Compliance Guides · March 29, 2026 · 11 min read

Biometric Privacy Laws by State: Which States Regulate Fingerprints, Face Scans, and Voiceprints in 2026?


Biometric Data Is the New Privacy Frontier

Fingerprints. Facial geometry. Iris scans. Voiceprints. These biometric identifiers are increasingly collected by employers, retailers, tech platforms, and app developers — and a growing number of states are responding with dedicated biometric privacy laws or biometric-specific provisions within broader data privacy statutes.

If your business collects or processes biometric information, you face a complex patchwork of state-level obligations. This guide maps every US state that regulates biometric data as of March 2026, explains what each law requires, and provides a practical compliance framework.

What Counts as Biometric Data?

While definitions vary by state, biometric data generally includes identifiers derived from a person's physical or behavioral characteristics that can be used for identification purposes. Common categories include:

  • Fingerprints and palmprints — used in time clocks, building access, and device authentication
  • Facial geometry — used in facial recognition, photo tagging, and identity verification
  • Iris and retina scans — used in high-security access systems
  • Voiceprints — used in voice assistants, call center authentication, and recordings
  • Gait patterns and keystroke dynamics — emerging behavioral biometrics used in fraud detection

Most state laws explicitly exclude photographs, writing samples and signatures, demographic data, tattoo descriptions, and physical descriptions such as height, weight, hair color, and eye color. Illinois BIPA also excludes information captured from a patient in a health care setting or handled for treatment, payment, or operations under HIPAA. The exclusion of photographs is narrow: the image itself is not a biometric identifier, but a faceprint computed from it is.

The Three Categories of State Biometric Laws

State biometric regulations fall into three buckets, each with different compliance implications for businesses.

Category 1: Dedicated Biometric Privacy Statutes

Three states have standalone laws focused specifically on biometric data, each with distinct enforcement mechanisms.

Illinois — Biometric Information Privacy Act (BIPA)

Illinois BIPA, enacted in 2008, remains the strongest biometric privacy law in the country and has generated billions of dollars in litigation. Key requirements include:

  • Written informed consent before collecting biometric identifiers
  • A publicly available retention and destruction policy
  • Prohibition on selling, leasing, or profiting from biometric data
  • Private right of action — individuals can sue for $1,000 per negligent violation or $5,000 per intentional/reckless violation

BIPA's private right of action has led to massive settlements. Facebook (now Meta) paid $650 million in 2021 to settle a BIPA class action over its photo-tagging feature, and in 2022 a jury returned a $228 million verdict against BNSF Railway for collecting truck drivers' fingerprints without consent (the verdict was later vacated on damages and the case settled for $75 million in 2024). Note that Illinois amended BIPA in August 2024 (SB 2979) so that liquidated damages accrue once per person for each method of collection rather than once per scan, curbing the per-scan exposure recognized in Cothron v. White Castle; the amendment also allows the required written release to be signed electronically.

Texas — Capture or Use of Biometric Identifier Act (CUBI)

Texas CUBI, enacted in 2009, has similar requirements to Illinois BIPA but with one key difference: there is no private right of action. Only the Texas Attorney General can enforce CUBI, with civil penalties of up to $25,000 per violation. Despite this limitation, Texas AG Ken Paxton demonstrated CUBI's teeth in 2024 by securing a landmark $1.4 billion settlement with Meta over facial recognition data practices.

Washington — Biometric Privacy Law (RCW 19.375)

Washington's 2017 biometric privacy law requires notice and consent before collecting biometric identifiers in a commercial context. Like Texas, enforcement is limited to the state Attorney General — there is no private right of action. Washington's law applies to biometric identifiers enrolled in a database for a commercial purpose.

Category 2: Comprehensive Privacy Laws With Biometric Provisions

All 21 states with comprehensive consumer data privacy laws classify biometric data as "sensitive data" requiring heightened protections. Most of these laws require opt-in consent before processing biometric identifiers; California, Utah, and Iowa instead give consumers a right to limit or opt out of sensitive-data processing, so notice and an opt-out mechanism, not prior consent, are the baseline there. The key states and their biometric provisions include:

  • California (CCPA/CPRA) — Biometric data is sensitive personal information. Consumers can limit its use and disclosure. Businesses must disclose biometric data collection in their privacy policy.
  • Virginia (VCDPA) — Requires opt-in consent for processing biometric data. Virginia's definition covers "data generated by automatic measurements of an individual's biological characteristics."
  • Colorado (CPA) — Biometric data that can identify an individual requires opt-in consent, and Colorado requires data protection assessments for biometric processing. A 2024 amendment (HB 24-1130), effective July 1, 2025, adds BIPA-style obligations for anyone processing biometric identifiers regardless of the CPA's volume thresholds: a public retention and deletion policy, notice and consent before collection, and limits on when employers may require biometric enrollment.
  • Connecticut (CTDPA) — Opt-in consent required for biometric data. Proposed SB 4 amendments would add explicit facial recognition restrictions.
  • Maryland (MODPA) — One of the strictest: prohibits the sale of sensitive data (including biometrics) entirely, not just requiring opt-in consent.
  • Texas (TDPSA) — Requires opt-in consent for biometric data processing, in addition to the standalone CUBI law.
  • Oregon (OCPA) — Biometric data is sensitive data requiring opt-in consent. Oregon also restricts the sale of precise geolocation data.

Use our Privacy Law Calculator to determine which of these state laws apply to your business based on your revenue, consumer count, and data practices.

Category 3: Sector-Specific and Municipal Biometric Laws

Several jurisdictions have biometric regulations targeting specific industries or use cases:

  • New York City — Commercial establishments that collect biometric data must post conspicuous signage. Violations carry penalties of $500–$5,000 per incident, with a private right of action. In March 2026, NYC lawmakers proposed additional restrictions on biometric surveillance in places of public accommodation.
  • Portland, Oregon — Bans the use of facial recognition technology by both city government and private entities in places of public accommodation.
  • Maryland — HB 1202 restricts employers from using facial recognition during interviews without written consent.

Emerging Biometric Legislation in 2026

Several states are actively considering new biometric-specific laws or expansions in 2026:

  • New York S 2539 — Currently on third reading in the Senate, this bill would require retailers to post signs warning customers about biometric data collection through electronic devices.
  • Connecticut SB 4 — Would add facial recognition restrictions to the existing CTDPA, including notice requirements, consent obligations, bias auditing, and use limitations. See our full analysis.
  • Massachusetts — Has multiple pending bills addressing facial recognition and biometric data in the workplace.

Compliance Framework: 7 Steps for Biometric Data

Step 1: Inventory Your Biometric Data Practices

Identify everywhere your organization collects, stores, or processes biometric data. Common sources include employee time clocks, building access systems, customer authentication, video analytics, and photo or voice processing features.

Step 2: Map Your Legal Obligations

Determine which biometric laws apply based on where your consumers and employees are located, not just where your business is headquartered. Use our Privacy Law Calculator and state comparison tool to identify all applicable laws.

Step 3: Obtain Proper Consent

For states requiring opt-in consent (most comprehensive privacy laws plus Illinois BIPA, Texas CUBI, and Washington's law), implement a clear, specific consent mechanism before collecting any biometric data, and keep a record of who consented, when, and to which version of your policy. Consent must be informed (explain what data you collect, why, and for how long), specific (not bundled with other terms or reused for a different purpose), and freely given (not a condition of service, where possible). Under BIPA the consent must be a written release, which since the 2024 amendment may be signed electronically.

Step 4: Publish a Biometric Data Policy

Illinois BIPA specifically requires a publicly available retention and destruction schedule. Even in states that don't mandate this, publishing a biometric data policy demonstrates good faith compliance. Include the types of biometric data collected, the purpose of collection, how long it's retained, and how it's destroyed. See our privacy policy requirements guide for state-specific disclosure obligations.

Step 5: Never Sell Biometric Data

Illinois, Texas, and Maryland explicitly prohibit selling biometric data. Even in states without an outright ban, selling biometric identifiers invites regulatory scrutiny and consumer backlash. Treat all biometric data as non-saleable.

Step 6: Implement Data Minimization and Retention Limits

Collect only the biometric data you actually need. Set clear retention periods and automatically destroy biometric data when the purpose for collection has been fulfilled or the individual's relationship with your organization ends. See our data minimization guide and data retention guide for best practices.

Step 7: Conduct a Data Protection Assessment

Several states (Colorado, Connecticut, Virginia, and others) require data protection assessments for processing sensitive data, which includes biometric information. Even where not legally required, a data protection impact assessment helps document your compliance posture. This can be critical evidence if you face an enforcement action or lawsuit.
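Steps 3, 4, and 6 above are where most BIPA claims are lost, and they can be enforced in code rather than only in a policy document. The following is an added example, not code from the original page: it gates enrollment on a consent record that names the subject, the policy version, and the specific purpose, computes each record's destruction deadline as the earliest of purpose fulfilment, end of the relationship, and a fixed cap after the last interaction, and writes an audit trail of every enrollment and destruction. The class names, policy identifier, timestamps, and template bytes are hypothetical; the three-year cap is an assumed policy parameter that mirrors BIPA's outer limit (destroy when the purpose is satisfied or within three years of the individual's last interaction, whichever comes first).

```python
"""Consent-gated enrollment and retention enforcement for biometric templates.
Added example; names, policy id, timestamps and template bytes are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AFTER_LAST_INTERACTION = timedelta(days=3 * 365)  # assumed cap, mirrors BIPA's 3-year limit
POLICY_VERSION = "bio-retention-2026-03"               # hypothetical published-policy identifier


class ConsentError(Exception):
    """Enrollment attempted without a valid, purpose-specific consent."""


@dataclass(frozen=True)
class Consent:
    subject_id: str
    policy_version: str     # the retention/destruction policy text the person actually saw
    purposes: frozenset     # purposes agreed to, e.g. {"timekeeping"}; nothing bundled
    signed_at: datetime


@dataclass
class BiometricRecord:
    subject_id: str
    purpose: str
    consent: Consent
    template: bytearray     # derived template only; the raw image or audio is never kept
    last_interaction: datetime
    purpose_fulfilled_at: datetime | None = None
    relationship_ended_at: datetime | None = None


def retention_deadline(rec: BiometricRecord) -> tuple[datetime, str]:
    """Earliest of: purpose fulfilled, relationship ended, cap after last interaction."""
    candidates = [(rec.last_interaction + MAX_AFTER_LAST_INTERACTION, "retention cap")]
    if rec.purpose_fulfilled_at is not None:
        candidates.append((rec.purpose_fulfilled_at, "purpose fulfilled"))
    if rec.relationship_ended_at is not None:
        candidates.append((rec.relationship_ended_at, "relationship ended"))
    return min(candidates, key=lambda c: c[0])


@dataclass
class BiometricStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def enroll(self, subject_id: str, purpose: str, template: bytes,
               consent: Consent | None, now: datetime) -> str:
        # Step 3: refuse unless consent exists for this subject, this policy version
        # and this specific purpose; consent for another purpose does not carry over.
        if (consent is None or consent.subject_id != subject_id
                or consent.policy_version != POLICY_VERSION
                or purpose not in consent.purposes or consent.signed_at > now):
            raise ConsentError(f"no valid consent for {subject_id}/{purpose}")
        key = f"{subject_id}:{purpose}"
        self.records[key] = BiometricRecord(subject_id, purpose, consent, bytearray(template), now)
        self.audit_log.append({"event": "enroll", "record": key, "at": now.isoformat(),
                               "consent_signed_at": consent.signed_at.isoformat()})
        return key

    def destroy(self, key: str, reason: str, now: datetime) -> None:
        rec = self.records.pop(key)
        # Overwrite the in-memory copy before dropping the reference. In a real deployment
        # this step is a verified delete of the stored blob and of every backup copy.
        for i in range(len(rec.template)):
            rec.template[i] = 0
        self.audit_log.append({"event": "destroy", "record": key, "reason": reason,
                               "at": now.isoformat()})

    def sweep(self, now: datetime) -> list[str]:
        """Step 6: destroy every record whose retention deadline has passed."""
        destroyed = []
        for key, rec in list(self.records.items()):
            deadline, reason = retention_deadline(rec)
            if deadline <= now:
                self.destroy(key, reason, now)
                destroyed.append(key)
        return destroyed


def demo() -> dict:
    """Constructed scenario: one employee time-clock enrollment, then offboarding."""
    t0 = datetime(2026, 3, 29, tzinfo=timezone.utc)
    store = BiometricStore()
    consent = Consent("emp-1042", POLICY_VERSION, frozenset({"timekeeping"}), t0)
    fake_template = b"\x13\x37" * 16      # constructed stand-in for a minutiae template
    try:
        store.enroll("emp-1042", "timekeeping", fake_template, None, t0)
        refused = False
    except ConsentError:
        refused = True
    try:
        store.enroll("emp-1042", "building-access", fake_template, consent, t0)
        refused_wrong_purpose = False
    except ConsentError:
        refused_wrong_purpose = True
    key = store.enroll("emp-1042", "timekeeping", fake_template, consent, t0)
    rec = store.records[key]
    swept_early = store.sweep(t0 + timedelta(days=400))   # still employed, under the cap
    rec.relationship_ended_at = t0 + timedelta(days=500)  # offboarded
    swept_after = store.sweep(t0 + timedelta(days=501))
    return {"refused_without_consent": refused, "refused_wrong_purpose": refused_wrong_purpose,
            "swept_early": swept_early, "swept_after": swept_after,
            "template_zeroed": all(b == 0 for b in rec.template),
            "destroy_reason": store.audit_log[-1]["reason"], "remaining": len(store.records)}


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the consent record, not a checkbox flag, is the thing the enrollment path checks: it carries the policy version and the purpose, so a policy revision or a new use (building access after time-clock consent) forces fresh consent instead of silently inheriting the old one. The audit log is what you will be asked to produce in litigation or an AG inquiry, so it records when consent was signed and why each template was destroyed, but never the template itself.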

Frequently Asked Questions

Which state has the strictest biometric privacy law?

Illinois BIPA is widely considered the strictest because it provides a private right of action, allowing individuals (not just the Attorney General) to sue for violations. This has led to billions of dollars in settlements and verdicts, making it the most consequential biometric law in practice.

Does BIPA apply to my business if I'm not based in Illinois?

Generally, yes, if you collect biometric data from Illinois residents. BIPA has no express extraterritorial clause, so courts ask whether the conduct occurred "primarily and substantially" in Illinois; collecting identifiers from people located in Illinois usually satisfies that test regardless of where the company is headquartered. If you have employees or customers in Illinois, assume BIPA applies.

Is a photograph considered biometric data?

Generally, no. Most biometric privacy laws explicitly exclude photographs from the definition of biometric identifiers. However, if you use facial recognition software to extract facial geometry measurements from a photograph, the resulting faceprint is biometric data. The distinction is between the photo itself and the mathematical template derived from it; the same line separates an ordinary audio recording from a voiceprint computed from it. Retaining only the source image is not a safe harbor if a template is computed from it at any point.

Do employee fingerprint time clocks require consent?

Yes, in most states with biometric laws. If you use fingerprint-based time clocks in Illinois, Texas, Washington, or any state with a comprehensive privacy law, you must obtain informed consent from employees before enrollment. This applies to both new and existing employees.

Are there federal biometric privacy laws?

There is currently no comprehensive federal biometric privacy law. BIPA-style protections exist only at the state level. The proposed American Data Privacy and Protection Act (ADPPA) would have included biometric provisions, but it was never enacted, and its 2024 successor, the American Privacy Rights Act (APRA), likewise stalled. Until federal legislation passes, businesses must navigate the state-by-state patchwork.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.