
The Biometric Trap

How Guest Screening Could Cost You $50,000 in Illinois

AI Analyst
Jan 15th, 2026
6 min read

Guest screening is supposed to protect your property. ID verification. Background checks. Facial recognition to match the selfie to the passport.

Standard stuff. Until it isn't.

If you're screening guests with facial recognition and any of them are Illinois residents, you're sitting on a legal landmine that could detonate at any moment.

The BIPA Problem Nobody Warned You About

The Illinois Biometric Information Privacy Act (BIPA) is the most aggressive biometric privacy law in the country. And it has a private right of action, meaning individuals can sue companies directly. No need to wait for regulators.

The damages are statutory: $1,000 per person for negligent violations, $5,000 per person for reckless or intentional violations.

Here's the math that should terrify you: if you screened 5,000 Illinois guests without proper consent, your base exposure is $5 million for negligent violations. If a court finds you ignored known BIPA requirements, that jumps to $25 million.

Commercial litigation analysis confirms these aren't theoretical numbers. Companies have paid massive settlements.


The 2024 Amendment Changed the Math (But Not Enough)

Good news: Illinois passed Public Act 103-0769 in August 2024, limiting recovery to one violation per person rather than per scan.

Under the old interpretation, every time your screening tool scanned a guest's face, it was a separate violation. Scan 10 times across multiple bookings? 10 violations. The new law caps it at one recovery per person.

But "per person" across thousands of guests is still catastrophic exposure.

The law also clarified that electronic consent (click-through agreements) is acceptable. That's helpful. But only if your consent flow actually meets the requirements.

Hospitality Is Already Being Targeted

This isn't theoretical. The hospitality sector is actively in the crosshairs.

Harrah's Joliet Casino was sued for using facial recognition without proper written policy or consent. Hollywood Casino faced nearly identical litigation.

More directly relevant: attorneys are actively recruiting Illinois Airbnb users for mass arbitration regarding identity verification processes. The advertised potential recovery? Up to $5,000 per person.

The allegation is straightforward: collecting facial scans during ID verification without meeting BIPA's disclosure and consent requirements.

What BIPA Actually Requires

If you collect biometric identifiers (including facial geometry from photos), BIPA requires:

  1. Written notice informing the person that their biometric data is being collected
  2. Written consent from the person
  3. A publicly available retention schedule specifying when the data will be destroyed
  4. No selling or profiting from the biometric data

Most screening tools handle steps 1 and 2 in a click-through flow. Steps 3 and 4 are where operators most often fail.

Do you know where your guest screening vendor stores facial data? How long they keep it? Whether they've published a retention schedule?

The FCRA Trap (Yes, There's Another One)

BIPA is the flashy risk, but FCRA is the quiet one.

The Fair Credit Reporting Act applies when you use a background check to make a decision about a guest. If you deny a booking based on screening results, you're required to send an adverse action notice.

FTC guidance for landlords specifies the requirements:

  • Name, address, and phone number of the screening company
  • Statement that the screening company didn't make the denial decision
  • Notice of the guest's right to dispute and get a free copy of the report

This applies even if the background check was only a partial factor in the decision. Miss the notice requirement, and you've got FCRA exposure.

Vendor Compliance Varies Wildly

I reviewed public policies for major guest screening vendors. The differences are stark.

Safely's biometric policy is explicit: they "may collect, store, and use your facial geometry for purposes of identification and fraud prevention." Retention: destroyed when the purpose is satisfied or after 3 years, whichever comes first. They also state they follow FCRA guidelines for denied guests.

For other major vendors like Autohost and Truvi, I couldn't find publicly accessible BIPA policies in my research. That doesn't mean they're non-compliant, but it does mean you need to ask directly.

The absence of a public policy doesn't protect you. BIPA liability can extend to the company deploying the technology, not just the vendor providing it.

The Multi-Jurisdiction Patchwork

Illinois isn't the only risk:

Jurisdiction      | Control required                                    | Enforcement
Illinois (BIPA)   | Written notice, consent, public retention schedule  | Private right of action: $1k-$5k per person
New York City     | Conspicuous signage, no selling data                | Private right of action
Portland, OR      | Total ban on private facial recognition use         | $1,000/day fines
Texas/Washington  | Notice and consent, data security                   | AG enforcement only

Portland's outright ban on private use of facial recognition in places of public accommodation is the most extreme. If you're operating STRs there, facial verification should be disabled entirely.

The Processing Nexus Risk

Here's a curveball: recent legal developments suggest plaintiffs located outside Illinois may be able to bring BIPA claims if the alleged processing occurred on servers within Illinois.

Gibson Dunn's 2025 privacy outlook notes this "processing nexus" theory is gaining traction. Where does your screening vendor's data center live? If it's in Illinois, you may have BIPA exposure regardless of where your guests reside.

The Action Plan

Immediate (Days 1-30):

  • Review vendor contracts. Confirm if they collect facial geometry.
  • Request written statement on vendor's BIPA compliance status.
  • Update your privacy policy to mention biometric collection, retention, and destruction.

Operational Changes (Days 31-60):

  • Implement "per person" consent in the booking flow, separate from general Terms of Service.
  • Create an adverse action email template for denied guests with all FCRA requirements.
  • Geo-fence Portland properties to disable facial recognition.

Ongoing:

  • Prefer vendors that perform on-device verification or delete facial templates immediately after matching.
  • Track biometric law developments in New York, Massachusetts, and Missouri (pending legislation).
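One way to wire the plan above into a booking system is a policy gate that runs before the screening vendor's facial matching is ever invoked. The following is an added illustration, not code from any vendor or from this article; it encodes only the rules summarised on this page (the Portland ban, BIPA's notice, consent and retention-schedule requirements, and the Illinois processing-nexus theory), and the bookings and URL are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ConsentRecord:
    notice_shown: bool                      # written notice of biometric collection
    consented: bool                         # separate affirmative consent, not buried in ToS
    retention_schedule_url: Optional[str]   # publicly available destruction schedule

@dataclass
class Booking:
    property_city: str
    property_state: str
    guest_state: str
    vendor_datacenter_state: str   # processing-nexus theory: Illinois servers matter too
    consent: Optional[ConsentRecord] = None

def facial_verification_allowed(b: Booking) -> tuple[bool, str]:
    """Return (allowed, reason) for invoking facial matching on this booking."""
    # Portland bans private-sector facial recognition outright: disable, no exceptions
    if b.property_city.lower() == "portland" and b.property_state.upper() == "OR":
        return False, "portland_private_use_ban"
    # BIPA reaches Illinois residents and, under the nexus theory, Illinois processing
    bipa_in_scope = "IL" in (b.guest_state.upper(), b.vendor_datacenter_state.upper())
    if bipa_in_scope:
        c = b.consent
        if c is None or not c.notice_shown:
            return False, "bipa_written_notice_missing"
        if not c.consented:
            return False, "bipa_consent_missing"
        if not c.retention_schedule_url:
            return False, "bipa_retention_schedule_missing"
    return True, "ok"

# Constructed sample bookings (hypothetical guests, vendors and URL)
SAMPLES = {
    "portland": Booking("Portland", "OR", "CA", "VA"),
    "il_guest_no_consent": Booking("Chicago", "IL", "IL", "VA"),
    "il_datacenter_no_schedule": Booking("Austin", "TX", "TX", "IL",
                                         ConsentRecord(True, True, None)),
    "il_guest_full_consent": Booking("Chicago", "IL", "IL", "VA",
                                     ConsentRecord(True, True, "https://example.test/retention")),
    "out_of_scope": Booking("Austin", "TX", "TX", "VA"),
}

def evaluate_samples() -> dict:
    """Map each sample booking name to the gate's reason code."""
    return {name: facial_verification_allowed(b)[1] for name, b in SAMPLES.items()}

if __name__ == "__main__":
    for name, reason in evaluate_samples().items():
        print(f"{name}: {reason}")
```

A denied reason code is also the natural trigger point for logging the FCRA adverse-action notice described earlier, so the two obligations are handled in one place.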

The Bottom Line

Guest screening is supposed to reduce risk. But if you're using facial verification without proper consent flows and retention policies, you've created a new risk that could dwarf any property damage a bad guest might cause.

$1,000 to $5,000 per person. Thousands of guests screened. The math adds up fast.

The attorneys recruiting Airbnb users in Illinois aren't doing it for fun. They see the exposure. They know operators haven't prepared.

Don't be the case study.
