Biometric Data Privacy Laws by State

State-level biometric privacy law in the United States forms a fragmented but consequential regulatory landscape governing how organizations collect, store, use, and destroy biometric identifiers — including fingerprints, retinal scans, facial geometry, and voiceprints. No comprehensive federal biometric privacy statute exists as of 2024, leaving states as the primary legislative actors. The resulting patchwork creates compliance complexity for employers, technology vendors, healthcare providers, and any organization operating across state lines that processes biometric data from residents.


Definition and scope

Biometric data, as defined under Illinois's Biometric Information Privacy Act (BIPA, 740 ILCS 14), refers to retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or any other biological identifier used to identify an individual. This definition has served as the template for state legislation across the country, though individual states have expanded or narrowed the covered categories.

The scope of biometric privacy law extends across sectors: workforce management systems using fingerprint time clocks, retail environments deploying facial recognition, financial services using voiceprint authentication, and healthcare facilities capturing iris scans. Sector-specific provider registries list vendors across all of these industries, which reflects the breadth of organizations subject to these rules.

Jurisdictional scope is determined primarily by the residence of the data subject rather than the physical location of the collecting entity. A Texas employer collecting fingerprints from employees who are Texas residents falls under the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code § 503.001), even if the employer's servers are located elsewhere.


Core mechanics or structure

State biometric privacy statutes share a structural core built around four operational obligations: notice, consent, data handling, and destruction.

Notice requires that a collecting entity inform individuals — in writing — prior to collection that biometric data is being collected, the specific purpose for collection, and the duration of storage.

Consent obligations range from written consent before collection (Illinois BIPA) to opt-out frameworks (as used in some general consumer privacy laws that incorporate biometrics as a sensitive data category, such as the Colorado Privacy Act, C.R.S. § 6-1-1301 et seq.).

Data handling rules govern third-party disclosure. Illinois BIPA prohibits profiting from biometric data and bars disclosure without consent, except to service providers under contract (740 ILCS 14/15(c)–(d)). Washington's My Health My Data Act (ESHB 1155, enacted 2023) extends health-adjacent biometric protections with comparable third-party restrictions.

Destruction mandates require permanent deletion of biometric data within defined windows — typically 3 years after the last interaction or when the purpose for collection has been fulfilled, whichever comes first (Illinois BIPA § 15(a)).

Private rights of action distinguish Illinois BIPA from most state equivalents. Statutory damages under BIPA reach $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20). That exposure has driven a large litigation volume: more than 3,000 BIPA class action lawsuits have been filed in Illinois federal and state courts since 2010 (as tracked by the Illinois Courts).


Causal relationships or drivers

The proliferation of state biometric laws is causally linked to three structural conditions.

First, the failure of Congress to pass federal biometric legislation — including proposed measures such as the National Biometric Information Privacy Act introduced in 2020 (S. 4400, 116th Congress) — transferred regulatory momentum entirely to states, creating a competitive dynamic in which states legislate independently to fill the federal vacuum.

Second, the commercial deployment of facial recognition and fingerprint-based authentication at scale — driven by smartphone adoption and workforce management platforms — expanded the population of affected consumers to a scale that made legislative inaction electorally costly.

Third, the litigation record under Illinois BIPA demonstrated that private rights of action produce enforcement outcomes that state agency enforcement often does not. High-profile settlements — including a $650 million settlement by Facebook (now Meta) in 2021 (Patel v. Facebook, N.D. Cal.) and a $92 million settlement by TikTok — established financial exposure that accelerated corporate compliance investment and lobbying pressure on legislators in other states.



Classification boundaries

Biometric privacy statutes occupy a distinct classification within the broader consumer privacy law landscape. Three tiers are operationally significant:

Standalone biometric statutes — Illinois BIPA, Texas CUBI, Washington H.B. 1493 (2017, facial recognition for commercial purposes) — regulate only biometric data and carry independent enforcement mechanisms.

Omnibus consumer privacy laws with biometric provisions — California Consumer Privacy Act as amended by CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado CPA, Virginia Consumer Data Protection Act (Va. Code § 59.1-571 et seq.), Connecticut Data Privacy Act — classify biometrics as "sensitive data" requiring opt-in consent for processing, but enforcement is vested in the state attorney general, not in private plaintiffs.

Sector-specific laws with biometric adjacency — HIPAA (45 C.F.R. § 164) covers biometric data when it functions as a health identifier; FERPA covers biometric data collected in educational settings.

The critical classification boundary is whether a statute creates a private right of action. Illinois BIPA does. Texas CUBI does not — enforcement rests with the Texas Attorney General. Washington H.B. 1493 also does not include a private right of action. This distinction determines litigation exposure more than any other variable.


Tradeoffs and tensions

The most contested tension in state biometric law involves the scope of covered entities relative to the definitions of biometric "collection." Illinois courts have held that a vendor who receives biometric data from a client entity can itself be a "private entity" subject to BIPA — a reading that extends liability up and down supply chains (Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186).

A second structural tension exists between employee privacy interests and operational business needs. Fingerprint timekeeping systems, long used to prevent buddy-punching in manufacturing and hospitality, became primary BIPA litigation targets because employers typically failed to execute written consent agreements before deployment. The 2023 Illinois Supreme Court ruling in Cothron v. White Castle System, Inc. (2023 IL 128004) held that a separate BIPA claim accrues each time biometric data is collected or transmitted without consent — a ruling with implications for per-violation damages calculations that industry groups estimated could produce damages in the billions of dollars for a single employer.

A third tension is legislative: states with strong tech-sector lobbying have passed laws that preempt local biometric ordinances (as Texas does) or have delayed implementation timelines, while states with labor-aligned legislatures have preserved or expanded private rights of action.



Common misconceptions

Misconception: Biometric data is only regulated if stored digitally. BIPA's text does not limit its application to digital storage. Courts have held that the obligation to protect biometric data applies regardless of the storage medium.

Misconception: Compliance with HIPAA eliminates biometric privacy obligations. HIPAA's biometric de-identification standard (removal of biometric identifiers under the Safe Harbor method, 45 C.F.R. § 164.514(b)) is a data de-identification rule, not a biometric data governance framework. A covered entity that de-identifies biometric data under HIPAA may still face BIPA obligations if the data was collected from Illinois residents prior to de-identification.

Misconception: Texas CUBI mirrors BIPA in enforcement. Texas CUBI carries no private right of action. Enforcement is exclusively by the Texas Attorney General, with civil penalties up to $25,000 per violation (Tex. Bus. & Com. Code § 503.001), making the risk profile fundamentally different from Illinois.

Misconception: Facial recognition in public spaces is uniformly unregulated. Portland, Oregon enacted a city ordinance in 2020 banning private entities from using facial recognition in public-facing spaces within city limits, demonstrating that regulation operates at the municipal level in the absence of state law.


Checklist or steps (non-advisory)

The following sequence reflects the operational review structure applied when mapping biometric data practices to applicable state law:

  1. Identify data types collected — Enumerate each identifier captured (fingerprint, facial geometry, voiceprint, iris scan, gait) and confirm whether each meets the statutory definition in each relevant jurisdiction.
  2. Map collection locations to state residency — Determine the states of residence of individuals from whom biometric data is collected, not merely the state where collection infrastructure is located.
  3. Identify applicable statutory tier — Determine whether a standalone biometric statute, an omnibus privacy law's biometric provision, or a sector-specific law (HIPAA, FERPA) governs each data type and subject population.
  4. Audit consent documentation — Confirm whether written consent was obtained prior to collection; document the form and date of consent for each covered population.
  5. Review vendor and third-party agreements — Confirm data processing agreements address biometric data restrictions on disclosure, profit, and destruction.
  6. Establish retention and destruction schedules — Document the destruction window applicable under each relevant statute and confirm that automated or procedural deletion mechanisms are in place.
  7. Assess private right of action exposure — Identify jurisdictions where individuals retain a private right to sue and quantify per-violation statutory damages applicable to the collected population.
  8. Verify state-specific exemptions — Confirm whether any exemptions apply (e.g., employee exemptions under CCPA/CPRA prior to 2023, or financial institution exemptions under Gramm-Leach-Bliley-adjacent state laws).
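As an added example that is not part of this reference and not any statute's official tooling, the following Python applies the BIPA § 15(a) destruction rule (earlier of purpose fulfilled or three years after the last interaction) and the written-consent-before-collection check from steps 4 and 6 to a constructed batch of records. The record fields, the `audit` function and the sample data are assumptions made for the example; only the Illinois rule stated on this page is encoded.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Three years, the BIPA 15(a) outer limit; calendar-day approximation (assumption).
THREE_YEARS = timedelta(days=3 * 365)

@dataclass
class Record:
    # Field names are constructed for this example, not taken from any statute.
    subject_id: str
    subject_state: str                    # state of residence (step 2)
    collected_on: date
    last_interaction: date
    consent_signed_on: Optional[date]     # date of written consent, None if absent
    purpose_fulfilled_on: Optional[date] = None

def bipa_destruction_deadline(r: Record) -> date:
    """Earlier of: purpose fulfilled, or three years after last interaction."""
    by_time = r.last_interaction + THREE_YEARS
    if r.purpose_fulfilled_on is None:
        return by_time
    return min(by_time, r.purpose_fulfilled_on)

def audit(records, today: date, state: str = "IL"):
    """Findings for residents of `state`; only the Illinois rule is encoded here."""
    findings = []
    for r in records:
        if r.subject_state != state:
            continue                      # other states' windows are not on the page
        if r.consent_signed_on is None or r.consent_signed_on > r.collected_on:
            findings.append((r.subject_id, "no written consent before collection"))
        if today > bipa_destruction_deadline(r):
            findings.append((r.subject_id, "past destruction deadline"))
    return findings

# Constructed sample data: three Illinois residents and one Texas resident.
SAMPLE = [
    Record("emp-001", "IL", date(2020, 1, 6), date(2020, 3, 1), date(2020, 1, 2)),
    Record("emp-002", "IL", date(2023, 5, 1), date(2024, 2, 1), None),
    Record("emp-003", "IL", date(2022, 1, 1), date(2024, 1, 1), date(2021, 12, 20),
           purpose_fulfilled_on=date(2022, 6, 30)),
    Record("emp-004", "TX", date(2020, 1, 1), date(2020, 1, 1), None),
]
AUDIT_DATE = date(2024, 6, 1)

def audit_sample():
    return audit(SAMPLE, AUDIT_DATE)

if __name__ == "__main__":
    for subject, issue in audit_sample():
        print(subject, issue)
```

The Texas record is skipped deliberately: CUBI's retention terms are not stated on this page, so applying the Illinois window to it would be an assumption the page does not support.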

Reference table or matrix

| State | Primary statute | Biometric identifiers covered | Private right of action | Consent model | Max statutory damages |
|---|---|---|---|---|---|
| Illinois | BIPA, 740 ILCS 14 | Fingerprint, retina/iris, voiceprint, face/hand geometry | Yes | Opt-in written consent | $5,000 per intentional violation |
| Texas | CUBI, Tex. Bus. & Com. Code § 503 | Fingerprint, voiceprint, retina/iris, face/hand geometry | No (AG enforcement) | Informed consent required | $25,000 per violation (AG) |
| Washington | H.B. 1493 (facial recognition, commercial); My Health My Data Act (2023) | Face geometry; health-related biometrics | No (AG enforcement) | Notice + consent | Penalties via AG |
| California | CCPA/CPRA, Cal. Civ. Code § 1798.100 | All biometric identifiers as sensitive data | Limited (data breach; AG/CPPA for violations) | Opt-in for sensitive data | $7,500 per intentional violation (Cal. Civ. Code § 1798.155) |
| Colorado | CPA, C.R.S. § 6-1-1301 | Biometrics as sensitive data | No (AG enforcement) | Opt-in for sensitive data | $20,000 per violation (AG) |
| Virginia | VCDPA, Va. Code § 59.1-571 | Biometrics as sensitive data | No (AG enforcement) | Opt-in for sensitive data | $7,500 per violation (AG) |
| Connecticut | CTDPA, Public Act 22-15 | Biometrics as sensitive data | No (AG enforcement) | Opt-in for sensitive data | $5,000 per violation (AG) |
| New York | No standalone biometric statute; NYC Admin. Code § 22-1202 (private-sector facial recognition in commercial establishments) | Face recognition in commercial spaces (NYC only) | Yes (NYC ordinance) | Notice (signage) required | $500–$5,000 per violation |

