As technological advancements continue to reshape businesses around the globe, biometric data is becoming an increasingly common tool, from monitoring worker performance to enhancing security measures. Biometric data refers to personal data that could be used to identify an individual, such as a fingerprint, retina, voiceprint, and more depending on the definition outlined by a particular jurisdiction. The collection and use of biometric data could offer significant benefits for businesses. For instance, biometrics, in the form of fingerprint or facial recognition, are often used as security measures to restrict access to facilities or data systems.
With these benefits comes the responsibility of ensuring compliance with a patchwork of federal and state laws, each of which can have specific requirements regarding the collection, storage, and use of biometric information.
Navigating the legal landscape in this realm is complex as data collection technologies and uses are still evolving. Some states impose stringent regulations, while others have little to no specific regulations at all. While the use of biometric data serves as an increasingly popular, helpful tool in the workplace, companies must be aware of existing and potential laws to protect against the risks associated with the collection of biometric data.
In this blog, we will explore some of the major biometric laws passed in the United States to protect personal information of individuals. Then, we will discuss some best practices to ensure compliance with these various laws when handling biometric information.
In the United States, there is currently no federal law specifically governing the collection, use, storage, or disclosure of biometric data. However, the Federal Trade Commission (FTC) plays a crucial role in protecting consumers' privacy by acting against companies that mishandle biometric data. This is done under the broader privacy and security principles outlined in the FTC Act, alongside the biometric data regulations that vary by state.
The Federal Trade Commission (FTC) Act enforces rules regarding consumer protection and data security. The FTC has broad authority to protect consumers from unfair and deceptive trade practices in or affecting commerce, which can apply to practices involving biometric data. Under this law, companies collecting personal information of consumers must ensure protection of this data.
Seeking to implement more direct protection for biometric usage, a few states have biometric data laws currently in effect. Meanwhile, many other states have similar bills pending as the race towards regulating this growing sector of technological usage of biometric data advances.
Illinois's Biometric Information Privacy Act (BIPA) was the first state law to regulate biometric information directly, and its broad scope and stringent requirements have made it the most consequential for businesses.
Consent and opt-out: BIPA requires private entities (defined as any individual, corporation, partnership, or other group that does business in Illinois) that process biometric data to obtain, before collecting it, a written release signed by the affected worker or consumer acknowledging each stated use of the data.
Transparency: Private entities must provide written notice prior to biometric data collection clearly stating what specifically is being collected and the reasons for processing.
Retention: Permitted until “the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.” The retention schedule must be publicly posted.
Allows private right of action: Yes. Effective January 1, 2025, workers now have two years to file administrative charges with the Illinois Department of Human Rights (IDHR) after the date of any alleged civil rights violation, more than doubling the previous 300-day period.
Penalties: The law permits the prevailing party to recover $1,000 for each negligent BIPA violation and $5,000 for each intentional or reckless violation. The prevailing party may also recover attorneys’ fees and costs.
Cothron v. White Castle System, Inc. led to the passage of SB 2979 on January 31, 2024, which limits the accrual of damages for BIPA violations to one per worker. Instead of recovering for every violation of the Act, workers can now recover only for the initial violation, significantly cutting the damages companies paid out before this change.
Texas's Capture or Use of Biometric Identifier Act (CUBI) regulates the capture or use of biometric identifiers (a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) for “commercial purposes.” Although the statute does not define that term, it should be assumed to cover the collection and use of biometric data for any purpose tied to company operations. The Act requires companies to use reasonable care in storing and transmitting biometric identifiers, to protect them from disclosure, and not to sell them.
Consent and opt-out: Companies must receive the consent of an individual prior to capturing the individual’s biometric identifier.
Transparency: Companies must provide notice of collection of biometric data to affected individuals prior to capturing their biometric identifiers, informing them of what it entails.
Retention: Companies must destroy the biometric identifiers “within a reasonable time” following capture but no later than one year after the purpose of its collection has expired, unless an exception applies.
Allows private right of action: No.
Penalties: The Texas Attorney General has exclusive authority to enforce CUBI and may obtain relief, including civil penalties of up to $25,000 per violation.
On July 30, 2024, the Texas state court finalized the largest-ever biometrics settlement between the Texas Attorney General and Meta (formerly known as Facebook) for $1.4 billion. The suit alleged that Meta unlawfully collected Texas residents’ biometric data through facial recognition algorithms employed in Meta’s tagging technology. Attorney General Ken Paxton’s new privacy division will likely devote increasing attention to businesses’ use of biometric technology as he promised to “double down to protect privacy rights.”
The California Privacy Rights Act (CPRA) addresses biometric information of California consumers as an element of personal information to be protected. Consumer rights to their biometric information under this law include data portability, access to their personal information, and request to delete.
