Biometric privacy law in the US is a patchwork of state statutes, each with different scope, requirements, and enforcement mechanisms. Illinois BIPA gets the most attention because it’s the most litigated, but several other states have enacted meaningful protections.
## The Three-Tier Framework
State biometric laws generally fall into three tiers by enforcement strength:
Tier 1 — Private Right of Action: Illinois (BIPA). Private plaintiffs can sue. This is why BIPA generates so much litigation.
Tier 2 — AG Enforcement Only: Texas (CUBI), Washington, several others. Only the state AG can enforce. Fewer lawsuits, but real regulatory risk.
Tier 3 — Privacy Law Coverage: California (CPRA), Virginia, Colorado, and others that cover biometric data as a category within broader privacy statutes.
## Illinois BIPA
- Full name: Biometric Information Privacy Act (740 ILCS 14)
- Enacted: 2008
- Covers: Biometric identifiers (retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry) and biometric information derived from them
- Key requirements: Written consent before collection; written policy on retention and destruction; no unauthorized disclosure; destruction within 3 years or when the purpose is fulfilled
- Enforcement: Private right of action + AG enforcement
- Penalties: $1,000 to $5,000 per violation, subject to a 2024 cap of $30,000 per claimant per defendant
- Litigation: $3B+ in settlements to date
## Texas CUBI
- Full name: Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503)
- Enacted: 2009
- Covers: Biometric identifiers (retina or iris scans, fingerprints, voiceprints, records of hand or face geometry)
- Key requirements: Informed consent before collection; prohibition on sale or profit; no disclosure without consent; destruction within one year or when the purpose is fulfilled
- Enforcement: AG enforcement only (no private right of action)
- Penalties: $25,000 per violation
- Notable case: Texas AG v. Meta Platforms (2022-2025): $1.4 billion settlement over Meta’s Tag Suggestions feature, which used facial recognition without consent. The largest privacy settlement in US history.
## Washington
Washington passed its Biometric Privacy Law in 2017 (RCW 19.375). The My Health My Data Act (2023) then created new protections for health data, including biometric data tied to health conditions, and its provisions now enhance the 2017 law.
- Requirements: Informed consent; no disclosure without consent; destruction when no longer needed
- Enforcement: AG enforcement + private right of action for commercial entities
## California
California doesn’t have a standalone biometric law, but BIPA-equivalent protections exist under:
- CCPA/CPRA: Biometric data is a “sensitive personal information” category; consumers have rights to limit its use and sale
- CPPA rulemaking: Forthcoming ADMT rules will add further requirements for AI-based biometric processing
## What’s Coming: The Federal Gap
Federal biometric legislation has been proposed but not enacted. The American Data Privacy and Protection Act (ADPPA) would have created a federal floor for biometric data protection. Without federal preemption, companies must navigate the patchwork state by state.
## Compliance Strategy for Multi-State Operations
Step 1: Map your biometric data. What biometric data do you collect, where, from whom, and for what purpose?
Step 2: Identify applicable laws by state. For each state where you have employees or customers from whom you collect biometric data, identify the applicable law.
Step 3: Build to the highest standard. BIPA’s requirements (written consent, written policy, destruction schedule) satisfy most other state requirements. Building to BIPA standards is a reasonable multi-state approach.
Step 4: Add state-specific elements. Texas CUBI has a one-year destruction requirement vs. BIPA’s three years. Note and comply with the stricter standard.
Step 5: Vendor diligence. Many biometric data violations involve vendor-processed data. Ensure vendors have appropriate data processing agreements.
## The Key Differences Table
| Jurisdiction | Private Suit | AG Suit | Consent Required | Destruction Window |
|---|---|---|---|---|
| Illinois (BIPA) | Yes | Yes | Yes (written) | 3 years or purpose end |
| Texas (CUBI) | No | Yes | Yes (informed) | 1 year or purpose end |
| Washington | Yes (commercial) | Yes | Yes | When no longer needed |
| California (CPRA) | Limited | Yes | Opt-out for sale/share | As needed |
Understanding the patchwork is the first step. Compliance requires mapping your data practices to each applicable law.
This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.