TL;DR: Amazon's Ring launched "Familiar Faces" facial recognition in December 2025, but three places blocked it outright: Illinois, Texas, and Portland, Oregon. These jurisdictions have biometric privacy laws that require consent before scanning someone's face. Everywhere else? Your mail carrier, your neighbor's kid, and every delivery driver gets their faceprint uploaded to Amazon's servers without permission.
Where Ring Can't Deploy Facial Recognition
Ring's Familiar Faces feature catalogs up to 50 faces of people who visit your door. You label them ("Mom," "Delivery Guy," "Neighbor") and get alerts like "Sarah at Front Door" instead of generic motion notifications. Convenient for owners. Not so much for everyone being scanned.
Three jurisdictions have laws strong enough to stop it:
- Illinois: The Biometric Information Privacy Act (BIPA) requires written consent before capturing anyone's face geometry. You violate it, they can sue you. $1,000 per negligent scan, $5,000 per intentional one.
- Texas: The Capture or Use of Biometric Identifier Act (CUBI) mandates informed consent before commercial collection. The state attorney general can hit violators with up to $25,000 per offense. Google paid $1.375 billion and Meta paid $1.4 billion in Texas biometric settlements.
- Portland, Oregon: Banned facial recognition outright in September 2020, covering both government and private use in public accommodations. Effective January 2021, businesses and residents can't deploy facial recognition systems in public-facing spaces.
Amazon proactively disabled Familiar Faces in these areas. They know the legal exposure. The Electronic Frontier Foundation noted that Ring would face liability because the feature "necessarily requires its cameras to collect a faceprint from every person who comes into view."
Illinois: The Gold Standard
BIPA passed in 2008 (before Ring existed) and it's still the toughest biometric law in the country. Key provisions:
- Private companies need written, informed consent before collecting biometric identifiers
- Must explain what data they're collecting and why
- Must disclose retention periods
- Individuals have a private right of action: they can sue directly without waiting for the attorney general
That private right of action is what makes BIPA different. In most states, you'd need the AG to pursue enforcement. In Illinois, any person scanned without consent can file suit. Facebook learned this the hard way, paying $650 million in 2021 for its photo-tagging facial recognition system.
If you're in Illinois and a neighbor's Ring camera scans your face with Familiar Faces enabled, you could potentially sue the neighbor. That's why Amazon won't let it happen.
Texas: The Big Dollar Settlements
CUBI has been on the books since 2009, but enforcement ramped up dramatically under Attorney General Ken Paxton. Unlike Illinois, individuals can't sue: only the state can enforce. But when Texas enforces, it enforces hard.
Google's $1.375 billion settlement in 2024 came from Nest cameras that allegedly "indiscriminately captured the face geometry of any Texan" who appeared on camera. Sound familiar? That's exactly what Ring's Familiar Faces does.
Meta paid $1.4 billion in 2024 for its photo-tagging system. These aren't slap-on-the-wrist settlements. Texas treats biometric privacy violations seriously, at least when companies have deep pockets.
CUBI requires anyone collecting biometric data for commercial purposes to inform the individual and obtain consent before collection, destroy the data within a year of the purpose expiring, and protect the data with reasonable security measures.
Portland: The Outright Ban
Portland went further than consent requirements. In September 2020, the city council passed two ordinances banning facial recognition technology entirely: one for city bureaus, one for private entities.
The private entity ban covers "places of public accommodation" (any facility used by the public, including stores, restaurants, and yes, the spaces around doorbell cameras that capture public sidewalks and streets).
Exceptions exist for user verification on personal devices, compliance with federal/state laws, and automatic face detection in social media apps (like when your phone camera finds faces for focus). But doorbell facial recognition that catalogs visitors? That's a violation.
Enforcement includes a private right of action for damages or $1,000 per day of violation, whichever is greater. Portland residents can sue both Ring camera owners and potentially Amazon for deploying the technology within city limits.
Everywhere Else: You're Fair Game
As of March 2026, 20 states have comprehensive privacy laws. Most include some protections for biometric data as "sensitive" information. But there's a catch: most rely on state AG enforcement rather than private rights of action, and most allow "consent" buried in terms of service.
