
An overview of biometrics laws in the U.S.

[Updated: September 27, 2023]

In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and enforceable biometric laws, and to reach out if concerned that one such law may apply.

We will continue monitoring the biometric legislation landscape and will update this resource accordingly.


ILLINOIS

Law: Biometric Information Privacy Act (“BIPA”)

Applies to:

Any individual, partnership, corporation, limited liability company, association, or other group, however organized, that possesses, collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents.

Covers:

  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry; or
  • Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual biometric identifier and used to identify an individual.

Enforcement:

The law provides individuals with a private right of action, and violations can amount to $5,000 per collection, possession, etc., in violation of the law.


MARYLAND

Law: Labor and Employment Code § 3-717

Applies to:

Maryland employers that use facial recognition services for purposes of creating a facial template during an applicant’s interview for employment.

Covers:

  • Facial template: Machine-interpretable pattern of facial features that is extracted from one or more images of an individual by technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images.

Enforcement:

Maryland Department of Labor.


MONTANA

Law: Facial Recognition for Government Use Act

Applies to:

Third-party vendors contracting with Montana state or local government agencies for the provision of facial recognition services.

Covers:

  • Facial biometric data: Data derived from a measurement, pattern, contour, or other characteristic of an individual’s face, either directly or from an image.

Enforcement:

Montana Attorney General can bring enforcement actions, with damages starting at $10,000.

The law provides individuals with a private right of action, and violations can amount to $1,000 per violation.


NEW YORK

Law: N.Y. LAB. LAW § 201-aA

Applies to:

New York employers that fingerprint employees as a condition of securing employment or of continuing employment.

Covers:

  • Fingerprints: The law does not define what constitutes a fingerprint, but New York State Department of Labor RO-10-0024 states: “instruments that measure the geometry of the hand are permissible under the Labor Law so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint.”

Enforcement:

New York State Department of Labor.


Law: NYC Admin Code §§ 22-1201-1205

Applies to:

Places of entertainment, retail stores, or food or drink establishments in New York City that collect biometric identifier information from customers.

Covers:

  • Biometric identifier information: Physiological or biological characteristics that are used by or on behalf of a place of entertainment, a retail store, or a food or drink establishment, singly or in combination, to identify, or assist in identifying, an individual.

Enforcement:

The law provides individuals with a private right of action, and violations can amount to $5,000 per violation.


OREGON

Law: Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050

Applies to:

Any individuals and non-government entities in the city of Portland, prohibiting them from using face recognition technologies in any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation, or otherwise.

Covers:

  • Face recognition: Automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository.

Enforcement:

The law provides individuals with a private right of action, and violations can amount to $1,000 per day for each day of violation.


STATE COMPREHENSIVE PRIVACY LAWS

Laws:

Applies to:

Each state comprehensive privacy law features various thresholds of applicability. Please see our overview of state comprehensive privacy laws for more information on those thresholds.

Covers:

  • Biometric data: Generally means an individual’s physiological, biological, or behavioral characteristics that are used or are intended to be used to establish or authenticate an individual’s identity.

Enforcement:

Most state comprehensive privacy laws are enforced by the state’s respective attorney general, but California also authorizes the California Privacy Protection Agency to enforce California’s state comprehensive privacy law.


TEXAS

Law: Capture or Use of Biometric Identifier (“CUBI”)

Applies to:

Any individuals and non-government entities capturing biometric identifiers of Texas individuals for a commercial purpose.

(The law does not define what constitutes a “commercial purpose,” but the Texas Attorney General has argued that capturing biometric identifiers to improve or develop products or services constitutes a commercial purpose.)

Covers:

  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, or records of hand or face geometry.

Enforcement:

Texas Attorney General, which can seek fines of up to $25,000 per violation.


WASHINGTON

Law: Biometric Identifiers Law (“BIL”)

Applies to:

All individuals and non-government entities that collect, use, and retain biometric identifiers from Washington residents.

Covers:

  • Biometric identifiers: Data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.

Enforcement: 

Washington Attorney General under the state’s consumer protection act.


Law: My Health, My Data Act (“MHMDA”)

Applies to:

All legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to individuals in Washington, and that alone or jointly collect, process, share, or sell consumer health information.

Covers:

  • Consumer health information: Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.

Enforcement:

Washington Attorney General can bring enforcement actions under the state’s consumer protection act.

In addition, the law provides individuals with a private right of action.