Filter by Category

How to Enforce Your Right to Opt Out of AI Model Training Using Illinois Biometric Data Under BIPA in 2026

Illinois residents can seek statutory damages of $1,000 per negligent violation and $5,000 per reckless/intentional violation under the Biometric Information Privacy Act (BIPA). In 2026, that leverage increasingly applies to AI systems trained on “biometric identifiers” or “biometric information,” including face geometry extracted from images and videos. This guide explains how to opt out, preserve evidence, and enforce your rights through demand letters, complaints, and litigation under BIPA.

Why BIPA matters for AI model training in 2026

AI model training often begins with ingestion at scale: photos, videos, audio clips, and “derived” features pulled from that media. When the data pipeline includes identifying biological characteristics—such as face geometry, fingerprints, iris patterns, or voiceprints—Illinois’s Biometric Information Privacy Act (BIPA), 740 ILCS 14, can provide one of the strongest state-law enforcement tools in the U.S.

BIPA is uniquely plaintiff-friendly because it is built around affirmative duties (notice, written consent, retention schedules, and limitations on dissemination), and it authorizes statutory damages without requiring proof of actual financial loss. In the AI era, that structure is particularly consequential: many AI-training harms are difficult to monetize, but the statutory scheme is designed to deter unauthorized collection and use.

What counts as “opting out” under BIPA (and what doesn’t)

BIPA does not use the term “opt out” in the way some consumer privacy laws do. Instead, BIPA generally requires informed written consent (often called a “written release”) before a private entity collects, captures, purchases, receives through trade, or otherwise obtains a person’s biometric identifier or biometric information.

In practical terms, enforcing an “opt out” in 2026 typically means one or more of the following:

Withholding consent (refusing to sign a biometric release; toggling off biometric features; declining “face/voice” enrollment).
Revoking prior consent and demanding cessation of collection/use and deletion consistent with the entity’s retention schedule and BIPA’s destruction requirement.
Demanding compliance artifacts: the publicly available retention schedule and written policy required by BIPA, plus confirmation of deletion and non-dissemination.
Enforcing rights through litigation when the entity collected/used biometrics for AI training without the required written release and policies.

Important limitation: if a company never had proper written consent in the first place, your enforcement posture is not merely “opt-out”—it is “unlawful collection/use,” which can unlock statutory damages, attorneys’ fees, and injunctive relief.

Biometric data used in AI training: what triggers BIPA

Covered biometrics under BIPA

BIPA’s core definitions focus on:

Biometric identifiers (e.g., retina/iris scans, fingerprints, voiceprints, scans of hand or face geometry).
Biometric information (information based on a biometric identifier used to identify an individual).

AI training can implicate these definitions when a system extracts face geometry vectors (“face embeddings”), creates a voiceprint template for speaker identification, or uses similar biometric templates to recognize or verify individuals.

Common AI-training scenarios that can create BIPA exposure

In 2026, attorneys increasingly see BIPA claims tied to “secondary use” of biometrics—data initially captured for one reason (login, security, attendance) later used or shared for model development.

Examples:

Face recognition in apps and platforms: an app generates a “face template” from user selfies for account recovery, then reuses those templates to improve a face-matching model.
Voice features in customer service: a company records calls and generates voiceprints for authentication, then uses those voiceprints (or derived embeddings) to train a speaker-recognition model.
Workplace timekeeping: a vendor collects fingerprints or face scans for time clocks, then uses aggregated templates to refine matching algorithms.
Video analytics: cameras used for access control extract face geometry; the vendor stores templates and uses them to train detection/recognition systems.

Whether a specific dataset or feature vector qualifies as “biometric identifier” or “biometric information” is fact-intensive. But if identification is part of the system’s function or the templates are used to recognize individuals, BIPA risk rises sharply.

BIPA’s key compliance duties that matter for “AI training opt-out” enforcement

To understand enforcement, start with the obligations that private entities must meet when handling Illinois biometrics:

1) Publicly available retention schedule and destruction guidelines

BIPA requires a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometrics when the initial purpose for collection has been satisfied or within a defined time period.

2) Written notice and written release before collection

Before collecting or obtaining biometrics, an entity must inform the person (in writing) that biometrics are being collected or stored; inform them of the purpose and length of term; and obtain a written release.

3) Limits on disclosure and profit

BIPA restricts disclosure and dissemination of biometrics and prohibits profiting from a person’s biometric identifier or information.

4) Reasonable security measures

Entities must store, transmit, and protect biometrics using a reasonable standard of care and in a manner at least as protective as how they treat other confidential information.

For AI model training disputes, the pressure points tend to be: (a) whether a written release existed that clearly covered training; (b) whether retention/destruction rules existed and were followed; and (c) whether biometrics were disclosed to vendors, annotators, or model developers without compliant consent and controls.

Step-by-step: how to enforce your “opt-out” and deletion demands in 2026

Step 1: Identify the likely biometric collection point

Start with the moment your biometrics were most likely captured:

Workplace onboarding (time clocks, access control)
App enrollment (Face ID-like features inside the app, selfie verification)
Customer support authentication (voice ID)
Photo/video platforms with tagging or recognition

Write down dates, devices, locations, and the names of any vendors involved. In many BIPA cases, the vendor relationship is central.

Step 2: Collect and preserve evidence before you complain

Preservation is crucial because terms, consent flows, and vendor lists change frequently.

Screenshot the consent screens (including toggles, checkboxes, and any “I agree” text).
Download or print policies: biometric policy/retention schedule, privacy policy, and any AI/training disclosures.
Save emails or onboarding packets referencing biometrics.
Keep call logs and any “voice authentication” prompts.
Document denial options: whether you could proceed without enrolling biometrics.

For workplace systems, keep copies of employee handbooks, HR notices, and any vendor names on the device or signage.

Step 3: Make a targeted written demand (revocation + deletion + training stop)

Even though BIPA is consent-forward rather than opt-out-forward, a well-crafted demand can set up key issues: knowledge, timing, retention, and ongoing use.

A demand typically requests:

Confirmation whether the entity collected or obtained your biometric identifier/information.
A copy (or link) to the entity’s BIPA-required retention and destruction policy.
Confirmation of the specific purpose(s) for collection and whether AI training/model improvement was included.
Identification of all third parties with whom biometrics were shared or who processed them.
Deletion/destruction of your biometric data and templates, and cessation of any ongoing processing or training use.
Preservation of evidence (a litigation hold) if you believe violations occurred.

Companies may respond with generalized privacy language. A strong letter narrows the issues: “Do you maintain a face geometry template? Was it used to train or fine-tune any model? What retention timer applies? When will destruction be completed?”

Step 4: Evaluate whether the “consent” was actually BIPA-compliant

In AI settings, purported consent often fails because it is:

Not written (e.g., implied consent or continued use).
Not informed (no clear purpose and duration; no disclosure of training).
Bundled or coerced (workplace or essential service “take it or leave it” enrollment without alternatives can create factual disputes).
After-the-fact (obtaining consent after collection or after templates were created).

If the company cannot produce a specific written release covering the relevant biometric capture and use, that gap often becomes the cornerstone of enforcement.

Step 5: Consider the enforcement path: individual claim, class action, or agency leverage

BIPA is commonly enforced through civil litigation, including class actions when the same biometric workflow affected many people. In 2026, AI training pipelines frequently scale across thousands or millions of users, making class treatment a recurring strategic consideration.

Factors influencing the best path include: