Biometric data and USA privacy laws

In 2018, the US state of Illinois became the first to adopt the Biometric Information Privacy Act to address businesses’ collection of biometric data.


The USA does not have any federal law dealing with the use of biometric data, but certain states, like Illinois, have the Biometric Information Protection Act. BIPA imposes obligations on organizations that collect and use biometric information such as iris scans, fingerprints, voiceprints and DNA. One of BIPA’s main requirements is that organizations must obtain the written consent of the data subject before they process biometric data.


One of the main BIPA cases addressed the question of whether a data subject needed to experience actual harm before approaching the court for relief. A mother brought her case before the Illinois Supreme Court because a company required her son to scan his fingerprints, enabling him to use his season pass. She didn’t suffer damages; however, the company did violate her and her son’s rights by not getting their consent to collect biometric data. The court ruled that no actual damage needs to occur for you to bring an action under BIPA.

Pending federal legislation

The landscape of biometrics and regulations is constantly evolving. More states are beginning to pass biometric privacy laws similar to that of Illinois. Since 2008, four other states have adopted legislation modeled on BIPA—Arkansas, California, Texas, and Washington. The state of Washington passed its state data privacy bill, which will change the way companies use biometric data for facial recognition technology. Federal lawmakers are working on legislating biometric information. The National Biometric Information Privacy Act of 2020 was introduced and would require covered entities to obtain consent prior to capturing biometrics. The proposed federal law, which is currently still under review in the U.S. Senate, would also include a private right of action.