Biometric Data Privacy FAQ: BIPA, CCPA & Compliance Guide (2026)

Biometric data - including fingerprints, facial geometry, iris scans, and voiceprints - is among the most sensitive categories of personal information because, unlike passwords or credit card numbers, biometric identifiers cannot be changed if compromised. This FAQ covers the growing patchwork of biometric privacy laws, from the groundbreaking Illinois Biometric Information Privacy Act (BIPA) to CCPA biometric protections, facial recognition bans, employer collection rules, and practical compliance strategies for businesses operating in 2026.

Frequently Asked Questions

Q: What qualifies as biometric data under privacy laws?

Biometric data encompasses biological or behavioral characteristics that can be used to identify individuals. Different privacy laws define biometric data with varying scope, but the core concept covers physical traits that are unique to each person and largely permanent.

Key legal definitions include:

  • Illinois BIPA (740 ILCS 14/10): Defines "biometric identifiers" as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and "biometric information" as any information based on such an identifier that is used to identify an individual. Notably excludes writing samples, written signatures, photographs, human biological samples used for valid scientific testing, demographic data, tattoo descriptions, and physical descriptions (height, weight, hair color, eye color). A face-geometry template computed from a photograph is therefore covered even though the photograph itself is not
  • California CCPA (Civil Code Section 1798.140(c), as renumbered by the CPRA): Defines "biometric information" more broadly as physiological, biological, or behavioral characteristics (including DNA) used to establish identity, including imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings from which an identifier template can be extracted, as well as keystroke patterns, gait patterns, and sleep, health, or exercise data that contain identifying information
  • Texas CUBI (Business & Commerce Code Section 503.001): Covers "biometric identifiers," defined as a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry
  • EU GDPR (Articles 4(14) and 9): Defines biometric data as personal data resulting from specific technical processing of physical, physiological, or behavioral characteristics that allows or confirms unique identification, and classifies it, when processed for the purpose of uniquely identifying a person, as a "special category" of personal data requiring explicit consent or another Article 9(2) exception

The critical distinction is that, unlike passwords, Social Security numbers, or credit card numbers, biometric identifiers are inherently tied to the individual and cannot be changed if compromised. Once a fingerprint database is breached, the affected individuals cannot simply get new fingerprints. This permanence is why biometric data receives heightened legal protection compared to other categories of personal information.

Legal Reference: 740 ILCS 14/10 - Definitions (Illinois BIPA); Cal. Civ. Code Section 1798.140(c) - Definition of biometric information (CCPA, as amended by the CPRA)

Q: What does the Illinois Biometric Information Privacy Act (BIPA) require?

The Illinois Biometric Information Privacy Act (BIPA), codified at 740 ILCS 14, is the most significant and frequently litigated biometric privacy law in the United States. Enacted in 2008, BIPA was the first state law to regulate the collection, use, and storage of biometric data by private entities, and it remains the gold standard due to its private right of action and substantial statutory damages.

BIPA imposes the following requirements on private entities that collect biometric data:

  • Written policy (Section 15(a)): Develop and make publicly available a written policy establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose has been satisfied or within 3 years of the individual's last interaction with the entity, whichever comes first
  • Informed consent (Section 15(b)): Before collecting biometric data, inform the subject (or their legally authorized representative) in writing that a biometric identifier is being collected, state the specific purpose and the length of time it will be collected, stored, and used, and obtain a written release. Since the 2024 amendment, an electronic signature qualifies as a written release
  • Prohibition on sale (Section 15(c)): No private entity may sell, lease, trade, or otherwise profit from a person's biometric data. Unlike the disclosure rule, this prohibition is absolute; the subject's consent does not cure it
  • Prohibition on disclosure (Section 15(d)): May not disclose or disseminate biometric data unless the subject consents, the disclosure completes a financial transaction requested by the subject, or the disclosure is required by law or by a valid warrant or subpoena
  • Security measures (Section 15(e)): Store, transmit, and protect biometric data using the reasonable standard of care within the entity's industry, and in a manner at least as protective as the measures used for other confidential and sensitive information

What makes BIPA uniquely powerful is its private right of action (Section 20): any aggrieved person may recover $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus attorneys' fees and costs. In Rosenbach v. Six Flags Entertainment Corp. (2019), the Illinois Supreme Court held that a plaintiff does not need to allege actual injury beyond the statutory violation itself - the mere failure to obtain consent before collecting biometric data is sufficient to bring a claim. This has fueled a massive wave of class action litigation, with settlements regularly reaching tens of millions of dollars. In August 2024 the General Assembly amended Section 20 (Public Act 103-0769): a private entity that collects the same biometric identifier from the same person through the same method more than once commits a single violation, for which that person may recover at most once. The amendment overrides the per-scan accrual the court had adopted in Cothron v. White Castle (2023) but leaves the per-person statutory damages and the Rosenbach standing rule intact.

Legal Reference: 740 ILCS 14/15 - Retention, collection, disclosure, and destruction requirements; 740 ILCS 14/20 - Right of action, as amended by Public Act 103-0769 (2024); Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186

Q: How does the CCPA protect biometric information?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides significant protections for biometric information. Under the CCPA framework, the processing of biometric information for the purpose of uniquely identifying a consumer is classified as "sensitive personal information," which triggers heightened obligations for businesses that collect or process it. Biometric information processed for some other purpose (a voice recording kept for quality assurance, for example) is still personal information subject to the ordinary CCPA rights, but not to the sensitive-data obligations below.

Key CCPA protections for biometric data include:

  • Right to limit use (Section 1798.121): Consumers have the right to direct businesses to limit the use of their sensitive personal information, including biometric data, to purposes necessary to perform the services or provide the goods reasonably expected by the consumer
  • Right to know (Section 1798.110): Consumers can request disclosure of what biometric information has been collected about them, the sources, the business purposes, and any third parties with whom it has been shared
  • Right to delete (Section 1798.105): Consumers can request deletion of their biometric information, subject to certain exceptions
  • Notice requirements (Section 1798.100): Businesses must provide notice at or before the point of collection specifying the categories of sensitive personal information collected and the purposes of collection
  • Link to limit use: Businesses must provide a clear and conspicuous link on their homepage titled "Limit the Use of My Sensitive Personal Information"

Unlike Illinois BIPA, the CCPA does not provide a broad private right of action for biometric data violations. Private lawsuits under the CCPA are limited to data breach scenarios involving unencrypted or unredacted personal information (Section 1798.150). Enforcement of other CCPA provisions, including biometric data protections, falls to the California Privacy Protection Agency (CPPA) and the California Attorney General, who can impose administrative fines of $2,500 per violation and up to $7,500 per intentional violation or violation involving consumers under 16. Businesses that process biometric data should also expect to fall within the CPPA's regulations on cybersecurity audits and risk assessments, since processing sensitive personal information is a trigger for both.

Legal Reference: Cal. Civ. Code Section 1798.121 - Right to limit use and disclosure of sensitive personal information; Cal. Civ. Code Section 1798.140(ae) - Definition of sensitive personal information

Q: What regulations govern facial recognition technology?

Facial recognition technology is one of the most heavily scrutinized applications of biometric data processing, drawing attention from lawmakers, regulators, and civil liberties organizations. The regulatory landscape is evolving rapidly at the local, state, federal, and international levels.

City and Local Bans:

  • San Francisco, CA (2019): First major city to ban government use of facial recognition, including by police and city agencies
  • Boston, MA (2020): Banned government use of facial recognition technology
  • Portland, OR (2020): Banned both government and private-sector use of facial recognition in public accommodations, the most comprehensive local ban
  • King County, WA (2021): Banned government use with limited exceptions for law enforcement under court order
  • Several other cities, including Minneapolis, New Orleans, and Albany, enacted similar restrictions, though the trend is not one-directional: New Orleans repealed its 2020 ban in 2022 to allow police use under procedural limits

State-Level Regulation:

  • Illinois BIPA: Requires informed written consent before collecting facial geometry data, with statutory damages for violations. This applies to private entities using facial recognition for identification purposes
  • Washington State (RCW 43.386): Requires state and local government agencies to file a notice of intent and publish an accountability report before deploying facial recognition, obtain a warrant for ongoing surveillance, and provide meaningful human review of decisions that produce legal effects. This is distinct from RCW 19.375, Washington's commercial biometric identifier law, which governs private enrollment of biometric identifiers
  • Texas and Virginia: Texas CUBI requires informed consent before a biometric identifier, including a record of face geometry, is captured for a commercial purpose, and Virginia's VCDPA treats biometric data processed to identify a person as sensitive data requiring opt-in consent

International Regulation:

  • EU AI Act: Article 5(1)(h) prohibits real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, with narrow exceptions (searching for specific victims or suspects of serious crimes, preventing an imminent threat) subject to prior authorization; Article 5(1)(e) separately prohibits AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage. Both prohibitions have applied since 2 February 2025, and other remote biometric identification systems are regulated as high-risk under Annex III
  • GDPR: Requires explicit consent or another specific legal basis under Article 9 for processing biometric data for identification purposes
Legal Reference: San Francisco Administrative Code Chapter 19B; EU Artificial Intelligence Act (Regulation (EU) 2024/1689), Article 5(1)(e) and 5(1)(h)

Q: What happened with Clearview AI and what are the implications?

Clearview AI became the most prominent biometric privacy controversy by building a facial recognition database of billions of images (about three billion when its activities were first reported in 2020, and far more since) scraped from social media platforms, news sites, and other publicly available internet sources without the knowledge or consent of the individuals depicted. The company sold access to this database primarily to law enforcement agencies but also to private companies, enabling identification of individuals from photographs.

Key enforcement actions and legal proceedings against Clearview AI:

  • ACLU v. Clearview AI (Illinois, 2020-2022): The ACLU and other organizations filed suit under BIPA. The 2022 settlement permanently bars Clearview AI from selling or providing access to its database to most private companies and individuals anywhere in the United States, and bars it for five years from selling access to any state or local government entity in Illinois, including law enforcement. Federal agencies and state and local agencies outside Illinois were not covered, so law enforcement access elsewhere continued
  • Australian Privacy Commissioner (2021): Found Clearview AI violated the Privacy Act 1988 by collecting Australians' sensitive biometric information without consent and ordered the company to cease collection and destroy data of Australians
  • Canadian Privacy Commissioners (2021): Joint investigation by federal, Alberta, British Columbia, and Quebec commissioners found Clearview AI violated Canadian privacy law through collection without knowledge or consent
  • French CNIL (2022): Fined Clearview AI 20 million euros for unlawful processing of personal data under the GDPR
  • Italian Garante (2022): Fined Clearview AI 20 million euros for GDPR violations
  • UK ICO (2022): Fined Clearview AI over 7.5 million pounds for unlawful processing of UK residents' data; the First-tier Tribunal overturned the fine in 2023 on jurisdictional grounds, and the ICO appealed
  • Dutch Autoriteit Persoonsgegevens (2024): Fined Clearview AI 30.5 million euros for building an unlawful database of Dutch residents' facial images, with further penalties for non-compliance

The Clearview AI cases have significant implications: they established that publicly available photos are still subject to biometric privacy laws, that scraping public images to build facial recognition databases requires consent under BIPA and a valid Article 9 basis under the GDPR, and that enforcement of biometric privacy laws has real teeth. In the EU the same business model is now prohibited outright by Article 5(1)(e) of the AI Act. Companies developing AI or machine learning systems that process facial images, including anyone assembling a training set from web-crawled photographs, should review their data collection practices carefully in light of these precedents.

Legal Reference: ACLU v. Clearview AI, Inc., No. 2020-CH-04353 (Ill. Cir. Ct., Cook County); CNIL Decision No. SAN-2022-019 (France)

Q: What rules govern employer collection of biometric data?

Employers are among the most frequent collectors of biometric data, using fingerprint scanners for time-and-attendance tracking, facial recognition for building access control, and voice recognition for secure authentication. However, this collection is subject to biometric privacy laws that impose significant compliance obligations.

Illinois BIPA and Employment:

  • Employers in Illinois must obtain written informed consent from each employee before collecting biometric data for timekeeping or any other purpose
  • In Cothron v. White Castle System, Inc. (Ill. 2023), the Illinois Supreme Court held that a separate BIPA claim accrued each time biometric data was scanned or transmitted without consent, not just at initial collection. The 2024 amendment to Section 20 (Public Act 103-0769) reversed that result: repeated collection of the same identifier from the same person by the same method now counts as a single violation with a single recovery, so exposure for a non-compliant time clock is driven by headcount rather than by scan count
  • Major BIPA outcomes include, in the employment context, Rogers v. BNSF Railway (the first BIPA jury trial, which returned a $228 million verdict in 2022 for fingerprints collected from truck drivers at rail yard gates; the verdict was later vacated on damages and the case settled for $75 million in 2024) and Topgolf ($8.5 million settlement for fingerprint time clocks, 2023). The largest consumer-facing settlements, Facebook/Meta ($650 million for photo tagging, 2021) and TikTok ($92 million, 2021), show the scale of exposure under the same statute
  • Employers must implement written consent processes, retention policies, and data destruction protocols for all biometric data collected from employees

Other State Requirements:

  • New York City: Local Law 3 (2021) requires commercial establishments that collect biometric identifying information from customers to post clear signage at entrances
  • California: Under the CCPA, employees have the right to notice about biometric data collection and the right to limit use of their sensitive personal information
  • Maryland: Employers cannot use facial recognition during job applicant interviews without obtaining a signed waiver

Best practices for employers: provide written notice explaining what biometric data is collected and why, obtain signed written consent before enrollment in biometric systems, maintain a written biometric data retention and destruction policy, store biometric data with encryption and access controls, conduct data protection impact assessments, and consider whether alternative non-biometric solutions (badge systems, PIN codes) can serve the same purpose with less legal risk.

Legal Reference: 740 ILCS 14/15(b) - Consent requirements; Cothron v. White Castle Sys., Inc., 2023 IL 128004 (per-scan accrual of damages); 740 ILCS 14/20 as amended by Public Act 103-0769 (2024) (single violation per person per collection method)

Q: What are the implications of a biometric data breach?

A biometric data breach carries uniquely severe and permanent consequences that distinguish it from breaches involving other types of personal data. When passwords are compromised, users can change them. When credit card numbers are stolen, banks can issue new cards. But when fingerprints, facial geometry, or iris scans are compromised, the affected individuals cannot change their biological characteristics - the harm persists for life.

Legal consequences of a biometric data breach:

  • State breach notification laws: The majority of states now include biometric data in their breach notification statutes, requiring organizations to notify affected individuals and, in many cases, the state attorney general when biometric data is compromised
  • BIPA liability: Under Illinois BIPA Section 15(e), organizations must store, transmit, and protect biometric data using reasonable standards of care. Failure to protect biometric data from breach can result in statutory damages of $1,000-$5,000 per violation
  • CCPA private right of action: Under California Civil Code Section 1798.150, consumers can bring private lawsuits for data breaches involving unencrypted biometric information, seeking statutory damages of $100-$750 per consumer per incident or actual damages, whichever is greater
  • GDPR penalties: Breaches involving biometric data can trigger fines of up to 20 million euros or 4% of annual global turnover under the GDPR, plus individual right to compensation
  • Class action exposure: Biometric data breaches frequently result in class action lawsuits, with settlements and verdicts reaching hundreds of millions of dollars

Security measures for biometric data:

  • Store templates (mathematical feature representations) rather than raw biometric images, and discard the raw capture as soon as the template is produced. Templates are still biometric identifiers under BIPA and the GDPR, and template-inversion research shows that faces and fingerprints can often be reconstructed from them, so a template database needs the same protection the images would
  • Encrypt biometric data at rest and in transit, with keys held in an HSM or cloud KMS rather than alongside the data, so that destroying the key is a meaningful part of destroying the data
  • Apply strict access controls with multi-factor authentication for any system or operator that can read biometric databases, and log every read, not just every write
  • Conduct regular security audits and penetration testing that cover the capture devices, the matching service, and the storage layer, since each is a separate place a template can leak
  • Prefer on-device matching where possible, avoiding a centralized biometric database entirely: platform authenticators built on FIDO2/WebAuthn, for example, keep the fingerprint or face template inside the device's secure hardware and release only a signed assertion to the server, which therefore never holds biometric data at all
  • Implement data minimization: collect and retain only the biometric data necessary for the specific purpose, and destroy it on the schedule your written retention policy promises
Legal Reference: 740 ILCS 14/15(e) - Security requirements; Cal. Civ. Code Section 1798.150 - Private right of action for data breaches

Q: What should businesses include in a biometric data compliance program?

Building a comprehensive biometric data compliance program is essential for any organization that collects, stores, or processes biometric identifiers. Given the patchwork of state and international laws, a compliance program should be designed to meet the most stringent applicable requirements while remaining practical to implement.

Core compliance program elements:

  1. Written biometric data policy: Develop a publicly available policy that identifies what biometric data you collect, the specific purposes for collection, the retention schedule, and destruction procedures. Under BIPA, data must be destroyed when the purpose has been satisfied or within 3 years of last interaction
  2. Consent and notice procedures: Create standardized written notices and consent forms that comply with the most stringent applicable law. Notices should identify the specific biometric data collected, the purpose, the duration of storage, and any third parties who will have access. Obtain signed written consent before any collection; under BIPA as amended in 2024 an electronic signature satisfies the written-release requirement, so a recorded click-to-sign on the enrollment screen is acceptable provided the notice text precedes it and the signed record is retained
  3. Data security measures: Implement encryption for biometric data at rest and in transit, strict access controls, multi-factor authentication for systems handling biometric data, regular security assessments, and audit logging of all access to biometric databases
  4. Vendor management: If third-party vendors process biometric data on your behalf, ensure contracts include data protection obligations, security requirements, breach notification provisions, and indemnification for privacy law violations
  5. Employee training: Train all employees who handle biometric data on proper collection procedures, consent requirements, security protocols, and incident reporting
  6. Incident response plan: Develop procedures specific to biometric data breaches, including notification timelines, affected individual communications, and regulatory reporting requirements
  7. Regular audits: Conduct periodic assessments of compliance with biometric data policies, review consent records for completeness, verify data destruction schedules are being followed, and test security measures
  8. Documentation and record-keeping: Maintain detailed records of all consent forms, policy versions, training records, vendor agreements, and audit results to demonstrate compliance in the event of regulatory inquiry or litigation
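The retention and consent rules in items 1 and 2 above, and in BIPA Sections 15(a) and 15(b) earlier on this page, reduce to a small piece of logic that is easy to get wrong in a scheduled job. The following is an added example written for this page, not statute text or any vendor's product: an in-memory enrollment store that refuses collection when no written release is on file, computes each record's destruction deadline as the earlier of "purpose satisfied" and three years after the last interaction, destroys expired templates from a scheduled run, and keeps an audit log. The subject identifiers, purposes, dates, and template bytes are constructed for the scenario, and the 3*365-day retention constant is a deliberately conservative stand-in for "three years"; both are assumptions of the example, not requirements of the statute.

```python
# Added example for this page: a minimal BIPA 15(a)/15(b) enrollment store.
# Not statute text or a vendor product. Assumptions: templates are opaque bytes
# produced by a matcher outside this code; one purpose per enrollment; all
# timestamps are timezone-aware UTC; the sample subjects and dates are constructed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Outer bound from 15(a): three years after the last interaction. 3*365 days is
# slightly shorter than three calendar years, so it errs toward earlier destruction.
RETENTION_LIMIT = timedelta(days=3 * 365)


@dataclass
class Enrollment:
    subject_id: str
    purpose: str                      # the specific purpose disclosed in writing (15(b))
    enrolled_at: datetime
    last_interaction: datetime
    purpose_satisfied_at: Optional[datetime] = None
    template: Optional[bytes] = None  # template only; the raw capture is never stored

    def destroy_by(self) -> datetime:
        """15(a): purpose satisfied or 3 years after last interaction, whichever is first."""
        deadline = self.last_interaction + RETENTION_LIMIT
        if self.purpose_satisfied_at is not None:
            deadline = min(deadline, self.purpose_satisfied_at)
        return deadline


class BiometricStore:
    def __init__(self) -> None:
        self._records: dict[str, Enrollment] = {}
        self.audit_log: list[str] = []  # every refusal, enrollment and destruction

    def enroll(self, subject_id: str, purpose: str, template: bytes,
               written_release_on_file: bool, now: datetime) -> Enrollment:
        """15(b): refuse collection unless a written (or electronic) release is on file."""
        if not written_release_on_file:
            self.audit_log.append(f"{now.date()} REFUSED enroll {subject_id}: no written release")
            raise PermissionError(f"BIPA 15(b): no written release on file for {subject_id}")
        rec = Enrollment(subject_id, purpose, now, now, template=template)
        self._records[subject_id] = rec
        self.audit_log.append(
            f"{now.date()} ENROLL {subject_id} purpose={purpose!r} destroy_by={rec.destroy_by().date()}")
        return rec

    def record_interaction(self, subject_id: str, now: datetime) -> None:
        self._records[subject_id].last_interaction = now  # restarts the 3-year clock

    def mark_purpose_satisfied(self, subject_id: str, now: datetime) -> None:
        self._records[subject_id].purpose_satisfied_at = now  # may pull the deadline in

    def deadlines(self) -> dict[str, str]:
        return {s: r.destroy_by().date().isoformat() for s, r in self._records.items()}

    def due_for_destruction(self, now: datetime) -> list[str]:
        return sorted(s for s, r in self._records.items() if r.destroy_by() <= now)

    def destroy_expired(self, now: datetime) -> list[str]:
        """Run this from a scheduled job; returns the subjects whose data was destroyed."""
        destroyed = []
        for subject_id in self.due_for_destruction(now):
            rec = self._records.pop(subject_id)
            rec.template = None  # a real store deletes the ciphertext and its key material
            self.audit_log.append(
                f"{now.date()} DESTROY {subject_id} reason=15(a) deadline={rec.destroy_by().date()}")
            destroyed.append(subject_id)
        return destroyed

    def subjects(self) -> list[str]:
        return sorted(self._records)


def demo() -> dict:
    """Constructed scenario: three enrolled employees and one refused enrollment,
    with the retention job run on 2026-01-15."""
    utc = timezone.utc
    store = BiometricStore()
    store.enroll("emp-001", "time clock", b"\x01\x02", True, datetime(2022, 1, 3, tzinfo=utc))
    store.record_interaction("emp-001", datetime(2022, 6, 1, tzinfo=utc))   # left mid-2022
    store.enroll("emp-002", "time clock", b"\x03\x04", True, datetime(2024, 3, 1, tzinfo=utc))
    store.record_interaction("emp-002", datetime(2025, 12, 1, tzinfo=utc))  # still clocking in
    store.enroll("emp-003", "site access", b"\x05\x06", True, datetime(2025, 1, 6, tzinfo=utc))
    store.mark_purpose_satisfied("emp-003", datetime(2026, 1, 10, tzinfo=utc))  # project ended
    try:
        store.enroll("emp-004", "time clock", b"\x07\x08", False, datetime(2026, 1, 12, tzinfo=utc))
    except PermissionError:
        pass  # refusal is the correct outcome and is already in the audit log
    deadlines = store.deadlines()
    now = datetime(2026, 1, 15, tzinfo=utc)
    destroyed = store.destroy_expired(now)
    return {"deadlines": deadlines, "destroyed": destroyed,
            "remaining": store.subjects(), "audit": store.audit_log}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Two design points carry over to a real deployment. The deadline is recomputed from stored facts on every run rather than cached at enrollment, because a later interaction or an early "purpose satisfied" changes it; and destruction is logged with the reason and the deadline it enforced, which is the evidence a regulator or class counsel will ask for. In production, "destroy" must reach the persisted ciphertext and its key, and the audit log should be append-only storage that the biometric system itself cannot rewrite.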
Best Practice: Model your compliance program on Illinois BIPA requirements - the most stringent U.S. standard - to ensure compliance across all current and anticipated state biometric privacy laws.

Q: Which states have biometric privacy laws and how do they compare?

The landscape of state biometric privacy laws continues to evolve rapidly. As of 2026, the regulatory approaches vary significantly in scope, enforcement mechanisms, and specific requirements:

Dedicated Biometric Privacy Laws:

  • Illinois BIPA (740 ILCS 14): The gold standard - requires written consent, written policy, prohibits sale of biometric data. Private right of action with statutory damages ($1,000 negligent, $5,000 intentional). The per-scan accrual adopted in Cothron v. White Castle (2023) was overridden by the 2024 amendment (Public Act 103-0769), which limits repeated collection of the same identifier by the same method to a single violation per person
  • Texas CUBI (Bus. & Com. Code 503.001): Requires informed consent before capturing biometric identifiers for commercial purposes. Mandates destruction within a reasonable time and no later than one year after the purpose for collection expires. No private right of action - enforcement by the Attorney General with civil penalties up to $25,000 per violation; the Texas AG's $1.4 billion settlement with Meta in 2024 over facial recognition in photo tagging shows that AG-only enforcement can still be very costly
  • Washington (RCW 19.375): Requires notice and consent before enrolling biometric identifiers in a database for a commercial purpose. Prohibits selling, leasing, or disclosing enrolled identifiers without consent, with limited exceptions. No private right of action - AG enforcement only

Comprehensive Privacy Laws Covering Biometric Data:

  • California CCPA/CPRA: Classifies biometric data as sensitive personal information. Right to limit use, right to delete, right to know. Private right of action limited to data breaches. CPPA and AG enforcement for other violations
  • Virginia VCDPA: Biometric data is sensitive data requiring opt-in consent. Data protection assessments required. No private right of action - AG enforcement
  • Colorado CPA: Biometric data is sensitive data requiring opt-in consent. Universal opt-out mechanism required. A 2024 amendment (HB 24-1130, effective July 2025) added biometric-specific duties, including a written retention and destruction policy and limits on when employers may require employee biometrics. AG and DA enforcement
  • Connecticut CTDPA: Similar to Virginia - biometric data as sensitive data requiring consent. AG enforcement
  • Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas (TDPSA), Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island: Comprehensive privacy laws with biometric data provisions, generally treating biometric data processed to identify a person as sensitive data, with varying consent and enforcement mechanisms and no private right of action

Local Ordinances:

  • New York City Local Law 3 (2021): Requires commercial establishments collecting biometric identifying information (fingerprints, facial recognition, etc.) from customers to post clear, conspicuous signage at entrances. Provides a private right of action with $500 per negligent violation and $5,000 per intentional violation
  • Portland, OR: Prohibits private entities in places of public accommodation from using facial recognition technology
Key Trend: More states are adding biometric data protections through comprehensive privacy legislation. Businesses operating nationally should prepare for biometric privacy requirements to become standard across the majority of states.
