Your fingerprints, face geometry, iris patterns, and voiceprint are uniquely yours -- and unlike a password or credit card number, you cannot change them if they are compromised. As biometric technology becomes embedded in everything from smartphone unlocks to workplace time clocks, a patchwork of state laws has emerged to protect this sensitive data. Understanding these laws is essential for anyone who wants to maintain control over their most personal identifiers.
What Counts as Biometric Data?
Biometric data refers to measurable physical or behavioral characteristics used to identify individuals. The most commonly regulated types include:
- Fingerprints: Used in smartphone authentication, workplace access, and law enforcement databases
- Face geometry (faceprints): Captured by facial recognition systems in phones, airports, retail stores, and social media platforms
- Iris and retina scans: Used in high-security environments and some consumer devices
- Voiceprints: Collected by voice assistants, call centers, and banking verification systems
- Hand geometry: Used in some physical access control systems
- Gait analysis and typing patterns: Emerging behavioral biometrics used for continuous authentication
Why Biometric Data Needs Special Protection
Unlike passwords or credit card numbers, biometric identifiers are immutable. If your Social Security number is stolen, you can request a new one. If your biometric data is compromised, you cannot get a new fingerprint or a new face. This is why a growing number of states treat biometric data as a special category requiring heightened consent and security requirements.
Illinois BIPA: The Gold Standard
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, remains the strongest biometric privacy law in the country. BIPA applies to any private entity that collects, captures, purchases, or otherwise obtains biometric identifiers or biometric information from Illinois residents.
Key provisions of BIPA include:
- Written informed consent: Companies must inform individuals in writing about the specific purpose and duration of biometric data collection and obtain a written release before collecting the data
- Retention and destruction policies: Organizations must maintain a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric data
- Prohibition on profiting: Companies cannot sell, lease, trade, or otherwise profit from biometric identifiers
- Private right of action: Individuals can sue directly for violations, with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation
The private right of action is what sets BIPA apart, enabling individuals to sue directly rather than relying on state enforcement. This has led to thousands of class action filings and landmark settlements:
- Facebook (Meta) -- $650 million (2021): Facebook settled a class action involving 1.6 million Illinois residents whose facial geometry was captured through the platform's "Tag Suggestions" feature without proper consent
- Google -- $100 million (2022): Google settled claims that Google Photos' face-grouping feature violated BIPA by collecting facial geometry without consent
- Clearview AI -- approximately $51.75 million (2025): Clearview AI agreed to a settlement valued at approximately $51.75 million; under a separate ACLU settlement, it was also permanently banned from selling its facial recognition database to most private entities nationwide
In 2024, Illinois enacted reforms that shifted BIPA's damages model from a per-scan to a per-person framework. The Seventh Circuit confirmed in April 2026 that this amendment applies retroactively, significantly reducing potential damages in pending cases. Total BIPA settlements dropped from over $206 million in 2024 to approximately $136.6 million in 2025, and new filings fell from 427 to 150.
Texas CUBI: Attorney General Enforcement
The Texas Capture or Use of Biometric Identifier Act (CUBI), passed in 2009, regulates the collection of retina or iris scans, fingerprints, voiceprints, and records of hand or face geometry for commercial purposes. Key differences from BIPA include:
- No private right of action: Only the Texas Attorney General can enforce the law
- Consent need not be written: CUBI requires notice and consent but does not mandate written consent
- Penalties up to $25,000 per violation: Enforced through the AG's office
- Destruction requirement: Biometric data must be destroyed within a reasonable time, but no later than one year after the purpose for collection expires
In 2024, Texas updated its biometric regulations through the Responsible Artificial Intelligence Governance Act, which clarifies consent requirements when biometric data is collected or processed for AI systems.
