Biometric Data Privacy Laws by State
Biometric data privacy laws in the United States operate through a fragmented state-level framework, with no single federal statute governing the collection, storage, or commercialization of biometric identifiers such as fingerprints, retinal scans, facial geometry, and voiceprints. This page maps the active statutory landscape across US jurisdictions, identifies the structural elements common to enforceable biometric laws, and distinguishes the regulatory tiers that determine compliance obligations for organizations operating across state lines. The absence of federal preemption makes state-by-state analysis essential for any entity handling biometric data at scale.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
Biometric identifiers are physiological or behavioral characteristics that are unique to an individual and can be used for automated recognition. The Illinois Biometric Information Privacy Act (740 ILCS 14/) — the most litigated biometric statute in the US — defines biometric identifiers to include retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and biometric information derived from these identifiers. Texas and Washington adopted structurally similar definitions in their respective statutes.
The scope of state biometric laws varies substantially. Illinois covers private entities with no employee or revenue threshold. Texas's Capture or Use of Biometric Identifier Act (Texas Business & Commerce Code §503.001) applies to persons who capture biometric identifiers for commercial purposes. Washington's My Health My Data Act (ESHB 1155, 2023) expands scope to include health data that can be derived from biometric inputs. As of 2024, 3 states — Illinois, Texas, and Washington — maintain dedicated biometric privacy statutes, while states including California, Colorado, Virginia, Connecticut, and Montana address biometric data within broader comprehensive privacy laws.
The practical compliance boundary turns on whether an organization collects a biometric identifier (a raw data point) or biometric information (a processed template or derivative). Both categories trigger obligations under Illinois BIPA. This distinction is foundational to personal data classification and to sensitive data handling standards programs.
Core Mechanics or Structure
Biometric privacy statutes share four structural elements: notice requirements, written consent, retention and destruction schedules, and prohibition on sale or profit from biometric data.
Notice and Consent: Before collecting a biometric identifier, covered entities must inform the subject in writing of the specific purpose and duration of collection. Illinois BIPA at §15(b) requires a written release executed by the subject or their authorized representative. Texas requires informed consent but does not mandate written form in all circumstances.
Retention Schedules: Illinois BIPA §15(a) requires covered entities to establish and publicly disclose a written retention schedule and guidelines for permanently destroying biometric identifiers. Destruction must occur within 3 years of the last interaction with the subject or when the initial purpose is fulfilled, whichever comes first.
Prohibition on Commercialization: All three dedicated biometric statutes prohibit selling, leasing, trading, or otherwise profiting from biometric identifiers. This prohibition is absolute under Illinois BIPA and has been the basis for class action litigation resulting in settlements including the $650 million Facebook/Meta settlement in 2021 (In re Facebook Biometric Information Privacy Litigation, N.D. Cal.).
Security Standards: Illinois BIPA §15(e) requires that biometric data be stored, transmitted, and protected using the same or more protective standard as the entity uses to protect other confidential and sensitive information, benchmarked against applicable industry standards.
These mechanics interface directly with consent management frameworks and data retention and deletion policies in enterprise privacy programs.
Causal Relationships or Drivers
The proliferation of state biometric laws traces to three converging forces: the expansion of workplace biometric timekeeping, consumer-facing facial recognition in retail and entertainment, and the demonstrated inadequacy of general consumer protection law to address biometric harms.
Illinois enacted BIPA in 2008 following concerns about the commercial use of fingerprint data by financial institutions and the bankruptcy of a biometric data custodian, which left individuals with no recourse for data deletion. The absence of a federal biometric standard — unlike the federal framework for health data under HIPAA — created the regulatory vacuum that state legislatures moved to fill.
The private right of action in Illinois BIPA, which allows recovery of $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20), became the primary litigation driver. Federal courts interpreted "violation" on a per-scan, per-transmission basis following the Illinois Supreme Court's ruling in Cothron v. White Castle System, Inc. (2023), exponentially increasing potential liability exposure.