Maryland's Online Data Privacy Act (effective October 2025) shows promise. It restricts biometric data collection unless "strictly necessary" for providing a requested service. The EFF argues it "essentially prohibits" companies from collecting biometric data from bystanders. But Maryland hasn't been tested against Ring yet.
If you're not in Illinois, Texas, Portland, or Quebec (Canada, where it's also blocked), your face is getting scanned, uploaded, and stored whether you consent or not. Amazon dumps liability on users with vague warnings about "consent obligations" and language saying you're responsible for using Ring products "consistent with local law."
Translation: if your neighbor's Ring camera scans your face and your state law requires consent, that's your neighbor's legal problem. Amazon just built the surveillance infrastructure.
The Consent Problem
Ring camera owners opt in. Everyone else doesn't get a choice.
Friends, family, delivery drivers, mail carriers, political canvassers, kids selling cookies, people walking past on the sidewalk: none of them consented to facial geometry capture. Amazon can't obtain their consent. Ring camera owners can't obtain their consent. But the scanning happens anyway.
The EFF put it plainly: "Companies need affirmative consent before running face recognition on you." Ring can't get it from the majority of people its cameras capture. In most states, that doesn't matter. In Illinois, Texas, and Portland, it does.
This is the core argument driving biometric privacy law. You can't meaningfully consent to face scanning that happens automatically, in public, by devices you don't own and may not even notice. The only real consent is knowing, informed, and given before capture, not after.
What You Can Do
If you're in Illinois, Texas, or Portland: Ring Familiar Faces is already blocked. You're protected by law. If a neighbor somehow enables it anyway (through VPNs or other workarounds), document it. You may have grounds for legal action.
If you're anywhere else:
- Push your state legislature for biometric privacy laws with private rights of action. Illinois-style laws work because individuals can sue.
- Check if your state has any pending biometric legislation. 16 states have comprehensive privacy laws requiring opt-in consent for sensitive data, but "opt-in" definitions vary.
- Ask Ring-owning neighbors not to enable Familiar Faces. Awkward conversation, but it's your face.
- Wear hats, sunglasses, or masks if you want to avoid biometric capture. This shouldn't be necessary. It is. See how to beat facial recognition for what actually works.
If you own a Ring camera: Don't enable Familiar Faces. You're creating a biometric database of everyone who approaches your door. Your delivery driver didn't consent to have their faceprint on Amazon's servers. Your neighbor's kids didn't consent. Nobody walking by consented.
And if Amazon gets breached (something that's happened before), those faceprints are out there permanently.
Why This Matters Beyond Ring
Ring isn't the only company deploying residential facial recognition. It's just the biggest. Where Ring goes, others follow. If Familiar Faces normalizes doorbell biometric surveillance, expect the same from Nest, Wyze, Arlo, and every competitor.
State biometric laws are the only consistent defense. The federal government hasn't passed comprehensive biometric privacy legislation. The FTC can pursue enforcement after violations happen, but can't proactively block deployments. Only states with strong laws (and willing attorneys general or private rights of action) can stop it before it starts.
Illinois, Texas, and Portland proved it works. Amazon evaluated the legal risk and decided not to deploy. That's the model. Make biometric surveillance legally expensive, difficult, and risky. Companies respond to liability exposure.
If you're in one of the 47 other states, your legislature hasn't given you that protection yet. Maybe it's time to ask why.
References
- EFF - The Legal Case Against Ring's Face Recognition Feature
- TechCrunch - Amazon's Ring Rolls Out Controversial AI-Powered Facial Recognition
- Fox News - Amazon Ring Gets AI Upgrade with Controversial Facial Recognition Feature
- Illinois General Assembly - Biometric Information Privacy Act (BIPA)
- Texas Attorney General - Capture or Use of Biometric Identifier Act
- Portland.gov - Chapter 34.10: Face Recognition Technologies by Private Entities
- Cooley - Maryland's State Privacy Law Takes Effect October 2025
- Ring - Familiar Faces Support Article