1. ESPLawyers
  2. Legislative Updates

Biometric Data Privacy Laws: State-by-State Updates & Legal Cases

Jul 21, 2025

1. Biometric Data Privacy Laws: State-by-State Updates and Why They Matter

The conversation around Biometric Data Privacy Laws: State-by-State Updates has moved from tech blogs into courtrooms and legislative halls. With facial recognition, fingerprint scanning, voice IDs, and even iris-tracking now common in phones, workplaces, and public services, the need for strong regulation is clear—and overdue.

Unlike traditional data like emails or passwords, biometric data is unique and non-changeable. Once compromised, it cannot be replaced. That’s why an increasing number of U.S. states are enacting or updating laws to regulate how companies collect, store, and use such data. But since the U.S. lacks a unified federal biometric privacy law, rules vary significantly by state.

At ESPLawyers, we help individuals, companies, and tech developers navigate this evolving legal landscape and stay compliant with both current laws and upcoming changes.

2. Key State Laws Governing Biometric Data Collection

2.1 Illinois – Biometric Information Privacy Act (BIPA)

Illinois continues to lead the pack with its Biometric Information Privacy Act (BIPA), passed in 2008. Under BIPA, companies must obtain written consent before collecting biometric data, explain how they plan to use it, and outline a clear retention schedule. Violations can lead to hefty penalties, including $1,000–$5,000 per offense.

This law has been used in high-profile lawsuits against Facebook (now Meta), TikTok, and major employers. In 2023, White Castle was hit with a $17 billion claim in a BIPA class-action suit—demonstrating just how high the stakes can be.

2.2 Texas – Capture or Use of Biometric Identifier (CUBI) Act

Texas passed its biometric privacy law in 2009. While similar to Illinois' law in intent, it’s less detailed and doesn’t allow for private individuals to sue—only the state attorney general can enforce it. However, companies violating CUBI may still face injunctions or civil penalties.

2.3 Washington State – Biometric Identifiers Law

Washington's law, enacted in 2017, regulates the use of biometric identifiers for commercial purposes. It requires notice and consent but stops short of offering a private right of action. Enforcement falls to the state’s attorney general, making Washington’s law more lenient than Illinois' but still impactful.

2.4 California – CCPA & CPRA Impact

While not a biometric-specific statute, California’s Consumer Privacy Act (CCPA) and the updated California Privacy Rights Act (CPRA) include biometric data within broader personal information categories. Consumers can request to know, delete, or opt out of data collection—offering general but enforceable protection.

3.1 Facebook (BIPA Class Action)

In a groundbreaking 2020 settlement, Facebook agreed to pay $650 million after being sued under BIPA for using facial recognition technology to tag users in photos without consent. This case set the tone for future privacy litigation and proved the financial risks of non-compliance.

3.2 TikTok and Minor Users

TikTok faced class-action suits claiming the app collected facial scans and voiceprints of minor users without parental consent. Although TikTok denied wrongdoing, it agreed to a $92 million settlement in 2021. This case emphasized how youth data and biometric identifiers can trigger legal action across state lines.

3.3 Amazon and Ring Data Sharing

Amazon has come under scrutiny for how its Ring doorbells and Alexa devices collect and store biometric data such as voice and facial images. While legal challenges are ongoing, the controversy illustrates how even household tech can land companies in biometric-related lawsuits.

4.1 States to Watch: New York, Florida, Massachusetts

Several states, including New York and Florida, are considering laws modeled after BIPA. Massachusetts has proposed legislation that would give consumers the right to sue companies for unauthorized biometric use. As pressure builds from data advocacy groups, more states are likely to follow.

4.2 Legislative Shifts Toward Private Rights of Action

A key trend is the push to allow individuals—not just the government—to bring lawsuits. This increases accountability for businesses and creates real legal leverage for consumers whose biometric data has been misused.

4.3 Growing Focus on AI and Biometric Surveillance

New laws increasingly intersect with artificial intelligence. Legislators are now looking at how biometric recognition is embedded in surveillance systems, hiring algorithms, and even law enforcement databases—raising both privacy and civil liberty questions.

5. How Businesses and Consumers Should Respond—Legally and Practically

5.1 For Businesses: Build Consent and Transparency

If you collect or use biometric data, get ahead of regulation by implementing clear opt-in consent mechanisms, secure storage systems, and detailed privacy policies. Transparency builds trust and protects against litigation.

5.2 For Consumers: Know Your Rights

If you live in a state like Illinois or California, you may already have strong biometric protections. But regardless of where you live, it’s important to ask how your employer, apps, or devices use your biometric data—and whether you’ve given valid consent.

5.3 Legal Support Makes the Difference

Whether you’re building a product that uses biometric tech or feel your data has been exploited, having a legal team that understands both privacy law and tech infrastructure is essential. At ESPLawyers, we specialize in emerging data regulations and can guide you through compliance, litigation, or advocacy.