23 States Now Have Biometric Privacy Laws: Here's What Protects You (And What Doesn't)

Not All Biometric Privacy Laws Are Created Equal

23 states passed or expanded biometric privacy laws by 2025.[1] But the protections vary wildly.

Illinois lets you sue for $5,000 per violation. Texas requires consent but you can't sue - only the Attorney General can. California includes biometric data as "sensitive" but enforcement is weak.[2][3]

Your face, fingerprints, and iris scans are worth protecting. This guide breaks down which states actually do.

🗺️ The Three Tiers of Protection

Tier 1: Standalone Biometric Laws

3 states with dedicated biometric privacy statutes

  • Illinois (strongest)
  • Texas
  • Washington

These laws specifically target biometric data collection with strict requirements.

Tier 2: Comprehensive Privacy Laws

20+ states classify biometric data as "sensitive data"

  • Colorado, California, Virginia
  • Delaware, New Jersey, Oregon
  • And 14 more states

Biometric data gets extra protections under broader privacy frameworks.

Tier 3: Specific Use Restrictions

City and employment-specific laws

  • New York City (commercial use)
  • Portland (facial recognition ban)
  • Maryland, NY State (employers)

Limited scope but strong protections for specific contexts.

⚖️ Tier 1: The Heavy Hitters (Standalone Laws)

Illinois: The Gold Standard (BIPA)

Law: Biometric Information Privacy Act (740 ILCS 14/1)[4]

Effective: October 3, 2008

Why it matters: The only biometric law with a strong private right of action

What BIPA Requires:

  1. Written policy: Published retention schedule and data destruction guidelines
  2. Written consent: Not just digital opt-in - actual written release
  3. No data sales: Can't sell or profit from biometric data
  4. Security standards: Must protect biometric data at least as well as other confidential info

What You Can Do:

  • Sue directly: Private right of action - you don't need the state
  • $1,000 per negligent violation
  • $5,000 per intentional/reckless violation
  • Attorney fees: Company pays your lawyer if you win

Real impact: Since 2019, over 1,500 BIPA lawsuits have been filed. Facebook paid $650 million (2020). Meta paid $1.4 billion to Texas in 2024 under CUBI.[2]

2024 Amendment Weakens BIPA: August 2024 changes (SB2979) limit liability to a single recovery per violation instead of a "per scan" basis, eliminating the per-scan multiplication of statutory damages, and allow electronic signatures as valid consent.[5]

Texas: Consent Required, But You Can't Sue (CUBI)

Law: Capture or Use of Biometric Identifier Act (TEX. BUS. & COM. CODE § 503.001)[6]

Effective: September 1, 2009

The catch: No private right of action

What CUBI Requires:

  1. Notice: Inform before capturing biometric data
  2. Consent: Get permission before collection
  3. Destruction: Delete within one year after purpose satisfied
  4. No sales: Can't sell biometric identifiers without consent

What You Can't Do:

  • Sue directly: Only Texas Attorney General can enforce
  • Civil penalties: Up to $25,000 per violation - but paid to state, not you

July 2024: Texas AG announced $1.4 billion settlement with Meta for alleged CUBI violations - the largest biometric privacy settlement ever.[2]

June 2025: Texas enacted an AI law outlawing biometric collection without permission.[1]

Washington: Similar to Texas, Plus Health Data Protections

Law: Biometric Privacy Protection Act (WASH. REV. CODE §§ 19.375.010)[7]

Effective: July 23, 2017

Added layer: My Health My Data Act (effective March 31, 2024) covers biometric data[7]

What Washington Requires:

  1. Notice and consent: Before enrolling biometric identifiers for commercial purposes
  2. Security safeguards: Reasonable protection standards
  3. No data sales: Without consent

Enforcement:

  • Attorney General only: No private lawsuits
  • Some private action: California and Washington allow residents to sue in certain cases[1]

🏛️ Tier 2: Comprehensive Privacy Laws (20+ States)

These states classify biometric data as "sensitive data" requiring consent before processing. They don't have standalone biometric laws, but offer meaningful protections.

Effective Now

  • California - CCPA/CPRA
  • Virginia - VCDPA
  • Connecticut - CTDPA
  • Utah - UCPA (Dec 31, 2023)
  • Oregon - OCPA (July 1, 2024)
  • Montana - MCDPA
  • Florida - Big Tech focus

Effective 2025

  • Colorado - July 1, 2025[8]
  • Delaware - Jan 1, 2025[9]
  • New Jersey - Jan 15, 2025[9]
  • Iowa - Jan 1, 2025
  • Nebraska - Jan 1, 2025
  • New Hampshire - Jan 1, 2025
  • Minnesota - July 31, 2025[10]
  • Tennessee - July 1, 2025[10]
  • Maryland - Oct 1, 2025[10]

Effective 2026

  • Rhode Island - Jan 1, 2026[11]
  • Indiana - Jan 1, 2026[12]
  • Kentucky - 2026[10]

Colorado: The Strongest Tier 2 Law

Effective: July 1, 2025[8]

Why it stands out: Colorado's 2024 amendments align closest to Illinois BIPA

Requirements:

  • Written consent: Required before collecting biometric data
  • Retention schedule: Written policy mandated
  • Data security: Protocol for responding to breaches
  • Transparency: Disclose how biometric data is collected, used, and shared
  • No sales: Prohibits selling biometric data

The catch: No private right of action - Attorney General enforcement only[8]

Delaware: Strong Consent Requirements

Law: Delaware Personal Data Privacy Act (DPDPA)[9]

Effective: January 1, 2025

Biometric protections: Genetic or biometric data classified as sensitive

Requirement: Explicit consent required before processing biometric data

New Jersey: Similar to Delaware

Law: New Jersey Data Privacy Act (NJDPA)[9]

Effective: January 15, 2025

Definition: "Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual"

Requirement: Consumer consent required

Oregon: One of the Strongest

Law: Oregon Consumer Privacy Act (OCPA)[13]

Effective: July 1, 2024

Status: "One of the strongest data privacy laws passed to date"

Protections: Biometric data, sensitive and personal data, children's data

Requirement: Opt-in before companies collect face, eye, and voice data[1]

California: Broad but Weak Enforcement

Law: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Status: Expressly governs processing of biometric information

Enforcement: Allows residents to sue in certain cases[1]

The problem: Complex requirements, limited enforcement resources

Virginia & Connecticut: AG Enforcement Only

Similarity: Both classify biometric data as sensitive

Limitation: Enforcement through state attorneys general only - no private lawsuits[1]

Iowa: Weakest Tier 2 Law

Law: Iowa Consumer Data Protection Act (ICDPA)[13]

Effective: January 1, 2025

Weakness: "One of the most business-friendly" laws with weaker data protections

Missing right: Doesn't grant consumers the right to delete or correct data collected by third parties

🏙️ Tier 3: City and Employment-Specific Laws

New York City

Law: Biometric Identifier Information Law (Administrative Code, Title 22, Chapter 12)[7]

Effective: July 9, 2021

Requirements:

  • Clear signage disclosing biometric collection
  • Cannot sell or profit from customer biometric data

Penalties:

  • $500 per negligent violation
  • $5,000 per intentional violation
  • Plus reasonable attorney fees

Limitation: No automatic private right of action for just collecting biometric data. No requirement for written consent like BIPA.[14]

Portland, Oregon

Law: Portland City Code, Title 34[7]

Focus: Facial recognition ban

Prohibition: Bars facial recognition use in places of public accommodation by private entities

Damages: $1,000 per day for violations[7]

Maryland: Employer Protections

Law: Labor and Employment Code § 3-717[7]

Prohibition: Employers cannot use a facial recognition service during job interviews without applicant consent

Scope: Employment context only

New York State: Employment Fingerprint Restrictions

Law: N.Y. LAB. LAW § 201-a[7]

Rule: Restricts employer fingerprint requirements as a condition of employment

Exception: Unless provided by other laws

📜 Pending Legislation: What's Coming

States with Proposed Biometric Privacy Laws

New York State (S.B. 1422): Introduced January 9, 2025. Would create Illinois BIPA-like state law. Includes retina/iris scans, fingerprints, voiceprints, hand/face geometry.[14]

Michigan (S.B. 359): Proposed June 2025. Would define biometric data as automatic measurements of biological characteristics including fingerprints, voiceprints, eye retinas, irises. Not yet enacted.[12]

Missouri (S.B. 554, H.B. 407, H.B. 500): Creates "Biometric Data Privacy Act" with requirements for private entities and cause of action.[15]

Massachusetts (H.D. 3523, S.D. 1455): Companion bills to regulate biometric data processing. S.B. 2204 would provide $5,000 minimum statutory damages similar to BIPA.[7][15]

Pennsylvania (H.B. 596): Requires retail and entertainment venues to disclose biometric collection via signage.[7]

Nebraska (L.B. 204): Would prohibit requiring biometric data submission; requires consent and retention policies.[7]

🔍 What Counts as "Biometric Data"?

Always Included

  • Fingerprints
  • Hand geometry/palm prints
  • Retina/iris scans
  • Facial geometry/face scans
  • Voiceprints
  • DNA/genetic information

Sometimes Included

  • Gait analysis
  • Keystroke patterns
  • Voice recordings (vs voiceprints)
  • Behavioral biometrics
  • Heart rate patterns
  • Ear shape

Usually Excluded

  • Photos/videos (if not analyzed)
  • Audio recordings (if not analyzed)
  • Writing samples
  • Physical descriptions
  • Demographic data

Key distinction: Rhode Island specifically excludes "digital or physical photographs or audio or video recordings" from its definition of biometric data.[11]

Illinois proposed expansion: H.B. 2984 would include "neural data" as a biometric identifier.[7]

⚡ The Enforcement Gap: Who Can Actually Stop Violations?

