Not All Biometric Privacy Laws Are Created Equal
23 states passed or expanded biometric privacy laws by 2025.[1] But the protections vary wildly.
Illinois lets you sue for $5,000 per violation. Texas requires consent but you can't sue - only the Attorney General can. California includes biometric data as "sensitive" but enforcement is weak.[2][3]
Your face, fingerprints, and iris scans are worth protecting. This guide breaks down which states actually do.
🗺️ The Three Tiers of Protection
Tier 1: Standalone Biometric Laws
3 states with dedicated biometric privacy statutes
- Illinois (strongest)
- Texas
- Washington
These laws specifically target biometric data collection with strict requirements.
Tier 2: Comprehensive Privacy Laws
20+ states classify biometric data as "sensitive data"
- Colorado, California, Virginia
- Delaware, New Jersey, Oregon
- And 14 more states
Biometric data gets extra protections under broader privacy frameworks.
Tier 3: Specific Use Restrictions
City and employment-specific laws
- New York City (commercial use)
- Portland (facial recognition ban)
- Maryland, NY State (employers)
Limited scope but strong protections for specific contexts.
⚖️ Tier 1: The Heavy Hitters (Standalone Laws)
Illinois: The Gold Standard (BIPA)
Law: Biometric Information Privacy Act (740 ILCS 14/1)[4]
Effective: October 3, 2008
Why it matters: The only biometric law with a strong private right of action
What BIPA Requires:
- Written policy: Published retention schedule and data destruction guidelines
- Written consent: Not just digital opt-in - actual written release
- No data sales: Can't sell or profit from biometric data
- Security standards: Must protect biometric data at least as well as other confidential info
What You Can Do:
- Sue directly: Private right of action - you don't need the state
- $1,000 per negligent violation
- $5,000 per intentional/reckless violation
- Attorney fees: Company pays your lawyer if you win
Real impact: Since 2019, over 1,500 BIPA lawsuits have been filed. Facebook paid $650 million (2020). Separately, Meta paid $1.4 billion to Texas in 2024 under CUBI.[2]
2024 Amendment Weakens BIPA: August 2024 changes (SB2979) limit liability to a single recovery per violation instead of a "per scan" basis, eliminating the per-scan multiplication of statutory damages, and allow electronic signatures as valid consent.[5]
Texas: Consent Required, But You Can't Sue (CUBI)
Law: Capture or Use of Biometric Identifier Act (TEX. BUS. & COM. CODE § 503.001)[6]
Effective: September 1, 2009
The catch: No private right of action
What CUBI Requires:
- Notice: Inform before capturing biometric data
- Consent: Get permission before collection
- Destruction: Delete within one year after purpose satisfied
- No sales: Can't sell biometric identifiers without consent
What You Can't Do:
- Sue directly: Only Texas Attorney General can enforce
- Civil penalties: Up to $25,000 per violation - but paid to state, not you
July 2024: Texas AG announced $1.4 billion settlement with Meta for alleged CUBI violations - the largest biometric privacy settlement ever.[2]
June 2025: Texas enacted an AI law outlawing biometric collection without permission.[1]
Washington: Similar to Texas, Plus Health Data Protections
Law: Biometric Privacy Protection Act (WASH. REV. CODE §§ 19.375.010)[7]
Effective: July 23, 2017
Added layer: My Health My Data Act (effective March 31, 2024) covers biometric data[7]
What Washington Requires:
- Notice and consent: Before enrolling biometric identifiers for commercial purposes
- Security safeguards: Reasonable protection standards
- No data sales: Without consent
Enforcement:
- Attorney General only: No private lawsuits
- Some private action: California and Washington allow residents to sue in certain cases[1]
🏛️ Tier 2: Comprehensive Privacy Laws (20+ States)
These states classify biometric data as "sensitive data" requiring consent before processing. They don't have standalone biometric laws, but offer meaningful protections.
