Feature Data Privacy
Biometric Data in Financial Services: The BIPA Exemption Isn't as Broad as Your Vendors Think
Financial institutions have a GLBA-based exemption from Illinois' Biometric Information Privacy Act — but courts are actively splitting on whether that exemption extends to your KYC and identity verification vendors. Two unsettled circuit questions, $100M+ in recent settlements, and what your vendor contracts need to say before the 7th Circuit decides.
Table of Contents
TL;DR
- Illinois BIPA exempts financial institutions subject to GLBA — but courts are actively splitting on whether that exemption extends to KYC vendors, biometric authentication providers, and other third-party processors
- Davis v. Jumio Corp. (2023) held that a KYC vendor wasn’t protected by the financial institution exemption even when its client bank was; the 7th Circuit is sitting on Cisneros v. Nuance Communications without a decision since October 2025 oral argument
- BIPA violations run $1,000 per negligent violation and $5,000 per intentional violation with a private right of action and no actual-harm requirement — Clearview AI settled for $51.75M, Motorola Solutions for $47.5M
- Texas TRAIGA (effective January 1, 2026) added a GLBA carve-out for voiceprints only — facial geometry and fingerprints captured by financial institution vendors remain covered
The compliance assumption most financial institutions are operating on: the GLBA-based BIPA exemption covers us and our vendors, because our vendors are processing biometric data on our behalf.
That assumption is legally contested, and two pending circuit-level decisions will determine whether it holds. Until they land, the exemption’s extension to third-party vendors remains unsettled — which means your KYC platform, your voice biometrics provider, and your mobile authentication vendor may each be carrying BIPA exposure your vendor agreement doesn’t address.
Here’s what the law actually says, where the courts have gone, and what your vendor contracts need to do about it.
What BIPA Actually Requires — and Who’s Exempt
Illinois’ Biometric Information Privacy Act, in force since 2008, applies to any private entity that collects, captures, purchases, or obtains biometric identifiers or biometric information from an individual. The required steps before collection:
- Inform the subject in writing that biometric data is being collected
- Inform the subject of the specific purpose and length of time for which the data will be used
- Obtain a written release from the subject
After collection, BIPA prohibits selling, leasing, trading, or otherwise profiting from biometric data. It requires reasonable security measures protecting stored data. And it requires destruction within the earlier of (a) the initial purpose being fulfilled or (b) three years from last interaction with the subject.
The enforcement mechanism is what makes BIPA unusual: a private right of action for any person aggrieved by a violation. Damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation. No actual harm required. The class action math — multiply either figure by millions of affected consumers — explains the settlement figures.
The financial institution exemption: BIPA Section 25(c) carves out “any financial institution or affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act and the regulations promulgated thereunder.” Banks, credit unions, insurance companies, mortgage companies — all exempt from BIPA for data subject to GLBA’s Title V provisions.
The question the courts are fighting about: does “financial institution or affiliate” extend to non-affiliated vendors processing biometric data on behalf of an exempt institution?
The Split That’s Keeping Compliance Counsel Up at Night
Two cases frame the contested ground.
Davis v. Jumio Corp. (N.D. Ill. 2023): A consumer sued Jumio, a KYC identity verification vendor, for BIPA violations arising from facial geometry collection during identity verification for a bank client. Jumio argued it was protected by the BIPA financial institution exemption because it was processing biometric data as a service provider to an exempt bank.
The court rejected the argument. The financial institution exemption, the court held, applies to financial institutions and their affiliates — not to third-party service providers whose bank clients are exempt. Jumio was not itself a financial institution subject to GLBA, and the exemption did not travel through the client relationship. Jumio faced direct BIPA exposure notwithstanding that its bank client would not.
The implication for financial institutions: your vendors are not necessarily exempt just because you are. If a vendor faces a BIPA class action for biometric data collected in your customer onboarding flow, the bank may not be named — but the vendor is, and you have a service relationship with that vendor and potentially indemnification exposure in the other direction.