Private Right of Action (You Can Sue)

States:

  • Illinois (strongest)
  • New York City (limited)
  • California, Washington (certain cases)

Why it matters: You don't need to wait for government action. Lawyers work on contingency.

Attorney General Only

States:

  • Texas, Washington (primary)
  • Colorado, Virginia, Connecticut
  • Most Tier 2 states

The problem: Limited resources. Enforcement is political. Companies know odds are low.

Real-World Impact

Illinois (with private action):

  • 1,500+ lawsuits since 2019
  • $650M Facebook settlement
  • Companies actually comply

Other states:

  • Handful of AG actions
  • Limited settlements
  • Widespread non-compliance

💼 What These Laws Actually Protect (Real Examples)

Time Clocks and Employee Tracking

Scenario: Your employer requires fingerprint scan to clock in/out

Protected in Illinois: Company must get written consent, post retention policy, and faces $1,000-$5,000 per scan if they don't. You can sue directly.[4]

Protected in Texas: Company needs consent and must delete within a year. But only Texas AG can enforce.[6]

Protected in Colorado (July 2025): Written consent required, but no private lawsuit.[8]

Not protected in most states: Company can require it as condition of employment

Facial Recognition at Stores and Venues

Scenario: Store uses facial recognition to track shoppers or identify shoplifters

Protected in NYC: Must post clear signage. Can't sell your facial data. You can sue for $500-$5,000 per violation.[7]

Banned in Portland: Private entities can't use facial recognition in public accommodations. $1,000/day penalty.[7]

Protected in Illinois, Texas, Washington: Need consent before collecting facial geometry

Protected in Tier 2 states: If law is in effect, facial data is "sensitive" requiring consent

Social Media Photo Tagging

Scenario: Facebook/Instagram suggests tagging friends using face recognition

Illinois: Facebook paid $650 million in 2020 for BIPA violations related to facial recognition tagging[2]

Texas: Meta paid $1.4 billion in 2024 for CUBI violations[2]

Other states: Generally protected under Tier 2 laws if facial recognition creates unique biometric template

Gym Membership and Access Control

Scenario: Gym uses fingerprint or face scan for entry

Protected in Illinois: Multiple gyms sued under BIPA for fingerprint scanners without proper consent

Protected in states with laws: Generally requires consent and retention policy

The catch: You might have to choose between giving consent or not using the gym

Voice Assistants and Smart Home Devices

Scenario: Alexa, Siri, Google Assistant storing voiceprints

Legal gray area: Depends on whether voice recordings become "voiceprints" (unique biometric templates)

Illinois approach: If unique voiceprint is created and stored, BIPA applies

Most state laws: Require consent for voiceprint creation

🛡️ How to Use These Laws to Protect Yourself

If You Live in Illinois

  • Know your rights: Any biometric collection requires written consent and retention policy
  • Read before signing: Look for BIPA consent forms (usually separate from main agreement)
  • Check retention policies: Company must post how long they keep data and when they delete it
  • Document violations: Save emails, take photos of missing disclosures
  • Find a lawyer: Many BIPA lawyers work on contingency (you don't pay unless you win)
  • Act fast: Claims typically must be filed within 1-5 years of violation

If You Live in Texas or Washington

  • Look for consent requests: Companies should ask before collecting biometric data
  • Document violations: Take screenshots, save communications
  • File AG complaint: Contact state Attorney General with evidence
  • Don't expect lawsuits: You can't sue directly, only the AG can
  • Consider moving data out of state: For critical services, use providers in states with stronger laws

If You Live in Colorado (After July 1, 2025)

  • Expect consent requests: Written consent required for biometric collection
  • Ask about retention: Companies must have written policy
  • File AG complaint: If company violates requirements
  • Leverage the law: Even without private lawsuits, companies face regulatory risk

If You Live in Tier 2 States

  • Check effective date: Know when your state's law kicks in
  • Opt out when possible: Even with consent requirements, opting out is better
  • Read privacy policies: Look for "sensitive data" or "biometric" sections
  • File complaints: Most states have AG or privacy enforcement office
  • Use Illinois/Texas companies: If given choice, pick vendors subject to stronger laws

If Your State Has No Law

  • Avoid biometric services: Use passwords, PINs, physical keys instead
  • Check company policies: Some voluntarily follow BIPA standards everywhere
  • Opt out of facial recognition: Request manual review at airports, stores
  • Use cash: Avoid biometric payment systems
  • Contact legislators: Push for state biometric privacy law
  • Consider relocation: For high-risk professions, state choice matters

⚠️ The Loopholes and Exemptions

What These Laws DON'T Protect

Government use: Most biometric privacy laws only apply to private companies. Police, TSA, immigration can still use facial recognition without consent in many states.

