Illinois BIPA and Texas CUBI are the two most consequential state biometric privacy laws in the US. Both restrict how companies can collect and use biometric identifiers, but they use very different enforcement models — with dramatically different risk profiles for companies.
Side-by-Side Comparison
| Feature | Illinois BIPA | Texas CUBI |
|---|---|---|
| Enacted | 2008 | 2009 |
| Biometric identifiers covered | Retinal/iris scans, fingerprints, voiceprints, hand/face geometry | Retinal/iris scans, fingerprints, voiceprints, hand/face geometry |
| Consent requirement | Written informed consent | Informed consent (not required to be written) |
| Sale/profit prohibition | Yes | Yes |
| Destruction requirement | 3 years or purpose end (whichever is first) | 1 year or purpose end (whichever is first) |
| Private right of action | Yes | No |
| AG enforcement | Yes | Yes (AG only) |
| Per-violation penalty | $1,000-$5,000 | Up to $25,000 |
| Per-claimant cap | $30,000 (2024 amendment) | N/A |
| Extraterritorial reach | De facto (courts have extended it) | Yes (proven in Meta case) |
The Private Right of Action Difference
This is the most significant structural difference. BIPA’s private right of action allows any individual to sue directly for violations. This enables class actions by plaintiffs’ attorneys who can aggregate thousands of individual claims.
Texas CUBI’s AG-only enforcement model means:
- No class actions by private plaintiffs
- No BIPA-style litigation wave (hundreds of class actions filed annually in Illinois)
- But: the AG can bring enforcement actions with massive per-violation penalties
For companies: Illinois BIPA risk is primarily about plaintiffs’ class action lawsuits. Texas CUBI risk is primarily about AG enforcement. Both have produced multi-hundred-million-dollar settlements.
Consent Requirements
BIPA explicitly requires written consent — a signed written release obtained before collection. Courts have interpreted this strictly: verbal consent is insufficient.
Texas CUBI requires informed consent but doesn’t specify that it must be in writing. This is a meaningful difference in practice: Texas CUBI is slightly easier to satisfy on the consent element, but the substance (the person must be informed before collection and agree) is similar.
Best practice: Obtain written consent in both states. If you’re operating in both Illinois and Texas, build your consent process to meet the BIPA standard (written, specific, before collection) and you’ll satisfy CUBI as well.
The Destruction Timeline
BIPA: 3 years after the initial purpose is satisfied, or when no longer needed, whichever is first.
CUBI: 1 year after the initial purpose is satisfied, or when no longer needed, whichever is first.
Texas is stricter on timing. A company that collected fingerprints for employee timekeeping must delete them within one year after the employment relationship ends (when the purpose is satisfied) — not three years as BIPA allows.
Extraterritorial Application
Both laws have been applied to companies headquartered outside the state:
BIPA: Illinois courts have applied BIPA to non-Illinois companies when Illinois residents were affected, though the extraterritorial scope is still being litigated.
CUBI: The Meta settlement definitively established that Texas will pursue California-headquartered companies for CUBI violations affecting Texas residents. The AG need not show any Texas business presence.
Operating in Both States: The Compliance Overlap
If you operate in both Illinois and Texas, build to the stricter standard on each element:
- Consent: Written, explicit, before collection (BIPA standard)
- Destruction timeline: 1 year after purpose (CUBI standard)
- Disclosure: Cover BIPA’s written policy requirement (CUBI doesn’t require this)
- Vendor agreements: Both states’ disclosure restrictions require appropriate data processing agreements
Meeting both laws simultaneously isn’t complicated — the requirements are aligned in substance. The main differences are in enforcement mechanism, not the underlying obligations.
This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.