Cisneros v. Nuance Communications (7th Cir.): Nuance provides voice biometrics technology to financial institution clients — its platform collects voiceprints for voice authentication during customer service calls. The 7th Circuit heard oral argument on whether Nuance is protected by the BIPA financial institution exemption in October 2025. No decision has been issued.
Cisneros is the highest-stakes pending case on vendor exemption scope. A 7th Circuit ruling that the exemption extends to vendors processing biometric data on behalf of exempt institutions would significantly reduce BIPA class action exposure across the vendor ecosystem. A ruling that the exemption applies only to the financial institution itself — consistent with Davis — would have the opposite effect.
Dorsey’s June 2026 analysis of the BIPA financial institution exemption describes the current state as “genuinely uncertain” pending 7th Circuit resolution. Until Cisneros lands, institutions should not assume the exemption travels to vendors.
The Settlement Landscape — Why This Matters Now
The BIPA settlement pace in 2025–2026 makes clear this isn’t a theoretical risk.
Clearview AI — $51.75M (settlement approved March 2026): Clearview’s facial recognition database, built by scraping publicly available images, generated class action litigation across multiple states. The $51.75M settlement is structured as a share of Clearview’s equity rather than a cash payment, given Clearview’s financial position — but it establishes the scale of facial biometric class action exposure for data aggregators.
Motorola Solutions FaceSearch — $47.5M (mid-2025): Motorola’s FaceSearch product, used by law enforcement and enterprise clients to identify individuals from facial images, settled BIPA class claims. The settlement covered Illinois residents whose facial geometry was captured without compliant consent.
Biometric Impressions — $12.1M (settlement approved October 2025): A biometric timekeeping company. Employee fingerprint collection without compliant BIPA consent is the classic BIPA fact pattern — and it keeps settling for eight figures.
YouTube / Google — $6M (August 2025): Illinois-specific settlement for a face blur feature in YouTube video editing that collected facial geometry. Google’s Illinois-specific settlement is notable for its relatively small size relative to YouTube’s user base — reflecting the limited Illinois-specific exposure.
Neutrogena / Kenvue — $4.7M (~11,000 Illinois residents): The per-capita math — roughly $430 per claimant — illustrates why plaintiffs’ counsel pursues biometric class actions even for consumer-facing companies with modest Illinois user counts.
For financial services companies and their vendors: the settlement pool increasingly includes fintech companies and identity verification providers. The KYC deepfake landscape is driving broader adoption of facial geometry collection for liveness detection and identity verification — and each of those implementations is a potential BIPA class.
Texas CUBI and TRAIGA — The State Framework That Changed in 2026
Illinois is the most litigated biometric privacy state because of BIPA’s private right of action. But Texas’ Capture or Use of Biometric Identifier Act covers employers and commercial entities collecting fingerprints, voiceprints, retinal scans, iris scans, and hand or face geometry from Texas residents.
CUBI’s key provisions: Informed consent before capture; prohibition on sale or disclosure for profit; destruction within one year of purpose being fulfilled or employee departure. Enforcement is AG-only — there’s no CUBI private right of action — with civil penalties up to $25,000 per violation.
Texas TRAIGA (signed 2025, effective January 1, 2026) amended CUBI in a way that matters specifically for financial institutions. TRAIGA added a GLBA carve-out for voiceprints captured by financial institutions. A bank collecting voiceprints for voice authentication in its IVR system now has a Texas-law exemption parallel to BIPA’s.
The carve-out’s limits matter: it applies to voiceprints only. Facial geometry from KYC selfie matching, fingerprints from mobile banking biometrics, and retinal or hand geometry from physical access controls remain covered by CUBI regardless of financial institution status under TRAIGA.
