Biometric Data in Focus: What Businesses Need to Know About BIPA and Other State Laws Regulating Biometrics

4 min

Biometric data—such as face geometry, fingerprints, voiceprints—is no longer confined to niche applications. From virtual eyewear and makeup try-on tools to personalized shopping experiences and photo organization features, biometric technologies are increasingly embedded in everyday consumer products and services. And regulators and plaintiffs' attorneys have been taking notice. The result is a steady rise in enforcement and private litigation, especially in Illinois, which continues to set the tone nationally through its Biometric Information Privacy Act (BIPA).

The Regulatory Landscape for Biometric Privacy Laws Continues to Expand

Although BIPA remains the main source of biometric privacy litigation risk, Illinois is not the only state shaping how businesses collect, use, and disclose biometric data. A growing number of states are regulating biometric data through standalone biometric statutes, comprehensive consumer privacy laws, and increasingly active attorney general enforcement. Together, these developments reflect a broader trend: regulators are treating biometric information as a uniquely sensitive category of personal data that warrants heightened protections.

Texas and Washington were among the first states to enact biometric-specific laws governing the collection of biometric data. While neither statute provides a private right of action like BIPA, both authorize enforcement by the state attorney general and require businesses to obtain consent before collecting biometric data, while also imposing restrictions on disclosure and retention. Texas has demonstrated a willingness to actively enforce these requirements, underscoring that attorney general enforcement can create significant compliance risk even in the absence of private litigation.

Other states have addressed biometric data through broader privacy legislation, including amendments to their comprehensive privacy laws. In 2024, the Colorado General Assembly amended the Colorado Privacy Act to impose new consent and other requirements governing biometric data, including some requirements (such as more prescriptive deletion guidelines) that go beyond those in BIPA. For its part, Louisiana in May 2026 became the twenty-second state to pass a comprehensive privacy law, and that law in part requires businesses that sell biometric data to provide consumers with a conspicuous notice stating that such data is sold. The Louisiana law also requires consumer consent before processing biometrics and other sensitive data, reflecting the growing emphasis on transparency and consumer control over biometric data.

Why BIPA Remains the Cornerstone of Biometric Privacy Risk

Despite this expanding regulatory landscape, BIPA remains the cornerstone of biometric privacy risk because it provides individuals with a private right of action, including the ability to pursue class actions seeking statutory damages. In 2024, Illinois lawmakers attempted to rein in potentially massive liability by amending the law. In addition to clarifying that companies can obtain individual consent by electronic means rather than only in writing, the reform was designed to limit "runaway" damages by treating repeated collections of the same person's biometric data, using the same method, as a single violation in certain circumstances, rather than allowing a new claim for every scan. In short, it narrowed how damages can stack up, but it did not eliminate liability.

And that's the key point: the fundamentals of BIPA have not changed. Businesses are still required to provide clear written notice about biometric collection, obtain written consent, maintain and follow a retention and deletion policy, and avoid selling or otherwise improperly disclosing biometric data. Those obligations continue to drive litigation.

How Businesses Can Reduce Biometric Privacy Compliance Risk

As the regulatory landscape continues to evolve, companies should assess not only whether their biometric data practices trigger BIPA's obligations but also whether their practices implicate the requirements in the growing patchwork of state privacy laws governing the collection, use, disclosure, and retention of biometric data. Additionally, as technology evolves and new vendors are onboarded, assessing whether biometric data will enter your company's data environment is vital to ensuring that such data is managed in a compliant manner. A careful assessment, tailored to the particular biometric data use case at issue, can serve as an effective way to mitigate risk in a fluid and litigious area of the law.

If you have questions about these developments or would like assistance evaluating your organization's approach to biometric data practices, please contact the authors or Venable's Privacy and Data Security Group.