discovery magnets even when vendors label them "internal only."
BIPA requires a written policy made available to the public, establishing a retention schedule and guidelines for permanent destruction when the initial purpose expires. Consent releases must describe the specific purpose and length of storage. Vendors cannot rely on generic marketing privacy policies that never mention biometrics. The Illinois Attorney General BIPA enforcement track record includes large settlements against tech vendors — data resellers face buyer questions even when they did not operate the camera.
Retention limits should propagate to buyers' derivative tables and model features — not only the vendor's warehouse. Contract clauses should require buyers to delete biometric fields on termination and certify no re-identification from residual embeddings.
After Illinois SB 2979, some BIPA claims require harm showings — but regulatory and buyer expectations did not relax. Enterprise security questionnaires still demand pre-collection controls. Vendors should not interpret reform headlines as permission to ship experimental face-match columns.
Request: (1) BIOMETRIC=0 attestation on sample files, (2) methodology memo for template suppression, (3) list of sources that could introduce face geometry, (4) incident history, and (5) contractual indemnity boundaries (indemnity cannot override statute). Test joins with the MAID feed and the core email file to ensure enrichment does not reintroduce banned vectors from third-party packs. For risk analytics, scope risk management separately from marketing activation.
Public mugshots and media still images are not a free pass: converting them to geometry templates for commercial resale remains high risk without BIPA-grade consent chains. Pair review with FCRA vs non-FCRA when fraud or employment contexts appear.
OCR and document-ingestion pipelines can accidentally extract face geometry from driver's licenses or benefits letters in KYC workflows, so segregate those pipelines from marketing SKUs. If your fraud team needs biometrics, license a separate product schedule with explicit permitted use and destruction rules rather than reusing MAID feed delivery paths.
Texas Capture or Use of Biometric Identifier (CUBI) and Washington's biometric law impose notice and consent variants. Other states proposed biometric bills in 2025–2026 sessions tracked by IAPP. National models trained on Illinois geometry without suppression export legal debt into every activation. Many enterprise buyers apply Illinois-grade controls nationwide when unsure. Document national suppression in sourcing methodology and trust materials so sales engineers do not promise face-match features absent legal approval.
Retail media and CPG analytics sometimes experiment with in-store vision vendors — those pipelines may produce geometry even when buyers only license aggregated foot traffic. Contract upstream prohibitions on biometric derivation for marketing SKUs. For global mobility programs, confirm visit data is not fused with facial recognition outputs from mall Wi-Fi or camera partners without BIPA-grade consent chains.
Class counsel historically targeted collectors first, then pursued data recipients in discovery. Even without direct BIPA liability, receivers may face document requests and deposition topics about known biometric fields. A clean BIOMETRIC=0 attestation reduces friction but must be truthful — spot-check embeddings in pilot files.
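One way to run that spot-check on a pilot file, added here as an illustration and not taken from any vendor's tooling: it flags columns whose names match the hints mentioned earlier (face_vec, embedding, similarity_score) and columns whose values parse as long numeric arrays even when the name looks innocuous. The extra name patterns, the 32-dimension threshold, and the sample file are assumptions constructed for the example.

```python
import csv, io, json, re

# Name hints: face_vec, embedding, similarity_score come from the article;
# the rest of the pattern and the 32-dim threshold are assumptions to tune.
NAME_HINTS = re.compile(
    r"face|embed|similarity|voiceprint|iris|retina|fingerprint|phash|_vec$", re.I)
MIN_VECTOR_DIMS = 32

def looks_like_vector(value):
    """True if a cell parses as a numeric array with MIN_VECTOR_DIMS+ items."""
    text = value.strip()
    if not text:
        return False
    try:
        parsed = json.loads(text)                 # JSON array: "[0.1, 0.2, ...]"
    except ValueError:
        try:                                      # delimited: "0.1|0.2|..."
            parsed = [float(p) for p in re.split(r"[;|,\s]+", text.strip("[]()")) if p]
        except ValueError:
            return False
    return (isinstance(parsed, list) and len(parsed) >= MIN_VECTOR_DIMS
            and all(type(x) in (int, float) for x in parsed))

def scan_sample(csv_text, max_rows=1000):
    """Map each suspect column to why it contradicts a BIOMETRIC=0 attestation."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = {}
    for col in reader.fieldnames or []:
        if NAME_HINTS.search(col):
            findings.setdefault(col, set()).add("name")
    for i, row in enumerate(reader):
        if i >= max_rows:
            break
        for col, val in row.items():
            # Innocuous column names can still carry templates, so test values too.
            if isinstance(val, str) and looks_like_vector(val):
                findings.setdefault(col, set()).add("vector_values")
    return {col: sorted(reasons) for col, reasons in findings.items()}

def build_sample():
    """Constructed pilot file: one declared score column, one undeclared vector."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["record_id", "state", "email_sha256", "similarity_score", "attr_17"])
    w.writerow(["1", "IL", "ab" * 32, "0.93", json.dumps([i / 1000 for i in range(128)])])
    w.writerow(["2", "TX", "cd" * 32, "0.12", ""])
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_sample(build_sample()))
```

A name-only hit such as similarity_score is a prompt to ask the vendor what the score was derived from; a value hit on an undeclared column is evidence that the attestation does not match the file.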
Model-training buyers should ask whether historical geometry was purged from training corpora when Illinois residents were later identified — forward-looking suppression does not cure datasets already baked into weights. Some teams maintain geography-aware retrain schedules when BIPA exposure is discovered late.
Insurance and gig-economy identity checks are frequent sources of incidental biometrics — brokers purchasing fraud or identity packs should require source-level attestations that geometry was never generated, not only that it was removed before delivery.
Add BIPA reps and warranties with defined survival periods and audit hooks; generic privacy reps do not mention biometric identifiers and fail security review. Buyers should require annual re-certification because source mix changes when brokers onboard new media or fraud partners mid-year. Pair warranties with technical sampling at every renewal, not only the initial pilot, and reserve termination rights when samples reveal undeclared geometry columns.