The practical map:
| Biometric Type | BIPA Status (FI) | BIPA Status (Vendor) | Texas CUBI (post-TRAIGA) |
|---|---|---|---|
| Facial geometry | Exempt | Contested | Covered |
| Fingerprint | Exempt | Contested | Covered |
| Voiceprint | Exempt | Contested | Exempt (FI only) |
| Retinal scan | Exempt | Contested | Covered |
Beyond Illinois and Texas, approximately 20 states now protect biometric data under consumer privacy frameworks — though most lack private rights of action and follow enforcement-only models. The state privacy law enforcement landscape covers the multi-state coordination dynamics for 2026.
What Your Vendor Contracts Are Missing
The gap between BIPA’s actual scope and what most vendor agreements address is large.
A typical KYC vendor agreement says something like: vendor will maintain reasonable security for customer data and comply with applicable law. That’s not what BIPA compliance requires — and it doesn’t allocate responsibility clearly enough to matter in litigation.
What your biometric data vendor agreements should include:
1. Explicit BIPA compliance representation. The vendor should represent either (a) that it maintains a compliant BIPA program covering consent collection, retention, and destruction, or (b) that it contends the financial institution exemption applies and articulate its legal basis. Vague “we comply with applicable law” representations don’t give you a basis for indemnification claims if the vendor’s BIPA position collapses.
2. Biometric data retention and destruction schedule. BIPA requires destruction within three years or fulfillment of purpose, whichever comes first. Your vendor contract should require the vendor to maintain and produce a written retention schedule, confirm timelines for destruction of your customers’ biometric data, and notify you when data is destroyed. You need to be able to demonstrate compliance with the destruction requirement, not just represent that your vendor handles it.
3. Consent documentation requirements. If the vendor collects biometric data directly from your customers — which is the typical structure for KYC selfie flows — the contract should specify who bears responsibility for obtaining BIPA-compliant consent: the institution, the vendor, or both. The consent disclosure language, the mechanism for obtaining written release, and the documentation of consent should all be addressed.
4. No-sale and no-profit prohibition. BIPA prohibits vendors from selling, leasing, trading, or profiting from biometric data. Your vendor contract should include an explicit prohibition on commercializing biometric data collected in connection with your relationship, beyond the contracted service.
5. Breach notification for biometric data. Unauthorized access to biometric data triggers notification obligations under Illinois law and the breach notification frameworks applicable to financial institutions. Your vendor contract should include a biometric-specific notification window — separate from or faster than the general breach notification requirement — given the sensitivity of biometric data and its non-replaceable nature. A customer whose credit card is breached can get a new card. A customer whose facial geometry is breached cannot get a new face.
6. Indemnification for third-party BIPA claims. If the Davis v. Jumio analysis holds — vendor is not exempt — your vendor faces potential class action exposure from BIPA claims arising from biometric data collected during your customer onboarding. Your agreement should clearly allocate who defends and who pays. Most standard vendor agreements are silent or one-sided on this; it’s a negotiated provision.
The vendor data processing agreement requirements covers the full set of data processing agreement provisions; biometric-specific requirements layer on top of the standard GDPR/CCPA DPA framework.
The Examiner Angle
Biometric data compliance isn’t a theoretical exam topic for financial institutions. The CFPB, OCC, and FDIC have all addressed biometric data use in the context of consumer protection, fair lending, and data security — and state examiners in Illinois (IDFPR) and Texas (Texas DOB) have increasing visibility into biometric data practices through their financial institution oversight roles.
What examiners are asking and what you need to be able to answer:
“What biometric data does your institution collect, and where?” You need an inventory. Mobile authentication biometrics (fingerprint, face ID), KYC identity verification (facial geometry from selfie matching), voice authentication in IVR systems, and physical access controls (fingerprint badges) are each separate biometric data streams with separate consent, retention, and destruction obligations.
“Who are your biometric data vendors, and what do their contracts say?” This is the documentation gap most institutions have. The answer “we use [vendor] and we have a standard MSA” is not adequate. You need vendor-specific biometric data provisions.