National security exemptions: Federal agencies are often exempt from state laws

Photos and videos (sometimes): If not analyzed for biometric templates, regular photos/videos are often excluded[11]

Employment requirements: In some states, employers can make biometric data a condition of employment (though they still need consent)

Security purposes: Some proposed laws would exempt vehicle safety tech, autonomous vehicles, security systems[7]

Small businesses: Some state laws only apply above revenue/data thresholds

Pre-existing data: Laws typically aren't retroactive - data collected before effective date may be grandfathered

🔮 What's Coming: The Future of Biometric Privacy

More States Adopting Laws

Expect 10+ more states to pass comprehensive privacy laws with biometric protections by 2026.

States actively considering: New York, Michigan, Missouri, Massachusetts, Pennsylvania[7][15]

Federal Preemption Risk

Congress could pass a weak federal biometric law that overrides strong state protections.

Watch for industry lobbying to cap damages and eliminate private rights of action.

Weakening Existing Laws

Illinois already weakened BIPA in August 2024.[5]

Proposed Illinois amendments would exempt time clocks, vehicle safety tech, autonomous vehicles.[7]

Companies lobby every session to carve out exemptions.

Neural Data: The Next Frontier

Illinois H.B. 2984 proposes adding "neural data" to biometric identifiers.[7] This would cover:

  • Brain-computer interfaces
  • EEG data
  • Neural patterns
  • Thought recognition technology

As brain-reading tech advances, expect biometric laws to expand beyond physical characteristics.

📊 By the Numbers: What Actually Happens

Litigation (Illinois BIPA)

  • 1,500+ lawsuits since 2019[2]
  • $650M Facebook settlement (2020)[2]
  • $1,000-$5,000 per violation
  • Most settle to avoid precedent

AG Enforcement (Texas)

  • $1.4B Meta settlement (2024)[2]
  • Up to $25,000 per violation[6]
  • Few total actions
  • Limited resources

Compliance Reality

  • High in Illinois: Companies fear lawsuits
  • Medium in TX/WA: Major companies comply
  • Low in Tier 2: Many ignore requirements
  • None elsewhere: No law, no compliance

🎯 The Bottom Line

23 states have some biometric privacy protection. Only 3 give you real power.

Illinois is the gold standard: Written consent, retention policies, and you can sue for $1,000-$5,000 per violation. Over 1,500 lawsuits prove it works. Facebook paid $650 million. Even with 2024 amendments weakening it, BIPA still has teeth.

Texas and Washington require consent but you can't sue. Only the Attorney General can enforce. Texas got $1.4 billion from Meta, but that's rare. Most violations go unpunished.

20+ states with comprehensive privacy laws classify biometric data as "sensitive." Colorado (July 2025) is strongest. Delaware and New Jersey (early 2025) require explicit consent. But without private lawsuits, enforcement is weak.

The rest of the country? Nothing. Companies can collect your face, fingerprints, and DNA without asking.

If you have a choice, live in Illinois. If not, check your state's effective date. File complaints when companies violate. Push for stronger laws. And whenever possible, opt out.

Your face is yours. Most states just don't protect it yet.

📚 References

  1. NPR - 23 states pass laws regulating facial and biometric data (August 2025)
  2. Illinois Business Law Journal - BIPA vs. CUBI Comparative Analysis (August 2024)
  3. Epstein Becker Green - Biometric Backlash: Rising Wave of BIPA Litigation
  4. Illinois General Assembly - Biometric Information Privacy Act (740 ILCS 14/)
  5. Faegre Drinker - Illinois amends BIPA to limit damages (August 2024)
  6. BCLP - U.S. Biometric Laws & Pending Legislation Tracker (2025)
  7. BCLP - State-by-state biometric law details and pending legislation
  8. NPR - Colorado biometric law requirements (July 2025)
  9. Eye On Privacy - 5 State Privacy Laws Effective January 2025
  10. BigID - 8 State Privacy Laws Going into Effect in 2025
  11. Moore & Van Allen - Rhode Island Data Transparency and Privacy Protection Act
  12. White & Case - Indiana becomes seventh state with comprehensive privacy law
  13. Benesch Law - Privacy Points: 2024 Recap and 2025 Outlook
  14. NY State Senate - Bill S1422: Biometric Privacy Act (2025)
  15. Missouri Senate - SB554 Biometric Information Privacy Act (2025)