Last year, a company I worked with wanted to add facial recognition to their office security system. Seemed straightforward—employees would scan their faces to enter the building instead of using keycards. Simple, convenient, modern.
Then I asked about their biometric data privacy compliance. Blank stares. They had no idea that collecting biometric data triggers some of the strictest privacy laws in the United States.
Biometric data—fingerprints, facial recognition, voiceprints, iris scans, even gait analysis—is considered highly sensitive personal information. It's unique, permanent, and can't be changed if compromised. This sensitivity has led to strict regulations around its collection and use.
If your business collects biometric data, you need to understand these laws. The penalties for non-compliance can be severe, and the requirements are more complex than typical privacy regulations.
What Counts as Biometric Data?
Biometric data is information that uniquely identifies a person based on their physical or behavioral characteristics. Common types include:
- Fingerprints - The most common form, used in phones, laptops, and access control
- Facial recognition - Used in security systems, photo tagging, and authentication
- Voiceprints - Voice recognition for authentication or identification
- Iris or retina scans - Used in high-security applications
- Hand geometry - Less common but still used in some access control systems
- DNA - The ultimate biometric identifier
- Behavioral biometrics - Typing patterns, gait, mouse movements
Some laws, BIPA among them, distinguish "biometric identifiers" (the raw measurement, such as a fingerprint or a scan of face geometry) from "biometric information" (any data derived from an identifier that can still identify the person, such as a stored template). Both are regulated, and which one you hold affects how the notice, retention, and destruction rules apply.
BIPA: The Illinois Biometric Information Privacy Act
Illinois passed the first comprehensive biometric privacy law in 2008. BIPA has become the model for other states and has resulted in some of the largest privacy settlements in history.
Who BIPA Applies To
BIPA applies to any private entity that collects biometric data from Illinois residents, regardless of where the company is located. If you collect biometrics from someone in Illinois, BIPA applies.
Key Requirements
BIPA has several strict requirements:
Written notice and consent: Before collecting biometric data, you must inform the person in writing about:
- What biometric data you're collecting
- Why you're collecting it
- How long you'll retain it
- How you'll destroy it
You must obtain written consent (or, in the case of employees, written release).
Retention and destruction: You can only retain biometric data as long as needed for the original purpose. Once that purpose ends, you must destroy it according to a written schedule.
No sale or profit: You cannot sell, lease, trade, or profit from biometric data.
Reasonable security: You must protect biometric data using the reasonable standard of care for your industry, and in a manner at least as protective as the way you store your other confidential and sensitive information.
Disclosure restrictions: You can only disclose biometric data with consent or in limited circumstances (like completing a financial transaction the person requested).
Penalties
BIPA violations can result in:
- $1,000 per negligent violation
- $5,000 per intentional or reckless violation
- Reasonable attorneys' fees and costs
These penalties apply per violation, and class action lawsuits can result in massive settlements. Facebook settled a BIPA case for $650 million. Google settled for $100 million.
Other State Biometric Laws
Several other states have biometric privacy laws:
Texas
Texas has a biometric privacy law similar to BIPA, but it only applies to commercial use of biometric identifiers. It requires consent and prohibits selling biometric data.
Washington
Washington's biometric law requires notice and consent before collecting biometric data. It also requires reasonable security measures and prohibits selling biometric data.
California
California's CCPA/CPRA includes biometric data in its definition of personal information. This means biometric data is subject to CCPA requirements: disclosure, deletion rights, opt-out rights, and more.
New York
New York has proposed biometric privacy legislation, though it hasn't passed yet. Several cities in New York have their own biometric laws.
GDPR and Biometric Data
Under GDPR, biometric data processed to uniquely identify a person is "special category" personal data, which means it gets extra protection. You need a specific legal basis to process it, and you must:
- Obtain explicit consent (unless another legal basis applies)
- Conduct a data protection impact assessment
- Implement appropriate security measures
- Respect deletion rights
GDPR also requires that biometric data processing be necessary and proportionate. You can't collect more biometric data than you need.
Common Use Cases and Compliance
Here's how compliance works for common biometric use cases:
Employee Time Clocks
Fingerprint or facial recognition time clocks are common. For BIPA compliance:
- Provide written notice explaining what data is collected and why
- Obtain written consent/release from employees
- Establish a retention schedule and destroy data when no longer needed
- Implement reasonable security measures
- Don't sell or share the data
Many employers use templates for employee consent forms. Make sure yours covers all BIPA requirements.
Mobile App Authentication
If your app uses fingerprint or face ID for login, you're collecting biometric data. You need to:
- Disclose this in your privacy policy
- Obtain consent before enabling biometric authentication
- Explain how the data is stored (the platform biometric APIs on iOS and Android keep the template on the device and return only a match result to your app, which helps)
- Respect user rights to opt out
If biometric data is stored only on the device and never transmitted to your servers, your compliance obligations are reduced but not eliminated.
Security Systems
Facial recognition for building access requires:
- Notice and consent (for employees, this can be part of employment terms)
- Clear retention policies
- Security measures
- Restrictions on sharing
For visitors, you'll need to obtain consent before collecting biometric data.
Customer-Facing Applications
If you use biometrics for customer identification or authentication:
- Provide clear notice before collection
- Obtain explicit consent
- Explain how data is used and stored
- Allow opt-out
- Respect deletion requests
Customer-facing biometric collection requires more careful handling than employee use.
Best Practices for Biometric Data Compliance
Here are practices that help ensure compliance:
Minimize collection. Only collect biometric data if necessary. If a password or PIN works, use that instead.
Store locally when possible. If biometric data can be stored on the user's device rather than your servers, do that. It reduces your compliance burden.
Use templates. Create templates for notices and consent forms. This ensures consistency and completeness.
Set retention schedules. Don't keep biometric data forever. Set clear schedules for when data will be destroyed.
Implement security. Biometric data requires strong security measures. Encrypt it, limit access, and monitor for breaches.
Train your team. Make sure employees who handle biometric data understand the requirements.
Document everything. Keep records of notices, consents, retention schedules, and security measures.
Common Mistakes
Here are mistakes I see companies make:
Assuming device storage eliminates obligations. Even if biometric data stays on the device, you still have some compliance obligations.
Not obtaining proper consent. Vague consent or consent buried in terms of service isn't enough. You need clear, specific consent.
Keeping data too long. Biometric data should be deleted when no longer needed. Don't keep it "just in case."
Sharing without permission. BIPA and other laws restrict sharing biometric data. Don't share it unless you have explicit consent or a legal exception.
Not updating policies. As laws evolve, update your policies and practices accordingly.
The Bottom Line
Biometric data collection triggers strict privacy laws. BIPA, state laws, and GDPR all impose significant requirements and penalties.
If you're collecting biometric data, you need to:
- Understand which laws apply
- Provide clear notice
- Obtain proper consent
- Set retention schedules
- Implement security measures
- Respect user rights
The penalties for non-compliance can be severe—especially under BIPA, where class action lawsuits can result in massive settlements.
Before implementing biometric systems, assess whether they're necessary. If they are, build compliance into the system from the start. It's much harder to retrofit compliance later.
And if you're already collecting biometric data, audit your practices now. Make sure you're meeting all legal requirements. The cost of non-compliance far exceeds the cost of proper compliance.