“What is your retention and destruction schedule for biometric data?” BIPA specifies three years or purpose fulfillment. If you can’t produce a specific retention schedule and evidence that destruction is happening on that schedule, you have an exam gap.
“Have you reviewed vendor BIPA compliance positions?” Given the Davis v. Jumio analysis, examiners with BIPA sophistication will ask what you know about your vendors’ compliance positions and whether the exemption argument has legal support.
So What? Three Actions This Week
Inventory your biometric data streams. Map every context in which your institution or its vendors collect biometric data from customers, employees, or third parties: mobile app authentication, KYC identity verification flows, voice banking, IVR voice biometrics, physical access controls. For each, identify whether the biometric data is collected by you directly or by a third-party vendor on your behalf.
Pull your KYC and authentication vendor agreements. For each vendor that touches biometric data, review: Is there a BIPA compliance representation? A retention and destruction timeline? A no-sale provision? An indemnification clause for BIPA claims? If any of these are absent, they belong on the next vendor review agenda and the next contract renewal.
Document your consent mechanism. For biometric data collected from customers in your own digital banking channels — facial authentication in mobile banking, fingerprint login — confirm that the consent mechanism satisfies BIPA’s written consent requirement for Illinois-based customers. Digital consent mechanics (in-app disclosures with explicit accept) work for BIPA purposes if properly implemented; undisclosed data collection does not.
The Cisneros v. Nuance decision, when it arrives, will significantly clarify whether the vendor BIPA exposure is as large as Davis suggests. Until then, the prudent position — consistent with how state privacy law enforcement is trending — is to assume vendors are not automatically exempt and build the contract provisions accordingly.
The Data Privacy Compliance Kit includes vendor data processing agreement templates with biometric data addendum provisions, a biometric data inventory worksheet, and consent disclosure templates structured for BIPA, Texas CUBI, and multi-state biometric frameworks.
External sources: Dorsey: BIPA Financial Institution Exemption Analysis | Katten: BIPA Developments and Enforcement Landscape | Texas Attorney General: CUBI and TRAIGA | Recording Law: State Biometric Privacy Laws | Privacy World: 2025 BIPA Year in Review
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Are financial institutions exempt from BIPA?
What is the BIPA financial institution exemption exactly?
What biometric data do financial institutions typically collect?
What does Texas CUBI require for financial institutions using biometric data?
How large are recent BIPA settlements, and who's paying them?
What contract provisions should financial institutions require from biometric data vendors?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Keep reading
Related posts.
Data Privacy
Connecticut's CDPA Took Effect Last Tuesday: Financial Account Data Is Now Sensitive Data, the Threshold Dropped to 35,000, and There's No 60-Day Grace Period
Connecticut's expanded CDPA took effect July 1, 2026. It lowered the applicability threshold from 100,000 to 35,000 consumers, reclassified financial account information as sensitive data requiring consent before processing or sale, eliminated the guaranteed 60-day cure period, and stripped the entity-level GLBA exemption from fintechs and nonbank lenders. Here's what changed and what your program needs to address this week.
Jul 8, 2026
Data Privacy
Minnesota's MCDPA Has Been Enforcing Since January — Your GLBA Exemption Doesn't Cover What You Think It Does
Minnesota's Consumer Data Privacy Act uses a data-level GLBA exemption, not an entity-level one. Non-bank fintechs have been exposed since January 31, 2026 — with no notice-to-cure period and $7,500-per-violation penalties.
Jul 2, 2026
Data Privacy
FTC Health Breach Notification Rule: What Non-HIPAA Health Data Holders Must Report and When
The FTC's 2024 amendments to the Health Breach Notification Rule dramatically expanded coverage to health apps, wellness platforms, and connected devices — with enforcement actions totaling $9+ million. Here's what every fintech and non-HIPAA health data holder needs to know.
Jun 30, 2026