BIPA and people counting: why a non-biometric counter sits outside Illinois' biometric privacy law

Jun 2, 2026 (15 min read)

Why BIPA keeps catching non-US vendors out

Illinois' Biometric Information Privacy Act, usually written as BIPA and codified at 740 ILCS 14, is the US state privacy law that European and global vendors most often miss. It sits below the radar because it is not a federal statute, it predates the GDPR by nearly a decade (it was passed in 2008), and it applies to private entities operating in a single state. Yet it has produced more high-value privacy litigation than any other US state law, and it reaches any private entity that collects or stores biometric identifiers from an Illinois resident, regardless of where that entity is headquartered.

For a vendor selling people counting into US retail chains, shopping centres, airports, or stadiums, BIPA matters for a simple reason: if the counting method captures a biometric identifier as the statute defines it, the deployment in Illinois carries a private right of action, statutory damages per violation, and a written-consent regime that is stricter than most non-US vendors have ever built for. If the counting method does not capture a biometric identifier, BIPA does not apply to it at all. The difference between those two outcomes is sensor choice.

This article is informational and is not legal advice. BIPA classification is fact-specific and is decided by Illinois courts, not by vendor documentation. Engage US counsel for any actual deployment classification, contract drafting, or risk assessment.

What follows is a plain-language walk through what BIPA does, what counts as a biometric identifier under the Act, how the damages structure works, what two well-known Illinois Supreme Court rulings established, and why a people counter that uses no face, fingerprint, voiceprint, retina or iris scan, or hand geometry sits outside the scope of the statute.

What BIPA actually regulates

BIPA regulates the collection, storage, use, and disclosure of biometric identifiers and biometric information by private entities. Section 15 of the Act sets out the operative duties. Five are worth knowing in plain English:

  • Written policy (Section 15(a)). A private entity in possession of biometric identifiers or biometric information must develop a publicly available written policy that sets retention schedules and destruction guidelines.
  • Notice and written consent (Section 15(b)). Before collecting a biometric identifier, the entity must inform the individual in writing of the collection, the specific purpose, and the period of storage, and obtain a written release.
  • No sale or profit (Section 15(c)). A private entity may not sell, lease, trade, or otherwise profit from a person's biometric identifier or biometric information.
  • Limited disclosure (Section 15(d)). Disclosure to a third party requires the individual's consent, completion of a financial transaction the individual requested, statutory authority, or a valid warrant or subpoena.
  • Reasonable care (Section 15(e)). Biometric identifiers and biometric information must be stored, transmitted, and protected using the reasonable standard of care within the industry, and in a manner at least as protective as how the entity stores other confidential and sensitive information.

All five duties are gated on the same threshold question: does the entity possess a biometric identifier or biometric information as the Act defines those terms? If the honest answer is no, none of the Section 15 duties attach. If the answer is yes, all of them do.

What counts as a biometric identifier under BIPA

BIPA's definitions are narrower than informal usage of the word biometric. The statute is explicit about what is in scope, what is out, and how the two are related.

Biometric identifier (Section 10):

The Act defines a biometric identifier as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. That is a closed list. The statute then sets out an explicit list of items that are not biometric identifiers, including writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, and physical descriptions such as height, weight, hair colour, or eye colour. Photographs are notably out of the statutory definition of biometric identifier, although Illinois courts have considered whether scans derived from photographs can themselves be biometric identifiers.

Biometric information (Section 10):

Biometric information is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Information based on a non-biometric source, such as a count or a transaction record, is excluded by the definition itself.

Practical reading:

The statutory scope is people-identifying physical measurements. Counting that a person passed through a doorway is not on the list. Estimating that a corridor holds 14 people right now is not on the list. Recording that the average visitor in a gallery stays 8 minutes is not on the list. None of those involve a retina, iris, fingerprint, voiceprint, hand geometry, or face geometry, and none of them produce information that could be used to identify a particular individual. They are operational counts, not biometric identifiers.

Where a counting system goes wrong on BIPA is at the sensor: if the system reads face geometry to recognise that the same person walked in twice, or extracts a face template from a video frame for re-identification, the data being processed lands squarely inside the statutory definition. The fact that the entity calls the output a count does not change the input.

How BIPA damages work

BIPA's bite is in Section 20. The Act provides a private right of action: any person aggrieved by a violation may sue for liquidated damages, attorneys' fees, and other relief the court deems appropriate. The statutory damages structure has two tiers:

  • $1,000 per violation for a negligent violation, or actual damages if greater.
  • $5,000 per violation for an intentional or reckless violation, or actual damages if greater.

Attorneys' fees, costs, and expert witness fees are recoverable, which is what makes BIPA cases viable as class actions. The combination of a private right of action, statutory minimums, fee-shifting, and class certification has made BIPA one of the most active areas of US privacy litigation since 2019, with settlements in the hundreds of millions of dollars across multiple matters.

