Navigating biometrics compliance is complex, largely because of the fast pace at which new biometric privacy laws are passed and the patchwork biometrics regulatory landscape at the city, state, federal, and international levels. Failing to comply with biometric laws can result in costly litigation as well as reputational and regulatory enforcement risk.

Some of the most notable laws fall into three main categories – biometric-specific laws, components of comprehensive privacy laws that apply to biometrics, and city-level ordinances applicable to biometric information, which we further outline below:

Biometric-Specific Laws

Some of the most widely known biometric privacy laws are “standalone” biometric-specific privacy laws aimed solely at regulating biometrics. They contrast with other laws, such as the comprehensive privacy laws discussed further below, which are broad-ranging but have biometric compliance components.

We give an overview of two of the most widely known biometric-specific state privacy laws below:

Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act (BIPA) is one of the original and most actively litigated biometric laws. It sets stringent requirements for collecting, using, and storing biometric identifiers and information. BIPA mandates informed consent, data retention policies, and biometric data protection. Noncompliance can lead to significant financial penalties and private actions. Most BIPA litigation takes the form of costly class actions, which can be tracked here.

Texas’s “Capture or Use of Biometric Identifier” Act (CUBI)

Texas’s Capture or Use of Biometric Identifier Act (CUBI) also governs the collection and use of biometric data. CUBI requires businesses to inform individuals and obtain consent before capturing their biometric identifiers. The act emphasizes the importance of safeguarding biometric data to prevent unauthorized use and potential breaches. To illustrate the cost of noncompliance, Meta reached a $1.4 billion settlement with Texas’s attorney general, Ken Paxton, for violating CUBI. The allegation that resulted in the significant settlement centered on Meta collecting facial recognition information on millions of users, in violation of state law, by automatically tagging users’ faces on Facebook.

Comprehensive State and International Privacy Laws

Certain comprehensive privacy laws on the state level, such as California’s CCPA as amended by the CPRA and Colorado’s CPA, among numerous others, have components that specifically apply to the collection and use of biometrics. Further, comprehensive international privacy laws, such as the European Union’s GDPR and the United Kingdom’s equivalent law, provide added conditions for biometric data processing. Lastly, health privacy laws, such as Washington’s MHMDA, have biometric applications as well.

City-Specific Laws

Several city-level or similarly jurisdiction-specific biometric privacy laws exist, including New York City’s, which, due to the large number of businesses within its scope, is more overarching than other county or city-specific laws.

New York City Biometric Identifier Information Law

New York City has enacted its own biometric-specific regulations, requiring businesses to disclose their use of biometric identifier technology and obtain consent from individuals before collecting their biometric data. Noncompliance can result in civil penalties and damage to reputation.

Sector-Specific Biometric Processing Applications Increasing

As biometrics and other assistive technologies, such as artificial intelligence, further advance, businesses of all types and sizes are incorporating these rapidly evolving technologies into varying parts of their operations. The motivations range from achieving efficiencies to staying at the cutting edge of the competitive landscape.

Some of the most common scenarios for implementing biometric data processing and, by extension, the need for compliance include the following:

Biometrics in Employment and Recruiting

Biometric data usage in the context of recruiting and employment is under intense scrutiny. For instance, Amazon faced a lawsuit over potential violations of biometric and privacy laws for using and sharing the biometric data of its employees without proper consent.

Biometrics in Public Places and Retail

Biometric technologies are increasingly used for payment and security in public places and retail environments to prevent theft. However, businesses must navigate the legal requirements for biometric data collection and use, ensuring transparency and consent from individuals to prevent legal actions.

Social Media and Internet Platforms

Social media and internet platforms frequently face regulatory enforcement and private actions for improperly using biometric data. Notable cases include regulatory and private actions against Facebook and Twitter for failing to obtain proper consent and mishandling biometric data. That said, there is much nuance about what is deemed biometrics. For example, Facebook’s photo tagging technology to identify friends on social media has been deemed in at least certain contexts, such as BIPA, not to be biometric due to how the technology works.

[Image: Whole Foods NYC biometrics notice]

Web Scrapers

One of the most notorious uses of photographs scraped online, with biometric privacy and compliance implications by extension, is by vendors such as Clearview, which hoover up millions, if not billions, of images and then sell law enforcement, among other clients, access to vast databases with image and facial recognition use cases. Clearview has been the target of private actions alleging noncompliance with various laws ranging from BIPA to the GDPR, which have resulted in orders to stop its activities and monetary settlements on numerous occasions, including a $33 million fine from a Dutch regulator.

Helping Clients Navigate Biometric Privacy Compliance

At RICHT, as a privacy lawyer guiding clients on the ever-evolving regulatory landscape, we help clients ensure compliance with biometric and related privacy laws, including:

We understand the nuanced requirements of biometric and privacy laws across various jurisdictions and sectors. By partnering with us, you can confidently capitalize on biometrics and related technologies while accounting for the legal compliance landscape to protect your business from potential risk.