Effective Now
- California - CCPA/CPRA
- Virginia - VCDPA
- Connecticut - CTDPA
- Utah - UCPA (Dec 31, 2023)
- Oregon - OCPA (July 1, 2024)
- Montana - MCDPA
- Florida - Big Tech focus
Effective 2025
- Colorado - July 1, 2025[8]
- Delaware - Jan 1, 2025[9]
- New Jersey - Jan 15, 2025[9]
- Iowa - Jan 1, 2025
- Nebraska - Jan 1, 2025
- New Hampshire - Jan 1, 2025
- Minnesota - July 31, 2025[10]
- Tennessee - July 1, 2025[10]
- Maryland - Oct 1, 2025[10]
Effective 2026
- Rhode Island - Jan 1, 2026[11]
- Indiana - Jan 1, 2026[12]
- Kentucky - 2026[10]
Colorado: The Strongest Tier 2 Law
Effective: July 1, 2025[8]
Why it stands out: Colorado's 2024 amendments align closest to Illinois BIPA
Requirements:
- Written consent: Required before collecting biometric data
- Retention schedule: Written policy mandated
- Data security: Protocol for responding to breaches
- Transparency: Disclose how biometric data is collected, used, and shared
- No sales: Prohibits selling biometric data
The catch: No private right of action - Attorney General enforcement only[8]
Delaware: Strong Consent Requirements
Law: Delaware Personal Data Privacy Act (DPDPA)[9]
Effective: January 1, 2025
Biometric protections: Genetic or biometric data classified as sensitive
Requirement: Explicit consent required before processing biometric data
New Jersey: Similar to Delaware
Law: New Jersey Data Privacy Act (NJDPA)[9]
Effective: January 15, 2025
Definition: "Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual"
Requirement: Consumer consent required
Oregon: One of the Strongest
Law: Oregon Consumer Privacy Act (OCPA)[13]
Effective: July 1, 2024
Status: "One of the strongest data privacy laws passed to date"
Protections: Biometric data, sensitive and personal data, children's data
Requirement: Opt-in before companies collect face, eye, and voice data[1]
California: Broad but Weak Enforcement
Law: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Status: Expressly governs processing of biometric information
Enforcement: Allows residents to sue in certain cases[1]
The problem: Complex requirements, limited enforcement resources
Virginia & Connecticut: AG Enforcement Only
Similarity: Both classify biometric data as sensitive
Limitation: Enforcement through state attorneys general only - no private lawsuits[1]
Iowa: Weakest Tier 2 Law
Law: Iowa Consumer Data Protection Act (ICDPA)[13]
Effective: January 1, 2025
Weakness: "One of the most business-friendly" laws with weaker data protections
Missing right: Doesn't grant consumers the right to delete or correct data collected by third parties
🏙️ Tier 3: City and Employment-Specific Laws
New York City
Law: Biometric Identifier Information Law (Administrative Code, Title 22, Chapter 12)[7]
Effective: July 9, 2021
Requirements:
- Clear signage disclosing biometric collection
- Cannot sell or profit from customer biometric data
Penalties:
- $500 per negligent violation
- $5,000 per intentional violation
- Plus reasonable attorney fees
Limitation: No automatic private right of action for just collecting biometric data. No requirement for written consent like BIPA.[14]
Portland, Oregon
Law: Portland City Code, Title 34[7]
Focus: Facial recognition ban
Prohibition: Bars facial recognition use in places of public accommodation by private entities
Damages: $1,000 per day for violations[7]
Maryland: Employer Protections
Law: Labor and Employment Code § 3-717[7]
Prohibition: Employers cannot use facial recognition service during job interviews without applicant consent
Scope: Employment context only
New York State: Employment Fingerprint Restrictions
Law: N.Y. LAB. LAW § 201-a[7]
Rule: Restricts employer fingerprint requirements as condition of employment
Exception: Unless provided by other laws
📜 Pending Legislation: What's Coming
States with Proposed Biometric Privacy Laws
New York State (S.B. 1422): Introduced January 9, 2025. Would create Illinois BIPA-like state law. Includes retina/iris scans, fingerprints, voiceprints, hand/face geometry.[14]
Michigan (S.B. 359): Proposed June 2025. Would define biometric data as automatic measurements of biological characteristics including fingerprints, voiceprints, eye retinas, irises. Not yet enacted.[12]
Missouri (S.B. 554, H.B. 407, H.B. 500): Creates "Biometric Data Privacy Act" with requirements for private entities and cause of action.[15]
Massachusetts (H.D. 3523, S.D. 1455): Companion bills to regulate biometric data processing. S.B. 2204 would provide $5,000 minimum statutory damages similar to BIPA.[7][15]
Pennsylvania (H.B. 596): Requires retail and entertainment venues to disclose biometric collection via signage.[7]
Nebraska (L.B. 204): Would prohibit requiring biometric data submission; requires consent and retention policies.[7]
🔍 What Counts as "Biometric Data"?
Always Included
- Fingerprints
- Hand geometry/palm prints
- Retina/iris scans
- Facial geometry/face scans
- Voiceprints
- DNA/genetic information
Sometimes Included
- Gait analysis
- Keystroke patterns
- Voice recordings (vs voiceprints)
- Behavioral biometrics
- Heart rate patterns
- Ear shape
Usually Excluded
- Photos/videos (if not analyzed)
- Audio recordings (if not analyzed)
- Writing samples
- Physical descriptions
- Demographic data
Key distinction: Rhode Island specifically excludes "digital or physical photographs or audio or video recordings" from biometric data definition.[11]
Illinois proposed expansion: H.B. 2984 would include "neural data" as biometric identifier.[7]
⚡ The Enforcement Gap: Who Can Actually Stop Violations?