Two Illinois Supreme Court rulings worth knowing

Two cases reshaped how BIPA is litigated. Both are real public rulings; the summaries below describe them at a high level and intentionally do not invent quotations or details. Read the opinions themselves, with counsel, before relying on either one for any specific position.

Rosenbach v Six Flags Entertainment Corp. (Illinois Supreme Court, 2019).

Rosenbach addressed the threshold question of who has standing to sue under BIPA. The defendant argued that a plaintiff had to show actual injury beyond a bare procedural violation of the Act's notice and consent requirements. The Illinois Supreme Court held that a person whose statutory rights under Section 15 were violated qualified as aggrieved within the meaning of Section 20, even without separate actual damages. The practical effect was to open the door to BIPA class actions based on notice-and-consent failures alone, which until then had been an open question.

Cothron v White Castle System, Inc. (Illinois Supreme Court, 2023).

Cothron addressed how to count violations. The defendant argued that a violation accrued only on the first capture of a biometric identifier. The Illinois Supreme Court held that a separate claim accrues each time a private entity scans or transmits a biometric identifier without the required consent. The practical effect was to multiply potential damages dramatically in cases with high collection frequency, by combining per-scan accrual with the per-violation statutory minimums in Section 20. Subsequent Illinois legislative work and pending amendments may adjust how this rule operates going forward; consult current counsel for the live position.

The combined message of the two cases is that BIPA does not need an actual data breach or identity theft to trigger meaningful liability, and that the violation clock can run on every scan rather than every individual. That is why the threshold question, namely whether the system captures a biometric identifier in the first place, is the only question that matters for many vendors.

Where people counters fall on the BIPA line

Counting systems sold under the same label can take very different sensing approaches. The BIPA analysis follows the sensor, not the marketing.

Systems that read face geometry to identify or re-identify visitors.

If the system extracts a face template, a hashed face vector, or any other scan of facial geometry, and uses it to match a person across visits or to recognise the same individual at multiple doors, the data being processed is a scan of face geometry, which the BIPA definition lists explicitly. Notice and written consent under Section 15(b) attach before collection. A written retention and destruction policy under Section 15(a) is required. The deployment needs to be set up to support all five Section 15 duties from day one.

Systems that store fingerprints, hand geometry, or voiceprints.

Time-and-attendance terminals, kiosks that read a thumbprint, and any system that captures a voiceprint sit inside the definition for the same reason. BIPA's largest publicly reported settlements involve fingerprint-based time clocks deployed in Illinois workplaces.

Systems that count without any biometric identifier.

A method that does not capture a retina, iris, fingerprint, voiceprint, hand geometry, or face geometry, and that does not produce information based on any of those, is outside the statutory definition. The output is an operational count: how many people entered, how many are present, how long they stayed. None of that is a biometric identifier under Section 10. None of it is biometric information under Section 10. The Section 15 duties therefore do not attach to the counting activity itself.

That third category is the safe deployment posture for a US retailer or operator that does not want BIPA exposure on its counting line. It is also the posture this article assumes for the rest of the discussion.

How Ariadne fits

Ariadne is camera-free. The measurement does not capture face geometry, fingerprints, voiceprints, retina or iris scans, or hand scans. None of the five categories in the BIPA definition is in scope at the sensor.

Ariadne takes its measurements with Hybrid Fusion, its patented camera-free method. Time-of-Flight depth sensing counts every visitor at the entrances, capturing geometry rather than images, while patented phone signal sensing follows movement through the interior, detecting the signals a phone emits even in airplane mode. The sensor streams both feeds to Ariadne, where Hybrid Fusion combines them into one trajectory per visit and computes counts, dwell, and paths. The streams carry no identifier: no MAC address, no device ID, no biometric data, and no camera is involved. Identifiers are stored only when a visitor explicitly opts in, which keeps the method GDPR-friendly and outside biometric territory.

For a US deployment, the practical readout against BIPA is direct. No face is captured anywhere in the measurement path, so no scan of face geometry is produced. The Time-of-Flight sensing reads geometry rather than images, so no fingerprint, voiceprint, iris, or retina is captured. Phone signal sensing detects radio emissions, not hand geometry. No demographic detection (age, gender, emotion estimation) is performed, which keeps the deployment out of areas that, while not directly listed in BIPA, attract attention in adjacent US privacy regimes. Identifiers are stored only when a visitor explicitly opts in, for example by accepting a guest Wi-Fi terms-of-service, which a US controller can simply choose not to enable.

