The enactment of biometric privacy laws is a growing trend across the country. Existing legislation has led to a boom of class action litigation against employers, consumer-facing businesses, and technology companies for claimed violations of biometric privacy rights. It is therefore imperative that businesses remain informed of their obligations, which are increasingly expanding and being required in new jurisdictions, as non-compliance can create significant monetary exposure.
Biometric privacy laws and regulations generally require businesses to track, inform employees or consumers of, and provide methods for employees or consumers to consent to, the collection of biometric information or biometric identifiers. BCLP has been tracking enacted biometric privacy laws and proposed legislation across the United States. Below is a high-level summary of existing laws and proposed bills introduced across the country that pertain to private sector companies' collection or use of biometric data. Additional privacy, data-breach, industry-specific, and public-sector regulations and proposed legislation exist. Readers are thus encouraged to consult their regular Bryan Cave Leighton Paisner contact or the authors of this article for more information and guidance.
BCLP continues to monitor. Please check back here periodically for updates.
U.S. Biometric Laws and Bills by State
Existing Laws
State |
Statute |
Details |
Arkansas |
Personal Information Protection Act ("PIPA") ARK. CODE ANN. §§ 4-110-101 et seq. |
Requires a business to take all reasonable steps to destroy or arrange for the destruction of a customer's records containing personal information (which includes "biometric data") and implementation and maintenance of reasonable security procedures and practices. Provides for enforcement by the Arkansas Attorney General. |
California |
California Consumer Privacy Act ("CCPA") |
Comprehensive data privacy statute that includes obligation to make certain disclosures regarding collection of biometric data. More information on the CCPA can be found here. |
Colorado |
Consumer Protection Act COLO. REV. STAT. ANN. §§ 6-1-713, 6-1-713.5. |
A covered entity that maintains, owns, or licenses personal identifying information (including biometric information) must develop and implement a written plan for the disposal of such information and must implement and maintain reasonable security procedures and practices. |
Illinois |
Biometric Information Privacy Act ("BIPA") 740 ILCS 14/1 et seq. |
BIOMETRIC SPECIFIC. Depending on whether a private entity is possessing, capturing, collecting, otherwise obtaining, or disclosing biometric information or biometric identifiers, requires: (1) a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information; (2) compliance with that policy; (3) protection of the biometric information using the reasonable standard of care within the industry or in a manner as protective as the entity protects other confidential and sensitive information; (4) informing the subject whose biometric information is to be collected of the specific purposes and length of term for which biometric information is being collected, stored, or used; and (5) receiving a written release from the individual to proceed with the collection or disclosure of the biometric information. Provides for recovery of liquidated statutory damages or actual damages, and attorneys' fees and expenses. (But see Proposed Legislation below). |
Maryland |
Personal Information Protection Act MD. CODE ANN., COM. LAW §§ 14-3501 et seq. |
Requires a business to take reasonable steps to protect against unauthorized access to or use of personal information (including biometric data), including requiring in contracts with certain nonaffiliated third party service providers that the service provider will implement and maintain reasonable security procedures and practices. |
New York |
Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") |
Comprehensive data security statute that applies to biometric information. More information on the SHIELD Act can be found here. |
New York |
N.Y. LAB. LAW § 201-a. |
BIOMETRIC SPECIFIC. Prohibits employers from requiring a fingerprint from employees, as a condition of securing employment or of continuing employment, unless as provided by other laws. (See also New York State Department of Labor RO-10-0024 for opinion on use of a biometric device in a time clock). |
New York |
City of New York Administrative Code, Title 22, Chapter 12. |
BIOMETRIC SPECIFIC. Any "commercial establishment" that collects biometric information from "customers" must disclose the collection "by placing a clear and conspicuous sign near all of the commercial establishment's customer entrances." Makes it unlawful to sell, lease, trade, share, exchange for anything of value, or otherwise profit from the transaction of biometric identifier information. |
Oregon |
Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050. |
BIOMETRIC SPECIFIC. Prohibits the use of Facial Recognition Technologies in Places of Public Accommodation by Private Entities within the boundaries of the City of Portland. Provides for recovery of damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater. |
Texas |
TEX. BUS. & COM. CODE ANN. § 503.001 |
BIOMETRIC SPECIFIC. Requires that a person capturing a biometric identifier of an individual for a commercial purpose inform the individual before capturing the biometric identifier and receive the individual's consent and requires protecting the data from disclosure using reasonable care and in a manner as protective as the entity protects other confidential information. Biometric identifiers must be destroyed within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires. Also prohibits a person in possession of a biometric identifier of an individual from selling, leasing, or otherwise disclosing the biometric identifier unless in certain circumstances. Provides for a civil penalty of no more than $25,000 for each violation, enforceable by the Texas Attorney General. |
Virginia |
Virginia Consumer Data Protection Act |
Comprehensive data privacy statute that includes obligation to obtain consent prior to collection or use of biometric data. Provides for civil penalties of up to $7,500 per violation, enforceable by the Virginia Attorney General. (Effective date January 1, 2023). |
Washington |
