How Existing Privacy Laws Apply to Fingerprint and Face Scan Technology

Fingerprint and Face Scan Technology

Face scans. Fingerprints. Iris scanners.

Biometrics are everywhere these days, and the law is scrambling to keep up.

The question is, what privacy laws apply to face scans and fingerprints? And what happens when businesses fail to comply with those laws?

Here’s what you need to know…

  1. What Is Biometric Data — And Why Does It Matter?
  2. Which Laws Currently Govern Biometric Data?
  3. What a Biometric Data Retention Policy Actually Requires
  4. How State Biometric Privacy Laws Are Quickly Expanding
  5. Recent Settlements Show Biometric Laws Are Being Enforced
  6. Where Does This Leave Your Business?

What Is Biometric Data — And Why Does It Matter?

Biometric data is any measurement of a physical or behavioral trait that can be used to identify one individual and distinguish them from another.

That includes:

  • Fingerprints and hand scans
  • Face geometry scans
  • Eye scans (iris and retina)
  • Voiceprints

The problem with biometric data is…

You can’t change your fingerprint if it’s stolen. You can’t destroy your face scan. Once that data is out of your control, it’s lost forever.

That’s why laws governing the retention of biometric data are some of the strictest you’ll find.

And they should be.

Biometric data is forever. A leaked password can be reset; a leaked fingerprint or face geometry cannot. Once a copy of that data leaves your systems, deleting your own copy does not undo the exposure. That is why the controls around stored biometric data (limiting collection, encrypting it at rest, restricting access, and deleting it on a fixed schedule) matter even more than they do for ordinary credentials.

Face Scans And Fingerprints Are Governed By…


As of 2025, more than 20 U.S. states have privacy laws that regulate biometric data, either as dedicated biometric statutes or as part of comprehensive consumer privacy laws that treat biometric identifiers as sensitive data. Biometric privacy is one of the fastest expanding areas of privacy law.

As more businesses collect biometric data, the risk of a biometric privacy lawsuit grows, and state attorneys general and private plaintiffs are already filing them.

If your business does not have a biometric data retention policy that complies with every state you operate in…you could be next.

Two of the biggest players in the world couldn’t even get it right.

Below are the key laws that apply to biometrics. Each state law sets its own requirements for a biometric data retention policy, but the standards below are the ones most states apply.

  • Illinois — Biometric Information Privacy Act (BIPA), which set the standard other states have followed
  • Texas — Texas Capture or Use of Biometric Identifier Act
  • Washington — Biometric Privacy Protection Act
  • California — California Consumer Privacy Act

Illinois BIPA — The Strongest Biometric Law

Passed in 2008, Illinois’ Biometric Information Privacy Act is (by far) the strongest law regulating biometric data.

Companies must:

  • Obtain informed written consent before collecting ANY biometric identifier
  • Make a written retention policy publicly available that sets a retention schedule and destruction guidelines
  • Not sell, lease, trade, or otherwise profit from biometric data
  • Accept that any aggrieved individual may sue for violations directly

The private right of action is key. Under most state privacy laws, only the State Attorney General can bring a case. Under BIPA, any aggrieved person, including an employee, can sue directly, and those suits are routinely brought as class actions.

This ended up being the case for Facebook…

Your Biometric Data Retention Policy Matters

Let’s get something straight.

If your business collects any biometric data, you are required to have a biometric data retention policy in place before collecting that data.

Plain and simple.

BIPA requires a publicly available written retention policy before biometric data is collected, and California’s CCPA requires notice at or before collection that includes how long each category of personal information will be retained. As of July 1, 2025, Colorado imposes a comparable written-policy requirement.

That policy must include:

  • The types of identifiers being collected
  • The specific purpose for collection
  • HOW LONG the data will be stored
  • The methods of destruction once data storage expires

Colorado’s recent amendment to its Consumer Privacy Act also requires businesses to obtain consent before collecting biometric identifiers, and requires controllers (including employers) to maintain a written policy covering retention, deletion, and response to security incidents involving biometric data. Other states are expected to follow suit.

A biometric retention policy should be created before collecting the first fingerprint.

State Privacy Laws Are Quickly Expanding

Illinois alone accounted for over 100 BIPA lawsuits in 2025. And those lawsuits span industries from trucking to hospitals to retail.

The message is clear…

These lawsuits are here — and they’re coming after any company that doesn’t comply.

But Illinois isn’t the only game in town.

Biometric privacy laws are popping up all over.

States considering a BIPA-esque law:

  • New York
  • Massachusetts
  • Missouri

States recently requiring consent for biometric data collection:

  • Delaware
  • New Jersey

Expect that list to grow by at least a few states every year. With dozens of states considering laws or amendments to current laws, it’s only a matter of time before your state passes something.

And they will look to BIPA as a model.

What Businesses Have Gotten Fined?

Facebook agreed to pay $650 million in 2020 to settle a BIPA class action. Target paid $1.5 million in 2021 to settle BIPA claims. In Chicago, a hospital system agreed to a $600,000 settlement in 2023 after investigators “found virtually endless examples of patient biometric data being stored without a documented retention period or instructions on how and when to permanently delete the information.”

You may notice all of the penalties are in Illinois. That’s because Illinois has the strictest biometric laws by far. But that won’t be true for long.

Texas struck the largest agreed settlement to date in 2024. Meta (Facebook’s parent company) settled with the state for $1.4 billion over violations of the Texas Capture or Use of Biometric Identifier Act, otherwise known as CUBI.

Your business can be next.

Examples of Recent Settlements

Texas CUBI

Texas’s statewide biometric privacy law imposes requirements very similar to BIPA’s, although it is enforced by the Texas Attorney General rather than through private lawsuits. Companies must:

  • Inform users in writing of the purpose for collecting biometric data.
  • Receive a written release from the individual BEFORE collecting their biometric identifier.
  • Not sell, lease, or otherwise disclose biometric identifiers except as the statute permits.

Failure to comply can result in:

  • Up to $25,000 for each negligent violation.
  • Up to $100,000 for each intentional violation.

Meta paid $1.4 billion in Texas versus $650 million in Illinois. For a sense of scale, Texas’s population is roughly double that of Illinois.

Washington’s BPPA

Washington’s biometric law took effect in March of 2025. It requires companies to:

  • Inform individuals in writing that their biometric data is being collected.
  • Receive individual consent for collection.
  • Prohibit sale or profiting off of biometric data.

Penalties under the BPPA have not yet been tested in court. For comparison, Illinois BIPA sets statutory damages at $1,000 per negligent violation and $5,000 per intentional or reckless violation. The projection here for BPPA violations is:

  • $5,000 per intentional violation.
  • $250 per negligent violation.

Two of the biggest companies in the world couldn’t get it right. Your business probably doesn’t have their legal budget.

Where Does This Leave Your Business?

If you’re still reading, great. The seriousness of biometric data is clear.

If your business collects any biometric data from customers or employees, here are some things to consider doing RIGHT NOW:

  1. Write a biometric retention policy
  2. Obtain written consent from EVERY individual
  3. Establish deletion timelines for stored biometric data
  4. Train all employees who interact with biometric data
  5. Perform an audit to ensure existing tools are compliant

Writing a biometric data retention policy shouldn’t take very long. As long as it is clear, comprehensive, and compliant with the laws of every state you operate in, your business will be in a good position to collect biometric data.

The tricky part is knowing which laws apply and what each one requires. States will continue passing and expanding biometric privacy laws at a rapid rate, and keeping up with every update is a significant challenge.

Scheduling a free consultation with a qualified privacy attorney is a good next step for any business navigating biometric data compliance.
