Biometric Data Protection Laws by State

Biometric data protection law in the United States operates through a patchwork of state-level statutes rather than a single federal framework, creating compliance obligations that vary significantly by jurisdiction. This page maps the legislative landscape across states that have enacted dedicated biometric privacy laws, identifies the core structural elements common to those regimes, and outlines the decision points that determine which law — or combination of laws — applies to a given organization or data practice. The stakes are substantial: Illinois' Biometric Information Privacy Act (BIPA) alone has generated class-action litigation exposing defendants to statutory damages that aggregate into the hundreds of millions of dollars.


Definition and scope

Biometric data, under the statutes that govern it, refers to physiological or behavioral characteristics that can be used to identify an individual. Illinois' Biometric Information Privacy Act (740 ILCS 14) defines biometric identifiers to include retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry, and separately defines biometric information as information derived from those identifiers. Texas' Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001) and Washington's My Health My Data Act (SB 1155, 2023) each define the category similarly but with structural differences in enforcement and covered entities.

Scope varies along two primary axes: the type of data collected and the type of entity collecting it. BIPA applies to private entities — not state or local government agencies — operating in Illinois or collecting data from Illinois residents. Texas law applies to persons who capture biometric identifiers "for a commercial purpose." The California Consumer Privacy Act (CCPA), as amended by Proposition 24 (the California Privacy Rights Act, CPRA), folds biometric data into its broader "sensitive personal information" category, which carries opt-in consent requirements rather than the standalone private right of action found in Illinois.

As of 2024, at least 5 states — Illinois, Texas, Washington, Colorado, and Montana — have enacted laws with explicit biometric provisions. The Illinois law remains the most litigated and the most structurally specific, setting the de facto benchmark against which other states' frameworks are measured.


How it works

State biometric privacy statutes generally operate through a four-phase compliance structure:

  1. Notice — The covered entity must inform the individual, in writing, that biometric identifiers or biometric information are being collected or stored, and must state the specific purpose and duration of collection.
  2. Consent — Written consent (or, under CPRA, opt-in consent for sensitive data) must be obtained before collection occurs. Illinois requires a signed release; Texas requires only that the person be informed and given an opportunity to prohibit capture.
  3. Retention and destruction schedule — BIPA (740 ILCS 14/15(a)) mandates that entities develop a publicly available written policy establishing a retention schedule and guidelines for permanent destruction. Data must be destroyed when the initial purpose is fulfilled or within 3 years of the individual's last interaction, whichever occurs first.
  4. Prohibition on sale or profit — All major state statutes prohibit selling, leasing, trading, or otherwise profiting from biometric identifiers. This distinguishes biometric data from general personal data under statutes like California's CCPA, which permits certain data transactions as long as the consumer's opt-out rights remain intact.

The National Institute of Standards and Technology (NIST) Privacy Framework provides a voluntary governance reference that organizations use to operationalize these statutory requirements into internal data management practices, though the Framework itself carries no enforcement authority.


Common scenarios

Workplace time-and-attendance systems — Employers using fingerprint or facial recognition for timekeeping operate under BIPA if any employee resides or works in Illinois, regardless of the employer's headquarters. This is the dominant BIPA litigation scenario, with class actions certified against employers in manufacturing, retail, and healthcare.

Healthcare and clinical settings — Retinal scans or fingerprint verification for electronic health record access intersect with both state biometric statutes and HIPAA's Security Rule. Where biometric data is used as an authentication mechanism for protected health information, both regulatory regimes apply in parallel.

Retail facial recognition — Stores deploying facial recognition for loss prevention in Illinois must comply with BIPA's consent and notice provisions. Texas retailers face similar obligations under Tex. Bus. & Com. Code §503, though Texas enforcement is limited to the state Attorney General, unlike Illinois' private right of action.

Financial services identity verification — Firms using voiceprint or facial geometry for customer authentication face layered obligations: state biometric law where applicable, federal financial privacy rules under the Gramm-Leach-Bliley Act (GLBA), and, for certain consumer reporting functions, the Fair Credit Reporting Act (FCRA).



Decision boundaries

The threshold questions that determine applicable law follow a defined logic:

Illinois vs. Texas vs. Washington — Illinois is the only state with a private right of action for biometric privacy violations, creating statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20). Texas and Washington vest enforcement authority exclusively in the state Attorney General, with no individual plaintiff standing.

Biometric-specific law vs. general privacy law — California's CPRA treats biometric data as sensitive personal information within its general consumer privacy statute, not under a standalone biometric-specific act. This means CPRA's administrative enforcement through the California Privacy Protection Agency (CPPA) applies rather than a separate biometric enforcement body.

Exemption analysis — All major state statutes contain exemptions for data covered by HIPAA, financial regulatory frameworks, and specific governmental uses. An organization subject to HIPAA for its clinical biometric data may fall outside the state statute for that subset while remaining fully subject to it for non-clinical applications.

Residency vs. collection geography — Whether jurisdiction attaches based on where the data subject resides, where collection physically occurs, or where the collecting entity operates varies by statute. Illinois courts have applied BIPA extraterritorially where the individual's biometric data was collected in Illinois, even by an out-of-state company.