WASH. REV. CODE §§ 19.375.010 et seq. |
BIOMETRIC SPECIFIC. Provides that a person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. Provides for enforcement by the Texas Attorney General under the Washington Consumer Protection Act. |
Proposed Legislation
State |
Legislation |
Information |
Alabama |
Consumer Privacy Act |
Would require a business to make certain disclosures regarding what information it collects and has collected, and the purposes for which that information is used. |
Alaska |
Consumer Data Privacy Act 2021 AK H.B. 159 2021 AK S.B. 116 |
Would require a business that collects personal information from a consumer to notify the consumer before collecting the information. |
Arizona |
AZ H.B. 2729 |
Would amend a law that prohibits collection of personally identifiable data using certain strategies such as malware, keystroke logging and similar practices by changing the definition of "sensitive information" to include biometric information. |
Arizona |
AZ H.B. 2865 |
Would allow consumers to opt out of their personal data being sold to a third party. |
Colorado |
2021 CO H.B. 1244 |
BIOMETRIC SPECIFIC. Would require an entity that targets products or services to people in Colorado that collects, stores, or uses biometric identifiers of a Colorado consumer to provide the consumer with information about the biometric identifiers collected, obtain consent, and provide a right to revoke consent at any time. |
Colorado |
Colorado Privacy Act 2021 CO S.B. 190 |
Would give consumers the right to: (1) request disclosure of the information that a business collects about the consumer, including biometric information; (2) request deletion of such information; and (3) opt out of the sale of such information. |
Connecticut |
2020 CT S.B. 134 |
Would give consumers the right to: (1) request disclosure of the information that a business collects about the consumer, including biometric information; (2) request deletion of such information; and (3) opt out of the sale of such information. |
Connecticut |
Consumer Privacy Act |
Would establish a framework for controlling and processing personal data, responsibilities and privacy protection standards for data controllers and processors, and grant consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data for the purposes of targeted advertising. |
Hawaii |
HW H.B. 2572 |
Would amend the requirements for handling consumer personal information for the purposes of security. |
Illinois |
2021 IL H.B. 3414 |
BIOMETRIC SPECIFIC. Would amend the BIPA by eliminating the "for each violation" language relating to recoverable damages and providing that the BIPA would not apply in the employment context. |
Illinois |
2021 IL H.B. 3304 |
BIOMETRIC SPECIFIC. Would repeal the BIPA in its entirety. |
Illinois |
2021 IL H.B. 3112 |
BIOMETRIC SPECIFIC. Would amend the BIPA by excluding timekeeping systems used by employers, making the BIPA solely enforceable by Illinois Attorney General, requiring a plaintiff to show actual harm, allowing for recovery of damages only for "initial violation," and reducing amount of liquidated damages recoverable. |
Illinois |
2021 IL S.B. 300 |
BIOMETRIC SPECIFIC. Would amend the BIPA by excluding from the definition of "biometric information" any "information that cannot be used to recreate original identifier," eliminating the public policy requirement, allowing for a cure period, and allowing only for recovery of actual damages. |
Illinois |
2021 IL H.B. 1764 |
BIOMETRIC SPECIFIC. Would amend the BIPA by giving the Illinois Attorney General sole power to enforce BIPA in instances of actual harm and exempting employers. |
Illinois |
2021 IL H.B. 560 |
BIOMETRIC SPECIFIC. Would amend the BIPA by eliminating the "right of action" section and replacing with Department of Labor enforcement. |
Illinois |
2021 IL S.B. 602 |
BIOMETRIC SPECIFIC. Would amend the BIPA by excluding "information captured and converted to a mathematical representation" from the BIPA's definition of "biometric identifiers" and excluding "biometric time clocks" and "biometric locks" from the BIPA's purview. |
Illinois |
2021 IL S.B. 1607 |
BIOMETRIC SPECIFIC. Would amend the BIPA by exempting from the BIPA's purview employers who collect, capture, obtain, or otherwise use biometric identifiers or biometric information for recording employee work hours, security purposes, facility access, or human resources purposes. |
Illinois |
Consumer Privacy Act |
Would require a business to, at or before the point of collection, inform a consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. |
Kentucky |
2021 KY S.B. 278 |
BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. |
Florida |
Privacy Protection Act |
Would allow consumers to opt out of their personal data being sold to a third party. |
Maryland |
Biometric Identifiers and Biometric Information Privacy Act |
BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. |
Maryland |
Online Consumer Protection Act |
Would require a business that collects a consumer's personal information, at or before the point of collection, to clearly and conspicuously provide notice to the consumer regarding the collection, use, and disclosure of the information collected. Would also give the consumer a right to request a copy or deletion of his/her personal information and to opt out of their personal data being sold to a third party. |
Massachusetts |
Information Privacy Act 2021 H.B. 142 |
Would require certain businesses to solely share an individual's personal information with third-party entities that will agree to provide the same duties of care, loyalty, and confidentiality imposed by this Act. |
Massachusetts |
Biometric Information Privacy Act 2021 S.B. 220 |
BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. |
Minnesota |
Consumer Data Privacy Act |
Would establish a framework for controlling and processing personal data, responsibilities and privacy protection standards for data controllers and processors, and grant consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data for the purposes of targeted advertising. |
Montana |
Online Personal Information Protection Act 2021 MT H.B. 710 |
Would require any business that owns a website or an online service that collects and maintains biometric information to post a privacy policy on its website. |
New Jersey |
N.J. A.B. 3625 |
BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. |
New York |
Biometric Privacy Act 2021 NY S.B. 1933 |
BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. |
New York |
Privacy Act 2021 NY A.B. 680 |
Would prohibit the use, processing, or transfer of personal data of consumers (including biometric information) unless the consumer provides express and documented consent. Would also require companies to disclose their methods of de-identifying personal data, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared. Also creates a special account to fund a new office of privacy and data protection. |
New York |
2021 NY A.B. 488 |
BIOMETRIC SPECIFIC. Would prohibit biometric data from being used for marketing purposes. |
New York |
2021 NY S.B. 567 |
Would provide consumers the right to request info about biometric data collected. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who direct that their personal information not be sold. Requires that there be a clear and conspicuous link on the business's website titled "Do Not Sell My Biometric Information." Provides for statutory or actual damages. |
New York |
It's Your Data Act |
Would classify as a misdemeanor the failure to obtain written consent before collecting, storing, or using biometric data. Would also provide for recovery of actual damages. Would also require a business that collects a consumer's personal information to disclose certain information in an online privacy policy. |
New York |
Digital Fairness Act |
Would require a covered entity in possession of biometric information to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information. Would also require a covered entity to obtain informed written consent prior to the collection, capture, purchase, or receipt through trade of an individual's biometric information. Would provide for liquidated damages of $10,000 or actual damages, whichever is greater. |
New York |
2021 NY S.B. 5879 |
Would prohibit any private entity from using biometric identifiers or biometric information for any advertising, marketing, promotion, or other activity that is intended to be used to influence business volume, sales, or market share or to evaluate the effectiveness of marketing practices or personnel. |
North Carolina |
Consumer Privacy Act 2021 NC S.B. 569 |
Would establish a framework for controlling and processing personal data, responsibilities and privacy protection standards for data controllers and processors, and grant consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data for the purposes of targeted advertising. |
Oklahoma |
Computer Data Privacy Act |
Would require an entity collecting personal information to obtain informed written consent. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who choose to have their information deleted. |
Oklahoma |
2021 OK H.B. 1130 |
Would require any business or website that operates an online business or website that collects a consumer's personal digital information or data to, before the point of collection, conspicuously post on its website homepage information regarding the information to be collected or disclosed. Provides for civil monetary penalties and Oklahoma Attorney General enforcement. |
Pennsylvania |
Consumer Data Privacy Act 2021 PA H.B. 1126 |
Would provide consumers the right to request info about biometric information collected. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who exercise rights under the statute. Requires that there be a clear and conspicuous link on the business's website titled "Do Not Sell My Biometric Information." Provides for statutory or actual damages. |
South Carolina |
Biometric Data Privacy Act |
BIOMETRIC SPECIFIC. Would require a business that collects a consumer's biometric information to, at or before the point of collection, inform the consumer about the information being collected and used. Would also grant consumers the right to access, delete and obtain a copy of personal data. Requires that there be a clear and conspicuous notice with a reasonably full and complete description of the business's practice governing the processing of personally identifying information. Provides for civil penalties. |
Texas |
2021 TX H.B. 3741 |
Would require certain businesses to provide consumers the right to request info about biometric information collected. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who exercise rights under the statute. Requires that there be a clear and conspicuous link on the business's website titled "Do Not Sell My Biometric Information." Provides for statutory or actual damages. |
Texas |
2021 TX S.B. 1952 |
BIOMETRIC SPECIFIC. Would amend the Business & Commerce Code to require a person who captures an individual's biometric identifier for a commercial purpose to provide the individual with information on the type of technology used, the purpose or method for capturing or collecting the identifier, and the method for storing data related to the captured identifier. |
Texas |
2021 TX H.B. 4164 |
Would amend the Business & Commerce Code to require certain businesses to provide consumers the right to request info about or delete biometric information collected. |
Vermont |
VT H.B. 75 |
BIOMETRIC SPECIFIC. Would prohibit use of facial or voice recognition technology unless a consumer opts in to use of the technology. Would also require use of facial recognition technology to be disclosed on a clear, conspicuous, physical sign at the entrance of a building. |
Washington |
2021 WA S.B. 5104 |
BIOMETRIC SPECIFIC. Would prohibit operation, installation, or commissioning the operating of facial recognition technology in any place of public resort, accommodation, assemblage, or amusement. |
Washington |
2021 WA H.B. 1433 |
Would require a covered entity to make a long-form and short-form privacy policy "persistently and conspicuously" available that provides notice regarding the personal information being processed, captured, used, or disclosed. Would also grant consumers the right to access, correct, delete, and obtain a copy of personal data. |
Washington |
Washington Privacy Act S.B. 5062 |
Would prohibit a "controller" from processing "sensitive data" (including biometric information) concerning a consumer without obtaining the consumer's consent. |
West Virginia |
Biometric Information Privacy Act |
BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. |