The fusion that turns the two streams into counts, dwell, and paths runs centrally in the Ariadne platform, not on the sensor itself. Nothing in that pipeline introduces a biometric identifier that was not present at capture, because the capture step did not produce one to begin with. The detail of what is processed, where, and under which contractual arrangement is set out in the Ariadne privacy policy, and the solution overview sits on the people counting page.

A short BIPA-readiness checklist

If you are evaluating a counting vendor for a US deployment that includes Illinois locations, these are the questions worth putting in writing before signing.

  1. Does the system capture face geometry? Face detection in a viewfinder is one thing; extracting and storing a scan of face geometry to recognise an individual is another. You want a clear no, with evidence of how the sensor works.
  2. Does the system capture fingerprints, voiceprints, retina or iris scans, or hand geometry? For a counter, the answer should be no across the board. Confirm it in the data sheet, not in the sales deck.
  3. Is any image of a visitor stored or transmitted? Images are out of the BIPA definition of biometric identifier, but a system that stores images is one configuration change away from extracting biometrics from them. A method that never captures images closes that door.
  4. Are demographic attributes inferred? Age, gender, and emotion inference sit outside BIPA's narrow definition but pull other US statutes and Federal Trade Commission attention into scope. A clean no keeps adjacent regimes simpler.
  5. What does the data-processing agreement say about Illinois deployments? Even where the system does not capture biometric identifiers, the controller-processor agreement should explicitly reflect what is captured and what is not, so that a future Illinois plaintiff is met with a written record that matches the deployment reality.
  6. Who is the contracting US counsel? BIPA classification is a question for US lawyers admitted to practice. A vendor that points you at a written policy, names its US counsel, and is willing to put a representation about its sensor capabilities into the master services agreement is taking the question seriously.

Related US privacy regimes worth noting in passing

BIPA is the most active state law in this area, but it is not the only one. A short orientation, with the same caveat that none of this is legal advice:

  • Texas CUBI. The Capture or Use of Biometric Identifier Act covers similar territory in Texas, but with enforcement reserved to the Attorney General and no private right of action. The reputational stakes can still be significant.
  • Washington HB 1493. Washington State has its own biometric identifiers statute, again with enforcement by the Attorney General rather than a private right of action.
  • State comprehensive privacy laws. California (CCPA / CPRA), Colorado, Connecticut, Utah, Virginia, and a growing list of others define biometric information within their broader frameworks. None replicate the BIPA private right of action plus statutory minimums combination, but each carries its own obligations where biometric data is processed.
  • FTC enforcement. The Federal Trade Commission has used Section 5 of the FTC Act to bring biometric-related enforcement actions against companies whose claims about biometric processing did not match what they did. The deterrent value is independent of any state statute.

A vendor that has structurally chosen not to capture biometric identifiers at all clears the BIPA threshold and most of the adjacent regimes in the same step. That is the position this article describes, and it is the position the Ariadne deployment occupies by design.

FAQ

Is BIPA only about Illinois residents?

BIPA applies to private entities operating in Illinois, regardless of where the entity is headquartered. The protected class is individuals whose biometric identifiers or biometric information are collected, stored, or used in connection with Illinois activity. Most of the major BIPA litigation has involved either Illinois-based plaintiffs or out-of-state defendants whose operations touched Illinois. Counsel will give you the operative analysis for your specific deployment footprint.

Are photographs covered by BIPA?

The statutory definition of biometric identifier in Section 10 explicitly excludes photographs. However, scans of face geometry derived from photographs have been the subject of significant Illinois litigation, with courts considering whether the derived templates fall within the definition. The cautious reading is that a system that extracts face geometry from any source, including a photograph, is processing the regulated data category, while a system that stores a photograph and does nothing with it is not. As ever, this is a question for counsel rather than a vendor blog.

Does a Time-of-Flight depth sensor capture biometric data?

A Time-of-Flight sensor used as a counting device fires infrared pulses and measures return distance to reconstruct geometry above the sensor. Used as Ariadne deploys it, the output is a count of objects crossing a threshold, with roughly 30 centimetre resolution. It does not produce a fingerprint, voiceprint, retina or iris scan, hand scan, or scan of face geometry. None of the five categories in the BIPA definition is in scope. A Time-of-Flight sensor could in principle be used to capture a high-resolution scan of someone's face or hand; the question is what the system actually does with the data, not what the underlying sensor could theoretically support. The Ariadne configuration is not used to capture biometric identifiers.

Does the deployment use cameras?

No. Ariadne counts with Hybrid Fusion: Time-of-Flight depth sensing plus patented phone signal sensing, never cameras. Time-of-Flight captures geometry rather than images, and signal sensing captures no MAC address by default, so the measurement involves no video, no faces, and no biometric data.

Is this article legal advice?

No. This article is informational only. BIPA classification and risk assessment are fact-specific and should be done with qualified US counsel for your specific deployment, sensor configuration, and contractual arrangements.
