Biometric Data Laws in the U.S. – What Businesses Should Know

Biometric data is fundamentally different from other types of personal information. You can change a password or get a new credit card number, but you cannot change your fingerprints, your face, or your unique voiceprint. 

This permanence is precisely why biometric data attracts the most demanding legal protections in the United States. A company that fails to follow these strict rules faces some of the largest legal settlements in data privacy history.

How Illinois’ BIPA Law Set The Standard For Biometric Privacy

The most important law in the country is the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, it set the standard for the whole nation. BIPA says any private company collecting biometrics from Illinois residents must do five things. 

  • First, give a written notice about the collection. 
  • Second, get a signed “written release” from the person before the data is taken. 
  • Third, create and share a public plan for how the data is stored and when it is destroyed. 
  • Fourth, never sell this data. 
  • Fifth, use strong security.

BIPA lets individuals sue for “statutory damages.” A company might pay $1,000 for a mistake or $5,000 for a reckless act, per person. Because the law allows for a “private right of action,” regular people can hire lawyers to sue companies directly.

This has turned BIPA into a major driver of class action lawsuits and led to massive settlements, like $650 million against Facebook and $228 million against a major railway.

State Laws Beyond Illinois

While Illinois is the toughest jurisdiction, other states are catching up quickly with their own enforcement frameworks.

Texas And The CUBI Law

Texas has a law called CUBI (Capture or Use of Biometric Identifier). It requires prior consent and strictly bans the sale of biometric data. While only the Texas Attorney General can sue under CUBI, the office is extremely active. 

In 2024, Google settled a major Texas case for over $1.4 billion regarding the unauthorized collection of biometric data.

Emerging Standards In Other States

Washington state requires similar consent and security measures. In New York City, a local ordinance requires commercial establishments to post signs if they use biometric surveillance. As of 2024, many other states are moving toward passing their own comprehensive versions of these laws.

How Federal Agencies Are Addressing Biometric Data Risks

There is no single national law for biometrics yet. However, the Federal Trade Commission (FTC) is watching companies very closely. It has already punished several companies for using face or voice data in unfair or deceptive ways.

The EEOC also gives advice to bosses on how to use biometrics without breaking employee disability laws. Since there is no federal law, businesses must follow many different state rules. Illinois is the highest bar to clear.

Where Businesses Commonly Use Biometric Data

Many companies collect biometric data through everyday systems. They often do so without realizing the full legal weight of those collections.

  • Employee Time-Clocks: Using fingerprints or hand-scans to prevent buddy punching.
  • Security Access: Using facial recognition to grant entry to high-security office zones or server rooms.
  • Retail Analytics: Using gait analysis or face-scanning to track customer demographics and foot traffic.
  • Identity Verification: Using voiceprints or iris scans for high-level banking or healthcare account access.

Following biometric laws is not optional. The risk of being sued under the Illinois BIPA is so high that it can dwarf the cost of building a safety program. 

You must focus on written consent and having a clear plan for deleting data. Businesses that ignore these rules carry a massive legal risk that grows with every single scan. 

Contact a qualified legal professional to discuss your compliance strategy and minimize potential liability.