Washington State Biometric Privacy Law
Washington's biometric privacy statute applies to biometric identifiers enrolled for commercial purposes -- meaning captured and stored in a database that matches the identifier to a specific individual. The law includes:
- Notice and consent requirements before enrolling biometric data
- Fines up to $7,500 per violation, enforced by the Washington Attorney General
- A broad security exception that exempts biometric data collected for security purposes
- No private right of action
New York City's Biometric Identifier Information Law
New York City's Local Law 3 of 2021 takes a different approach by targeting commercial establishments -- retail stores, restaurants, and entertainment venues -- that collect biometric data from customers. The law requires businesses to:
- Post a clear, conspicuous sign at all customer entrances disclosing the collection of biometric identifier information
- Refrain from selling, leasing, or profiting from customers' biometric data
Notably, this law does provide a private right of action. Customers can recover $500 per violation for failure to post proper notices, $500 per negligent violation of the ban on selling biometric data, and $5,000 per intentional or reckless violation of the sales prohibition.
Biometric Protections in Comprehensive State Privacy Laws
Beyond the dedicated biometric statutes, many states classify biometric data as "sensitive data" under their comprehensive privacy laws, requiring opt-in consent before collection:
- California (CCPA/CPRA): Classifies biometric data as sensitive personal information with enhanced rights
- Colorado: Amended its privacy act in 2025 to add specific biometric protections, including mandatory written retention policies, security controls, and incident response plans
- Connecticut, Virginia, Montana, Oregon, and others: Include biometric identifiers in their definitions of sensitive data requiring opt-in consent
As of 2026, twenty states have comprehensive privacy laws in effect, and most treat biometric data with heightened protections.
The SECURE Data Act: A Federal Approach
Introduced in April 2026, the SECURE Data Act (H.R. 8413) represents Congress's latest attempt to establish a federal privacy framework. If enacted, it would:
- Require opt-in consent before processing sensitive data, explicitly including biometric data processed for identification purposes
- Create a national data broker registry requiring brokers to register with the FTC and disclose their data practices
- Grant consumer rights to access, correct, and delete personal data, and to opt out of targeted advertising and data sales
- Potentially preempt state laws, replacing the current patchwork with a single federal standard
The bill's progress remains uncertain, but it signals growing federal recognition that biometric data requires specific protections.
Your Biometric Data May Already Be in Broker Databases
Data brokers collect and sell vast amounts of personal information, and biometric data does not exist in isolation from it. The same data brokers that trade your name, address, and phone number may also hold biometric-adjacent data -- photos, social media profiles with facial recognition tags, and device identifiers tied to biometric authentication. Reducing your overall data broker footprint limits the links that can be drawn between those records and your biometric identity.
Practical Steps to Protect Your Biometric Privacy
Regardless of which state you live in, you can take steps to safeguard your biometric data:
- Read biometric consent forms carefully: Before enrolling in any fingerprint or facial recognition system, understand what data is collected, how long it is stored, and who has access
- Opt out of facial recognition where possible: Disable facial recognition tagging on social media, and ask whether biometric alternatives exist at workplaces or gyms that use fingerprint scanners
- Know your state's protections: Check whether your state has a dedicated biometric law or classifies biometrics as sensitive data under its comprehensive privacy law
- Limit photo exposure online: Reduce the number of clear, front-facing photos of yourself on public profiles, which can be scraped for facial recognition databases
- Monitor for data broker exposure: Your personal data profiles on broker sites can be connected to biometric identifiers. Removing your information from data brokers reduces the overall risk
- Use biometric locks wisely: On-device biometric authentication (where the data stays on your device) is generally safer than cloud-based biometric systems
How PrivacyOn Helps Protect Your Broader Privacy
While no service can remove biometric data that has already been captured by a facial recognition company, you can reduce the surrounding personal data that makes biometric surveillance more dangerous. PrivacyOn removes your personal information -- names, addresses, phone numbers, email addresses, and family connections -- from over 100 data broker sites. By shrinking your data broker footprint, you make it harder for anyone to connect a faceprint or voiceprint back to your real identity, location, and personal details. In a landscape where biometric protections vary widely from state to state, proactive data removal is one of the most effective steps you can take today.