Understanding the 2025 Illinois BIPA Landscape for Cannabis Dispensaries

The regulatory environment for cannabis dispensaries in Illinois has undergone a significant shift in 2025, following notable amendments to the state’s Biometric Information Privacy Act (BIPA) and landmark court decisions that are already influencing risk management and practical compliance strategies. With Illinois courts dismissing at least one high-profile biometric privacy lawsuit in light of the revised statute, dispensaries and cannabis businesses across the state must pivot quickly—aligning their ID scan workflows and biometric consent processes to the new reality while maintaining strict compliance with the Cannabis Regulation and Tax Act (CRTA).

Below, we break down what cannabis operators, compliance officers, and technology vendors need to know to avoid litigation and regulatory headaches as they handle customer identification and biometric data in 2025 and beyond.

BIPA Amendments: Key Changes for Cannabis Businesses

Illinois’ BIPA, long regarded as the strictest biometric privacy law in the nation, was amended by SB2979 in August 2024. Major changes include:

• Single Recovery Rule: Under the revised law, a business that improperly collects or discloses a person’s biometric identifier or information commits only one violation per individual—not per scan or transaction—dramatically reducing cumulative damage exposure (source).
• Electronic Consent Valid: The law now clarifies that electronic signatures—such as those captured on tablets, kiosks, or mobile devices—are valid for obtaining written informed consent to collect or use biometrics.
• Retroactive Application: Courts are already applying these amendments to pending lawsuits, as seen in early 2025 case dismissals (source). This brings much-needed certainty for dispensary operators grappling with evolving liability.

Bottom line: The core BIPA requirements remain—consumer notice, informed consent, data retention policies, and secure handling—but the risk landscape has shifted in favor of compliant businesses.

What Counts as a “Biometric Identifier” Under BIPA?

BIPA defines biometric identifiers to include data such as fingerprints, face geometry (not just photographs), iris or retina scans, and voiceprints. In the dispensary context, common biometric capture points include:

• ID-scanning devices with facial recognition or extraction of facial features
• Security cameras or check-in kiosks with automated face matching

Photographs alone are not covered—but if software analyzes, creates, or stores mathematical representations of a face (faceprints, templates), BIPA applies. As dispensaries frequently use ID scanners—sometimes with facial mapping—for age verification, careful distinction and mapping of system functionalities is critical for compliance (see more).

Dispensary ID Scan Systems: Compliance Workflows for 2025

Illinois law still requires digital ID scans to verify age and identification before entry and purchase (source). But under BIPA, vendors and cannabis businesses must:

1. Map Biometric Data Flows

• Inventory all technologies (hardware and software) that may capture, infer, or process biometric identifiers—not just store images.
• Work with vendors to understand if face matching, fingerprint recognition, or other biometric features are active or can be disabled.

2. Minimize Data Collection

• Disable non-essential biometric features by default. If age verification can be performed without templating a face or reading fingerprints, turn off those functions.

3. Written Informed Consent (Now Including Electronic)

• Use a clear, BIPA-compliant consent form—now allowed to be electronic—before capturing any biometric identifier.
• Disclose the purpose, storage period, and destruction policy.

4. Retention & Destruction Policies

• Post and adhere to a retention/destruction schedule for biometric data, and make it publicly available via signage or online (detailed summary).
• Retain biometric data only as long as strictly needed for legal age verification or entry.

5. Secure Handling and Vendor Contracts

• Restrict and log access to systems containing biometric data.
• Segregate storage of biometric data from broader customer records where possible.
• Ensure all age-verification and security vendors provide BIPA-compliant data processing agreements (DPAs) and deletion APIs.

6. Training and Signage

• Train staff to avoid capturing biometrics beyond what’s required (e.g., manual photo snaps that are not essential for compliance).
• Update privacy notices and in-store signage to include BIPA-mandated disclosures: what is collected, for what purpose, how it is stored, and when it will be destroyed.

What Does BIPA Mean for IL Cannabis Customers?

Consumers visiting licensed cannabis dispensaries in Illinois can expect:

• Mandatory ID scanning at entry and purchase.
• Notification and consent if any system collects biometric identifiers (face geometry, fingerprints).
• Detailed privacy policies onsite or online, describing data storage, retention, and destruction.
• Assurance that biometric data will not be sold, used for unrelated purposes, or kept beyond the legal retention period.

If a dispensary uses only basic photo capture for ID verification, BIPA obligations may not be triggered. But if the system extracts or analyzes unique physiological characteristics, consent and all other compliance steps apply.

Lessons from Early 2025 Court Rulings

The first wave of post-amendment BIPA litigation suggests that dispensaries and vendors deploying clear, consent-oriented workflows now face much less existential risk. Courts are increasingly inclined to dismiss lawsuits where operators can show:

• BIPA-consistent electronic consent was obtained
• Retention/destruction policies were posted and followed
• Non-essential biometric functions (e.g., face matching for analytics) were disabled by default

This trend is a relief for cannabis licensees but should not prompt compliance complacency. The amended law reduces (not eliminates) penalties and the litigation onslaught. Plaintiffs and regulators will still scrutinize consent processes, vendor diligence, and internal enforcement.

Action Steps for Dispensaries

For Operators and Compliance Teams:

1. Conduct a full audit of ID-scanning and security systems to detect any biometric processing.
2. Revise all consent workflows to match the amended law’s electronic signature provision.
3. Document and educate: Retain audit trails for consents, staff training logs, and system configurations.
4. Coordinate with vendors: Ensure contractual and technical controls match BIPA’s strictures. Require deletion capabilities and indemnification clauses as appropriate.
5. Review and update all public-facing privacy notices and signage to present clear, accurate information on biometric practices.

For Vendors:

• Offer clear configuration guidance to disable biometric features not strictly required for compliance.
• Update software to capture audit trails of electronic consent and support rapid data destruction.

For Consumers:

• Be prepared each visit to present ID and review biometric consent requests before allowing any scan that captures facial geometry or other markers.
• Ask dispensary staff about data retention and destruction policies if not clear from posted signage or privacy policies.

Looking Forward: Keeping Illinois Cannabis Compliance Litigation-Resistant in 2025

Dispensaries that proactively align their systems, policies, and training with the latest BIPA amendments are well positioned to weather regulatory scrutiny and litigation. The best practices are clear:

• Map and minimize biometric processing
• Consistently obtain and document consent (now electronically)
• Maintain transparent, public retention and destruction policies

As the landscape evolves further, regular audits and close vendor coordination will remain crucial. Stay ahead of the rules, and keep your compliance posture strong.

For ongoing updates, expert insights, and practical tools for Illinois BIPA cannabis compliance, dispensary ID scans, and biometric consent workflows, visit CannabisRegulations.ai.