Texas and Washington statutes vest enforcement authority exclusively in the state attorney general, eliminating the private right of action that makes Illinois unique. This structural difference has suppressed litigation in those states while Illinois courts processed thousands of class filings.
The FTC has addressed biometric data through Section 5 of the FTC Act, issuing a policy statement on biometric information in 2023, signaling federal enforcement attention without creating a statutory right of action.
Classification Boundaries
Biometric privacy obligations depend on which legal category a data element falls into across applicable jurisdictions.
Dedicated Biometric Statutes apply in Illinois, Texas, and Washington as standalone laws. These impose the most specific obligations and, in Illinois's case, the most severe penalties.
Comprehensive State Privacy Laws treat biometric data as a category of sensitive personal information requiring opt-in consent: California (CPRA, Cal. Civ. Code §1798.121), Colorado (CPA, C.R.S. §6-1-1303), Virginia (VCDPA, Va. Code §59.1-578), Connecticut (CTDPA), Montana, Texas (dual coverage), and Oregon all classify biometric identifiers as sensitive data. Under these laws, processing sensitive data requires either opt-in consent or a recognized legal basis.
Sector-Specific Federal Overlaps: Biometric data collected in healthcare settings may simultaneously fall under HIPAA if the data constitutes part of a protected health record. Employment-context biometric data intersects with Equal Employment Opportunity Commission guidance on surveillance and employee privacy rights.
Exempt Categories: Photographs, physical descriptions written in text, and demographic data inferred from observation (as distinct from automated capture) generally fall outside biometric statute definitions. Security credentials that do not involve biometric capture — such as PINs or passwords — are excluded.
Tradeoffs and Tensions
The Illinois private right of action model produces the most robust enforcement but creates substantial litigation risk for small and mid-size employers that adopted biometric timekeeping without full legal review. The per-violation exposure model, confirmed post-Cothron, can produce aggregate liability disproportionate to actual harm — a tension acknowledged in legislative reform debates in Springfield that had not produced statutory amendment as of mid-2024.
Attorney general–only enforcement in Texas and Washington limits accountability when agencies lack resources to pursue widespread low-level violations. Civil society organizations have documented that this creates a deterrence gap for consumer-facing biometric applications in retail.
Opt-in consent requirements conflict with operational deployment models for facial recognition in high-throughput environments such as airports, stadiums, and transit hubs, where collecting individual written consent is logistically impractical. This tension has driven industry lobbying for standardized federal preemption. The broader framing of the federal preemption debate appears in coverage of the national privacy legislation outlook.
Biometric data's permanence — unlike a password or account number, a compromised fingerprint cannot be reissued — creates asymmetric harm that standard breach notification frameworks do not address adequately. This distinguishes it from the general data breach notification requirements landscape.
Common Misconceptions
Misconception: HIPAA covers biometric data in healthcare contexts comprehensively. HIPAA's definition of protected health information does not categorically encompass biometric identifiers unless they are linked to a patient's medical record. A hospital's employee fingerprint timekeeping system is not automatically subject to HIPAA and may instead fall under Illinois BIPA or a comparable state statute.
Misconception: Obtaining employee consent during onboarding satisfies BIPA indefinitely. Illinois BIPA requires consent to be tied to a specific, disclosed purpose and duration. Consent obtained for timekeeping cannot be repurposed for identity verification in a different operational context without a new disclosure and release.
Misconception: Anonymizing biometric data eliminates regulatory obligations. Biometric templates that have been processed or hashed but can still be used to uniquely identify an individual remain within scope of most biometric statutes. True de-identification sufficient to exit regulatory scope requires standards-level validation; see de-identification and anonymization for applicable frameworks.
