The evolution of biometric data privacy laws

January 25, 2023

As states and localities enact more robust laws related to data privacy and security, biometric laws – such as the Illinois Biometric Information Privacy Act (BIPA) – are front-of-mind for both legislators and businesses. An increase in biometric privacy class action lawsuits and arbitration, an uptick in proposed legislation, and widespread criticism of both facial and voice recognition technologies suggest that biometrics will remain a hot topic for legal professionals.

[Bloomberg Law provides guidance that empowers practitioners to take decisive action amid fast-paced changes to privacy laws. Learn about our privacy and data security tools and resources.]

What is biometric data?

Biometrics are measurements related to a person’s unique physical characteristics, including but not limited to fingerprints, palmprints, voiceprints, facial, retinal, or iris measurements, and more. A person’s biometric data – their specific measurements – can be used as unique identifiers.

As tools to collect biometric data become more advanced and increasingly employed, laws like the Illinois Biometric Information Privacy Act (BIPA) are being introduced and considered to prevent private entities from collecting biometric information without disclosure and consent.

2022 Outlook on Privacy Data Security thumbnail

Download: Compare state biometric privacy statutes

Download the chart below to easily compare the details of biometric data privacy laws enacted in Illinois, Texas, and Washington.

The Illinois Biometric Information Privacy Act (BIPA)

In 2008, Illinois became the first state to enact a biometric data privacy law. The law requires entities that use and store biometric identifiers to comply with certain requirements and provides a private right of action for recovering statutory damages when they do not.

BIPA specifies that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

BIPA also defines a “biometric identifier,” in part, as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

Privacy Law FAQs featured image

Download: Privacy Law FAQs

Download this informative look at the consumer data privacy laws changing business practices in the U.S.

Prominent BIPA lawsuits

A decade after its enactment, several recent cases have put BIPA in the headlines and made it easier to file BIPA suits.

First, in 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. held that a plaintiff can be considered an “aggrieved person” under the statute and “be entitled to liquidated damages and injunctive relief” without alleging an actual injury. Then, in May 2020, the U.S. Court of Appeals for the Seventh Circuit in Bryant v. Compass Group USA, Inc. clarified that such a person has suffered an injury-in-fact sufficient to support standing under BIPA Section 15(b).

Also in 2020, the Facebook BIPA class action lawsuit Patel v. Facebook, Inc. reached a conclusion when Facebook agreed to a $650 million settlement, one of the largest consumer privacy settlements in U.S. history, to resolve claims it collected user biometric data without consent.

It was not until October 2022 when the first-ever jury verdict in a BIPA class action lawsuit was handed down in Rogers v. BNSF Railway Company. Although the defending company announced its plans to appeal the decision of the District Court for the Northern District of Illinois, the plaintiffs’ success at the trial level may further embolden individuals to pursue their own BIPA claims.

[From GDPR to CPRA and beyond, practitioners can count on Bloomberg law to keep them up to date on the latest privacy and data security developments. Learn more.]

On-Demand: Privacy by Design

Learn how to apply privacy by design principles early on to scale and modify organizational privacy programs amid changing laws and regulations.

Which states have biometric privacy laws?

Texas and Washington also have broad biometric privacy laws on the books, but neither creates a private right of action like BIPA does. In addition, California, Colorado, Connecticut, Utah, and Virginia have passed comprehensive consumer privacy laws that, once in full effect, will expressly govern the processing of biometric information. And even more states have enacted data breach notification laws that explicitly include biometric data within their scope.

Various municipalities, such as New York City and Portland, Ore., have also passed tailored biometric privacy measures. New York City’s Biometric Information Privacy Law, applicable to certain commercial establishments, provides a private right of action.

As more states continue to introduce legislation similar to BIPA, insurers have begun expressly excluding biometric liability coverage from their policies, further adding to the risks posed by noncompliance with biometric privacy laws.

[Bloomberg Law subscribers can track all applicable state biometric privacy laws, including proposed legislation, using our interactive map. Not a subscriber? Request a demo.]

Download: Compare state biometric privacy statutes

Download the chart below to easily compare the details of biometric data privacy laws enacted in Illinois, Texas, and Washington.

Compare Illinois, Texas, and Washington biometric privacy statutes

[Download this comparison chart of state biometric privacy laws to easily compare the details of each statute.]

Legal Research and Practice Tools:

With evolving and emerging technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and practice tools will help you stay ahead of privacy and data security developments and protect your business.

Access to this information requires a subscription to Bloomberg Law. Don’t have access? Request a demo.

Biometrics and Facial Recognition Practical Guidance

Search through our Practical Guidance documents about biometric data privacy and compliance.

State Privacy and Data Security Chart

Use our Chart Builders tool to review privacy laws related to biometric data state by state.

Privacy and Data Security Practice Center

Explore privacy and data security beyond biometrics with our practice center covering all of the latest guidance, news, and legal developments.