[Updated: September 27, 2023]
In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and enforceable biometric laws, and to reach out if concerned that one such law may apply.
We will continue monitoring the biometric legislation landscape and will update this resource accordingly.
ILLINOIS
Law: Biometric Information Privacy Act (“BIPA”)
Applies to:
Any individual, partnership, corporation, limited liability company, association, or other group, however organized, that possesses, collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents.
Covers:
- Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry; or
- Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual biometric identifier and used to identify an individual.
Enforcement:
The law provides individuals with a private right of action, and violations can amount to $5,000 per collection, possession, etc., in violation of the law.
MARYLAND
Law: Labor and Employment Code § 3-717
Applies to:
Maryland employers that use facial recognition services for purposes of creating a facial template during an applicant’s interview for employment.
Covers:
- Facial template: Machine-interpretable pattern of facial features that is extracted from one or more images of an individual by technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images.
Enforcement:
Maryland Department of Labor.
MONTANA
Law: Facial Recognition for Government Use Act
Applies to:
Third-party vendors contracting with Montana state or local government agencies for the provision of facial recognition services.
Covers:
- Facial biometric data: Data derived from a measurement, pattern, contour, or other characteristic of an individual’s face, either directly or from an image.
Enforcement:
Montana Attorney General can bring enforcement actions, with damages starting at $10,000.
The law provides individuals with a private right of action, and violations can amount to $1,000 per violation.
NEW YORK
Applies to:
New York employers that fingerprint employees as a condition of securing employment or of continuing employment.
Covers:
- Fingerprints: The law does not define what constitutes a fingerprint, but New York State Department of Labor RO-10-0024 states: “instruments that measure the geometry of the hand are permissible under the Labor Law so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint.”
Enforcement:
New York State Department of Labor.
Law: NYC Admin Code §§ 22-1201-1205
Applies to:
Places of entertainment, retail stores, or food or drink establishments in New York City that collect biometric identifier information from customers.
Covers:
- Biometric identifier information: Physiological or biological characteristics that are used by or on behalf of a place of entertainment, a retail store, or a food or drink establishment, singly or in combination, to identify, or assist in identifying, an individual.
Enforcement:
The law provides individuals with a private right of action, and violations can amount to $5,000 per violation.
OREGON
Law: Portland City Code, Title 34 - Digital Justice, Chapters 34.10.010-34.10-050
Applies to:
Any individuals and non-government entities in the city of Portland, prohibiting them from using face recognition technologies in any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation, or otherwise.
Covers:
- Face recognition: Automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository.
Enforcement:
The law provides individuals with a private right of action, and violations can amount to $1,000 per day for each day of violation.
STATE COMPREHENSIVE PRIVACY LAWS
Laws:
- California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020
- Colorado Privacy Act
- Connecticut Data Privacy Act
- Virginia Consumer Data Protection Act
Applies to:
Each state comprehensive privacy law features various thresholds of applicability. Please see our overview of state comprehensive privacy laws for more information on those thresholds.
Covers:
- Biometric data: Generally means an individual’s physiological, biological, or behavioral characteristics that are used or are intended to be used to establish or authenticate an individual’s identity.
Enforcement:
Most state comprehensive privacy laws are enforced by the state’s respective attorney general, but California also authorizes the California Privacy Protection Agency to enforce California’s state comprehensive privacy law.
TEXAS
Law: Capture or Use of Biometric Identifier (“CUBI”)
Applies to:
Any individuals and non-government entities capturing biometric identifiers of Texas individuals for a commercial purpose.
(The law does not define what constitutes a “commercial purpose,” but the Texas Attorney General has argued that capturing biometric identifiers to improve or develop products or services constitutes a commercial purpose.)
Covers:
- Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, or records of hand or face geometry.
Enforcement:
Texas Attorney General, which can seek fines of up to $25,000 per violation.
WASHINGTON
Law: Biometric Identifiers Law (“BIL”)
Applies to:
All individuals and non-government entities that collect, use, and retain biometric identifiers from Washington residents.
Covers:
- Biometric identifiers: Data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
Enforcement:
Washington Attorney General under the state’s consumer protection act.
Law: My Health, My Data Act (“MHMDA”)
Applies to:
All legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to individuals in Washington, and alone or jointly collect, process, share, or sell consumer health information.
Covers:
- Consumer health information: Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
Enforcement:
Washington Attorney General can bring enforcement actions under the state’s consumer protection act.
In addition, the law provides individuals with a private right of action.