Private Right of Action (You Can Sue)
States:
- Illinois (strongest)
- New York City (limited)
- California, Washington (certain cases)
Why it matters: Don't need to wait for government action. Lawyers work on contingency.
Attorney General Only
States:
- Texas, Washington (primary)
- Colorado, Virginia, Connecticut
- Most Tier 2 states
The problem: Limited resources. Enforcement is political. Companies know odds are low.
Real-World Impact
Illinois (with private action):
- 1,500+ lawsuits since 2019
- $650M Facebook settlement
- Companies actually comply
Other states:
- Handful of AG actions
- Limited settlements
- Widespread non-compliance
💼 What These Laws Actually Protect (Real Examples)
Time Clocks and Employee Tracking
Scenario: Your employer requires fingerprint scan to clock in/out
Protected in Illinois: Company must get written consent, post retention policy, and faces $1,000-$5,000 per scan if they don't. You can sue directly.[4]
Protected in Texas: Company needs consent and must delete within a year. But only Texas AG can enforce.[6]
Protected in Colorado (July 2025): Written consent required, but no private lawsuit.[8]
Not protected in most states: Company can require it as condition of employment
Facial Recognition at Stores and Venues
Scenario: Store uses facial recognition to track shoppers or identify shoplifters
Protected in NYC: Must post clear signage. Can't sell your facial data. You can sue for $500-$5,000 per violation.[7]
Banned in Portland: Private entities can't use facial recognition in public accommodations. $1,000/day penalty.[7]
Protected in Illinois, Texas, Washington: Need consent before collecting facial geometry
Protected in Tier 2 states: If law is in effect, facial data is "sensitive" requiring consent
Social Media Photo Tagging
Scenario: Facebook/Instagram suggests tagging friends using face recognition
Illinois: Facebook paid $650 million in 2020 for BIPA violations related to facial recognition tagging[2]
Texas: Meta paid $1.4 billion in 2024 for CUBI violations[2]
Other states: Generally protected under Tier 2 laws if facial recognition creates unique biometric template
Gym Membership and Access Control
Scenario: Gym uses fingerprint or face scan for entry
Protected in Illinois: Multiple gyms sued under BIPA for fingerprint scanners without proper consent
Protected in states with laws: Generally requires consent and retention policy
The catch: You might have to choose between giving consent or not using the gym
Voice Assistants and Smart Home Devices
Scenario: Alexa, Siri, Google Assistant storing voiceprints
Legal gray area: Depends if voice recordings become "voiceprints" (unique biometric templates)
Illinois approach: If unique voiceprint is created and stored, BIPA applies
Most state laws: Require consent for voiceprint creation
🛡️ How to Use These Laws to Protect Yourself
If You Live in Illinois
- Know your rights: Any biometric collection requires written consent and retention policy
- Read before signing: Look for BIPA consent forms (usually separate from main agreement)
- Check retention policies: Company must post how long they keep data and when they delete it
- Document violations: Save emails, take photos of missing disclosures
- Find a lawyer: Many BIPA lawyers work on contingency (you don't pay unless you win)
- Act fast: Claims typically must be filed within 1-5 years of violation
If You Live in Texas or Washington
- Look for consent requests: Companies should ask before collecting biometric data
- Document violations: Take screenshots, save communications
- File AG complaint: Contact state Attorney General with evidence
- Don't expect lawsuits: You can't sue directly, only the AG can
- Consider moving data out of state: For critical services, use providers in states with stronger laws
If You Live in Colorado (After July 1, 2025)
- Expect consent requests: Written consent required for biometric collection
- Ask about retention: Companies must have written policy
- File AG complaint: If company violates requirements
- Leverage the law: Even without private lawsuits, companies face regulatory risk
If You Live in Tier 2 States
- Check effective date: Know when your state's law kicks in
- Opt out when possible: Even with consent requirements, opting out is better
- Read privacy policies: Look for "sensitive data" or "biometric" sections
- File complaints: Most states have AG or privacy enforcement office
- Use Illinois/Texas companies: If given choice, pick vendors subject to stronger laws
If Your State Has No Law
- Avoid biometric services: Use passwords, PINs, physical keys instead
- Check company policies: Some voluntarily follow BIPA standards everywhere
- Opt out of facial recognition: Request manual review at airports, stores
- Use cash: Avoid biometric payment systems
- Contact legislators: Push for state biometric privacy law
- Consider relocation: For high-risk professions, state choice matters
⚠️ The Loopholes and Exemptions
What These Laws DON'T Protect
Government use: Most biometric privacy laws only apply to private companies. Police, TSA, immigration can still use facial recognition without consent in many states.