Misconception: Only large technology companies face biometric law exposure. The majority of Illinois BIPA class actions have targeted mid-market employers in manufacturing, food service, and logistics sectors that deployed fingerprint timeclocks. The 2023 Illinois Supreme Court ruling in Tims v. Black Horse Carriers confirmed a 5-year statute of limitations for BIPA claims, extending the lookback window for employer liability.
Checklist or Steps
The following sequence represents the operational structure of a biometric data compliance review under applicable state statutes. It is a reference framework, not legal advice.
- Inventory biometric data touchpoints — Identify all systems that capture, store, transmit, or process biometric identifiers, including timekeeping, access control, customer authentication, and surveillance platforms.
- Map applicable state laws — For each data subject's state of residence or location of capture, determine whether a dedicated biometric statute (Illinois, Texas, Washington) or a comprehensive privacy law with biometric provisions (California, Colorado, Virginia, Connecticut, Oregon, Montana) applies.
- Audit existing consent instruments — Verify that written disclosures specify the purpose, storage duration, and any third-party disclosures. Assess whether consent forms meet the written release standard under Illinois BIPA §15(b) or the informed consent standard under Texas §503.001.
- Confirm retention and destruction schedules — Establish documented schedules providing for destruction of biometric data within 3 years of last interaction or upon fulfillment of the original purpose under Illinois standards.
- Assess third-party vendor contracts — Review data processing agreements with biometric technology vendors to confirm contractual prohibitions on secondary use, sale, or lease of biometric data. Cross-reference with vendor privacy management standards.
- Document security controls — Confirm that biometric data storage and transmission protections meet or exceed the organization's general data security standard and applicable industry benchmarks referenced in Illinois BIPA §15(e).
- Establish a subject request process — Define procedures for responding to requests for access, deletion, or information about biometric data use. Align with data subject access request and right-to-deletion protocols.
- Review and update as new statutes take effect — Monitor legislative activity in states including Maryland, New York, and Massachusetts, where biometric privacy bills have been introduced in multiple legislative sessions.
Reference Table or Matrix
| State | Statute / Provision | Biometric Definition | Private Right of Action | Penalty Range | Enforcement Body |
|---|---|---|---|---|---|
| Illinois | BIPA, 740 ILCS 14/ | Retina, iris, fingerprint, voiceprint, face/hand geometry | Yes | $1,000 (negligent) / $5,000 (intentional) per violation | Private litigants / courts |
| Texas | Bus. & Com. Code §503.001 | Retina, iris, fingerprint, voiceprint, face geometry | No | Up to $25,000 per violation | Attorney General |
| Washington | My Health My Data Act, ESHB 1155 (2023) | Biometric data as subset of consumer health data | Yes (limited) | Civil penalties via AG; private right for some violations | Attorney General / private |
| California | CPRA, Cal. Civ. Code §1798.121 | Biometric as sensitive personal information | Limited (data breach context) | Up to $7,500 per intentional violation (CPPA enforcement) | CA Privacy Protection Agency |
| Colorado | CPA, C.R.S. §6-1-1303 | Biometric as sensitive data | No | Up to $20,000 per violation | Attorney General |
| Virginia | VCDPA, Va. Code §59.1-578 | Biometric as sensitive data | No | Up to $7,500 per violation | Attorney General |
| Connecticut | CTDPA | Biometric as sensitive data | No | Up to $5,000 per violation | Attorney General |
| Montana | MCDPA, SB 384 (2023) | Biometric as sensitive data | No | Civil penalties via AG | Attorney General |
References
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/
- Texas Capture or Use of Biometric Identifier Act, Bus. & Com. Code §503.001
- Washington My Health My Data Act (ESHB 1155, 2023)
- California Privacy Rights Act (CPRA), Cal. Civ. Code §1798.121
- California Privacy Protection Agency (CPPA)
- Colorado Privacy Act (CPA), C.R.S. §6-1-1303
- [Virginia Consumer Data Protection Act (VCDPA), Va. Code §59.1-578](https://law.lis.virginia.gov/vacode/title59.1/chapter53/section