Biometric Data Protection Laws by State
Biometric data, meaning fingerprints, facial geometry, iris scans, voiceprints, and similar physiological or behavioral identifiers, occupies the most sensitive tier of personal data regulated under US law. Unlike a password or account number, a biometric identifier cannot be reissued after a breach. This page maps the state-level statutory landscape governing biometric data collection, storage, consent, and enforcement: the states with enacted legislation, the structural differences between those laws, and the decision boundaries that determine which framework applies to a given organization or dataset. The broader reference on US data protection laws supplies the federal and cross-sectoral context in which biometric regulation sits.
Definition and scope
Biometric data, for statutory purposes, refers to measurable biological or behavioral characteristics that can identify a specific individual. State laws diverge on exactly which modalities qualify. Illinois' Biometric Information Privacy Act (BIPA), 740 ILCS 14, defines "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and separately defines "biometric information" as any information based on such an identifier that is used to identify an individual. Texas' Capture or Use of Biometric Identifier Act (CUBI), Texas Business & Commerce Code § 503.001, and Washington's biometric identifier statute, chapter 19.375 RCW (enacted 2017), use comparable definitions. Washington's later My Health My Data Act (2023, chapter 19.373 RCW) additionally treats biometric data as consumer health data within a broader health data statute.
Photographs, physical descriptions, and demographic data generally fall outside biometric identifier definitions; BIPA explicitly excludes writing samples, written signatures, and photographs. This exclusion matters for organizations that process security-camera footage: storing raw video does not by itself trigger BIPA, but running facial recognition that derives a scan of face geometry from that footage does.
As of 2024, the states with standalone biometric statutes are Illinois, Texas, and Washington. A wider group of states, including California, Colorado, Virginia, Connecticut, and Utah, address biometric data as a sensitive data category within their general consumer privacy frameworks rather than through dedicated biometric statutes. Colorado, Virginia, and Connecticut require opt-in consent before processing; Utah instead requires notice and an opportunity to opt out, and California gives consumers a right to limit the use and disclosure of sensitive personal information.
How it works
The structural mechanism of biometric data laws operates through four phases:
- Notice: The collecting entity must inform individuals, in writing or through a publicly available policy, that biometric data is being collected, the specific purpose, and the length of time it will be collected, stored, and used. BIPA requires this notice before or at the time of collection (740 ILCS 14/15(b)).
- Consent: Collection requires a written release from the individual or, for a minor, from the minor's legally authorized representative. Texas CUBI and Washington's biometric statute likewise condition capture on notice and consent, though neither creates a private right of action; enforcement rests with each state's Attorney General.
- Retention and destruction: BIPA mandates destruction once the initial purpose for collection has been satisfied or within 3 years of the individual's last interaction with the entity, whichever comes first (740 ILCS 14/15(a)). Note that the clock runs from the last interaction, not from the date of collection. Organizations must maintain a publicly available written retention schedule and destruction guidelines; a missing or deficient schedule is one of the most commonly litigated compliance gaps.
- Prohibition on sale or profit: BIPA prohibits selling, leasing, trading, or otherwise profiting from biometric identifiers or biometric information (740 ILCS 14/15(c)). Texas CUBI contains a parallel prohibition on sale, lease, or disclosure outside its enumerated exceptions. California's CPRA, while not a biometric-specific statute, classifies biometric data processed to uniquely identify a consumer as sensitive personal information and gives consumers a right to limit its use and disclosure; see the CCPA/CPRA compliance reference for the California-specific mechanics.
A key structural contrast: among the dedicated biometric statutes, only Illinois BIPA carries a private right of action, allowing individuals to sue for liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, or actual damages if greater (740 ILCS 14/20). A 2024 amendment (Senate Bill 2979, signed August 2024) provides that repeated collection of the same person's identifier by the same method counts as a single violation, and that an electronic signature satisfies the written-release requirement. Texas CUBI and Washington's RCW 19.375 channel enforcement exclusively through the Attorney General, which produces fundamentally different litigation exposure profiles for covered entities.
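The four phases above translate directly into a small piece of compliance engineering: a collection gate and a destruction deadline. The following is an added illustration, not code from any statute, regulator, or vendor; the record layout, field names, and sample identifiers and dates are assumptions made for the example. It refuses to store an identifier without recorded notice and a written release, computes the BIPA-style deadline as the earlier of purpose fulfilled or three years after the last interaction (not after collection), and lists records held past that deadline.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Added illustration, not code from any statute, regulator or vendor. The
# "earlier of purpose fulfilled or 3 years after last interaction" rule follows
# 740 ILCS 14/15(a); the notice plus written-release gate follows 15(b).
# Record layout, names and sample dates are assumptions for this example.

RETENTION_YEARS = 3


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a Feb 29 start lands on Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Enrollment:
    subject_id: str
    modality: str                 # e.g. "fingerprint", "face_geometry"
    purpose: str                  # the specific purpose stated in the notice
    collected_on: date
    last_interaction: date        # last contact between subject and entity
    notice_given: bool            # written notice delivered before/at collection
    written_release: bool         # signed release (guardian's release for a minor)
    purpose_fulfilled_on: Optional[date] = None
    destroyed_on: Optional[date] = None


def can_enroll(rec: Enrollment) -> bool:
    """Storage is only permitted once notice and a written release both exist."""
    return rec.notice_given and rec.written_release


def destroy_by(rec: Enrollment) -> date:
    """Destruction deadline: the earlier of purpose fulfilled or 3 years after
    the last interaction. The window runs from last interaction, not collection."""
    deadline = add_years(rec.last_interaction, RETENTION_YEARS)
    if rec.purpose_fulfilled_on is not None:
        deadline = min(deadline, rec.purpose_fulfilled_on)
    return deadline


def overdue(records: List[Enrollment], today: date) -> List[Enrollment]:
    """Records still held on or after their destruction deadline."""
    return [r for r in records if r.destroyed_on is None and destroy_by(r) <= today]


# Constructed sample ledger (fictional identifiers and dates).
SAMPLE_LEDGER = [
    Enrollment("emp-001", "fingerprint", "timekeeping", date(2021, 1, 10),
               date(2021, 6, 1), True, True),
    Enrollment("emp-002", "hand_geometry", "timekeeping", date(2022, 9, 5),
               date(2023, 3, 15), True, True, purpose_fulfilled_on=date(2023, 4, 1)),
    Enrollment("emp-003", "face_geometry", "door_access", date(2024, 2, 1),
               date(2024, 2, 29), True, True),
]

# A request with notice but no signed release must be refused, not stored.
REJECTED_REQUEST = Enrollment("emp-004", "fingerprint", "timekeeping",
                              date(2024, 8, 1), date(2024, 8, 1), True, False)


if __name__ == "__main__":
    today = date(2024, 9, 1)
    print("enroll emp-004:", can_enroll(REJECTED_REQUEST))
    for r in SAMPLE_LEDGER:
        print(r.subject_id, "destroy by", destroy_by(r))
    print("overdue:", [r.subject_id for r in overdue(SAMPLE_LEDGER, today)])
```

Run stand-alone, the script reports that emp-004 cannot be enrolled, that emp-002's deadline is driven by its fulfilled purpose rather than the three-year window, that emp-003's leap-day last interaction yields a 2027-02-28 deadline, and that emp-001 and emp-002 are overdue on 2024-09-01. A production ledger would also log the destruction event itself, since the publicly available retention schedule is what auditors and plaintiffs compare against actual practice.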
Common scenarios
Biometric data statutes most frequently engage with the following operational situations:
- Workplace timekeeping: Employers using fingerprint or hand-geometry scanners for employee time-and-attendance systems were the earliest major BIPA litigation target. The Illinois Supreme Court's ruling in Rosenbach v. Six Flags (2019) confirmed that a technical statutory violation, even without tangible harm, makes a person "aggrieved" and able to bring a BIPA claim.
- Retail facial recognition: Retailers deploying facial recognition for loss-prevention purposes must satisfy notice, consent, and retention requirements in Illinois and Washington. A facial recognition deployment in a Texas store without the required notice and consent triggers CUBI enforcement authority in the Texas Attorney General's office.
- Healthcare biometric identifiers: Healthcare facilities using fingerprint or iris authentication for patient record access must coordinate biometric compliance with HIPAA data protection requirements, which govern the same underlying patient records but do not substitute for state biometric law obligations outside BIPA's HIPAA carve-out.
- Financial sector access controls: Banks and financial institutions using voice biometrics for customer authentication must check the sectoral carve-outs before assuming state biometric law applies: BIPA does not apply to financial institutions subject to Title V of the Gramm-Leach-Bliley Act (740 ILCS 14/25(c)), and Texas CUBI exempts voiceprint data retained by a financial institution or its affiliates (§ 503.001(c-1)). Where no exemption applies, state biometric obligations stack on top of GLBA's data protection requirements.
- Consumer device enrollment: Mobile applications or consumer devices collecting facial geometry or fingerprints for authentication face the broadest compliance surface. Apps distributed nationally must satisfy BIPA for Illinois residents, Texas CUBI for Texas residents, and the sensitive-data consent provisions of any general state privacy law covering the rest of the user base.
Decision boundaries
Determining which biometric framework applies requires resolving four threshold questions:
1. Where is the individual located?
State biometric statutes attach to the data subject and to where the collection takes place, not to the collecting entity's headquarters. An organization headquartered in California that collects fingerprints from its Illinois employees is subject to BIPA for those employees. Courts have, however, limited BIPA to conduct occurring primarily and substantially in Illinois, so the location of the collection itself, not residency alone, is what matters.
2. Does a dedicated biometric statute apply, or a general consumer privacy law?
Illinois, Texas, and Washington have biometric-specific statutes with distinct obligations. California, Colorado, Virginia, Connecticut, and Utah treat biometric data as sensitive personal information under their general state data privacy laws: Colorado, Virginia, and Connecticut require opt-in consent, Utah requires notice and an opt-out, and California provides a right to limit use and disclosure. None of them impose the retention-schedule or destruction mandates found in BIPA.
3. Does a sectoral exemption apply?
BIPA's definitions exclude information captured from a patient in a health care setting and information collected, used, or stored for treatment, payment, or operations under HIPAA (740 ILCS 14/10), and the Act does not apply to financial institutions subject to Title V of the Gramm-Leach-Bliley Act (740 ILCS 14/25(c)). These exemptions are narrow and have been litigated; the HIPAA carve-out does not extend to every healthcare-adjacent biometric use.
4. Does the private right of action apply?
Only Illinois BIPA gives individual plaintiffs standing to sue. Texas CUBI and Washington RCW 19.375 violations are enforceable only by the respective state Attorneys General, with civil penalties of up to $25,000 per violation under Texas CUBI (Texas Business & Commerce Code § 503.001(d)). This structural difference directly affects litigation risk assessment, insurance requirements, and the priority organizations assign to compliance programs. Organizations tracking data protection penalties and enforcement patterns should distinguish attorney-general-only enforcement regimes from statutes with embedded private rights of action: class action exposure under BIPA has produced settlements exceeding $100 million in cases involving large user or worker populations.
References
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14
- Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001
- Washington Biometric Identifiers statute, RCW Chapter 19.375
- Washington My Health My Data Act, RCW Chapter 19.373
- California Privacy Rights Act (CPRA) — California Attorney General
- NIST Privacy Framework, Version 1.0
- FTC — Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies
- Illinois Supreme Court — Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186