National security exemptions: Federal agencies often exempt from state laws
Photos and videos (sometimes): If not analyzed for biometric templates, regular photos/videos often excluded[11]
Employment requirements: In some states, employers can make biometric data a condition of employment (though they still need consent)
Security purposes: Some proposed laws would exempt vehicle safety tech, autonomous vehicles, security systems[7]
Small businesses: Some state laws only apply above revenue/data thresholds
Pre-existing data: Laws typically aren't retroactive - data collected before effective date may be grandfathered
🔮 What's Coming: The Future of Biometric Privacy
More States Adopting Laws
Expect 10+ more states to pass comprehensive privacy laws with biometric protections by 2026.
States actively considering: New York, Michigan, Missouri, Massachusetts, Pennsylvania[7][15]
Federal Preemption Risk
Congress could pass weak federal biometric law that overrides strong state protections.
Watch for industry lobbying to cap damages and eliminate private rights of action.
Weakening Existing Laws
Illinois already weakened BIPA in August 2024.[5]
Proposed Illinois amendments would exempt time clocks, vehicle safety tech, autonomous vehicles.[7]
Companies lobby every session to carve out exemptions.
Neural Data: The Next Frontier
Illinois H.B. 2984 proposes adding "neural data" to biometric identifiers.[7] This would cover:
- Brain-computer interfaces
- EEG data
- Neural patterns
- Thought recognition technology
As brain-reading tech advances, expect biometric laws to expand beyond physical characteristics.
📊 By the Numbers: What Actually Happens
Litigation (Illinois BIPA)
- 1,500+ lawsuits since 2019[2]
- $650M Facebook settlement (2020)[2]
- $1,000-$5,000 per violation
- Most settle to avoid precedent
AG Enforcement (Texas)
- $1.4B Meta settlement (2024)[2]
- Up to $25,000 per violation[6]
- Few total actions
- Limited resources
Compliance Reality
- High in Illinois: Companies fear lawsuits
- Medium in TX/WA: Major companies comply
- Low in Tier 2: Many ignore requirements
- None elsewhere: No law, no compliance
🎯 The Bottom Line
23 states have some biometric privacy protection. Only 3 give you real power.
Illinois is the gold standard: Written consent, retention policies, and you can sue for $1,000-$5,000 per violation. Over 1,500 lawsuits prove it works. Facebook paid $650 million. Even with 2024 amendments weakening it, BIPA still has teeth.
Texas and Washington require consent but you can't sue. Only the Attorney General can enforce. Texas got $1.4 billion from Meta, but that's rare. Most violations go unpunished.
20+ states with comprehensive privacy laws classify biometric data as "sensitive." Colorado (July 2025) is strongest. Delaware and New Jersey (early 2025) require explicit consent. But without private lawsuits, enforcement is weak.
The rest of the country? Nothing. Companies can collect your face, fingerprints, and DNA without asking.
If you have a choice, live in Illinois. If not, check your state's effective date. File complaints when companies violate. Push for stronger laws. And whenever possible, opt out.
Your face is yours. Most states just don't protect it yet.
📚 References
- [1] NPR - 23 states pass laws regulating facial and biometric data (August 2025)
- [2] Illinois Business Law Journal - BIPA vs. CUBI Comparative Analysis (August 2024)
- [3] Epstein Becker Green - Biometric Backlash: Rising Wave of BIPA Litigation
- [4] Illinois General Assembly - Biometric Information Privacy Act (740 ILCS 14/)
- [5] Faegre Drinker - Illinois amends BIPA to limit damages (August 2024)
- [6] BCLP - U.S. Biometric Laws & Pending Legislation Tracker (2025)
- [7] BCLP - State-by-state biometric law details and pending legislation
- [8] NPR - Colorado biometric law requirements (July 2025)
- [9] Eye On Privacy - 5 State Privacy Laws Effective January 2025
- [10] BigID - 8 State Privacy Laws Going into Effect in 2025
- [11] Moore & Van Allen - Rhode Island Data Transparency and Privacy Protection Act
- [12] White & Case - Indiana becomes seventh state with comprehensive privacy law
- [13] Benesch Law - Privacy Points: 2024 Recap and 2025 Outlook
- [14] NY State Senate - Bill S1422: Biometric Privacy Act (2025)
- [15] Missouri Senate - SB554 Biometric Information Privacy Act (2025)