Publicly available information is not considered personal information subject to consumer protection. An exception applies to biometric data: it cannot qualify as publicly available information if it was collected without the consumer’s knowledge. In other words, biometric data that a company gathered in a public setting (e.g., while the consumer was walking in public or from social media posts) without the consumer’s consent is not considered publicly available and therefore remains covered by consumer protection laws.
The law applies to businesses which have over $25 million in annual revenue, collect personal information on 50,000 people or devices, or receive more than 50% of their annual revenue from the sale of personal information.
Consent and Opt-out: Opt-in consent for biometric data collection is not required. The CCPA takes an opt-out approach in its implementation, granting consumers the opportunity to limit a business’s use, disclosure, and sale of sensitive personal information.
Transparency: Businesses collecting biometric data in California must be transparent about their collection methods, purposes, and storage procedures. For biometric data to be considered publicly available, a business only needs to have informed the consumer. A business can likely meet this requirement by including a disclaimer in its privacy policy.
Retention: Businesses must be sure to notify consumers of their retention practices. In most cases, businesses cannot retain personal information after their specified purposes have been fulfilled. However, businesses may be able to retain information for longer if they provide incentives to consumers in return for data.
Allows Private Right of Action: Yes.
Penalties: Organizations that violate the CCPA can face class action statutory damages between $100 and $750 for each violation. Fines from regulatory enforcement actions may also occur, ranging from $2,500 to $7,500 per violation.
The VCDPA grants Virginia residents rights over their personal data. Consumer rights to their biometric information under this law include data portability, access, ability to correct inaccuracies, and delete their personal information. Under the Act, biometric data falls into the scope of “sensitive personal data,” meaning that it differs from the other categories of personal information by requiring opt-in consent to process rather than taking an opt-out approach.
Virginia’s law applies to any business that controls or processes the personal data of 100,000 or more Virginia residents annually. That threshold drops to 25,000 individuals if a business makes 50% or more of its gross revenue from the sale of personal data. It applies only to consumers, not workers in an employment context.
Consent and Opt-out: The VCDPA requires explicit opt-in consent before processing any sensitive personal information, including biometric data.
Transparency: Controllers must provide consumers with a privacy policy detailing the categories of personal data processed, the purpose of processing, consumer rights, and whether the data will be shared with third parties and, if so, with whom.
Retention: Companies may collect personal data only for the purposes disclosed and may retain it no longer than is minimally necessary to fulfill those purposes.
Allows Private Right of Action: No.
Penalties: Civil penalties can be as high as $7,500 per violation under the VCDPA. The law provides for a 30-day cure period following initial notice by the Attorney General of potential violations.
Washington’s biometric statute sets forth requirements for businesses that collect and use biometric identifiers for commercial purposes. The law defines a biometric identifier as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other biological patterns that are used to identify a specific individual. Given this definition, it remains unclear whether the statute covers scans of face geometry, though companies should assume it does to ensure compliance.
In contrast to the Illinois and Texas statutes, which broadly regulate the capture of biometric identifiers, Washington’s statute is limited to those persons that “enroll” biometric identifiers by capturing the data, converting it into a reference template that cannot be reconstructed into the original output, and storing it in a database that matches the biometric identifier to a specific individual. Biometric identifiers used to identify individuals in an employment context such as fingerprint timekeeping and facial recognition login systems are enrolled.
Consent and opt-out: Companies must obtain affirmative consent from individuals prior to collecting their biometric identifier.
Transparency: Companies must provide notice prior to obtaining someone’s biometric identifier. The notice required under the law is separate from, and not considered, “affirmative consent.”
Retention: A business may retain a biometric identifier “no longer than is reasonably necessary” to comply with law or a court order, protect against criminal activity and security threats, and provide the services for which the biometric identifier was enrolled.
Allows Private Right of Action: No.
Penalties: The Washington Attorney General has exclusive authority to enforce the requirements and may impose civil penalties up to $7,500 per violation.
Unlike BIPA, Washington’s biometric law provides that the type of consent and notice required need not be written but is “context dependent.” The law also differs in that it does not apply to the use of biometric identifiers for security purposes. An example of this exception is a retailer using video surveillance with facial recognition capabilities to identify shoplifters.
The first U.S. state privacy-focused law to protect personal health data, MHMDA offers protections like those in the BIPA for personal and health data not covered by the Health Insurance Portability and Accountability Act (HIPAA), which could include biometric data. “Consumer health data” covered by this law includes information that is linked to a consumer’s past, present, or future physical or mental health status.
This law requires that regulated entities and small businesses obtain “separate and distinct” consent prior to collecting or sharing consumer health data beyond the extent necessary to provide a consumer-requested product or service.
New York City has a biometric privacy law in effect that applies only to the collection of customer biometric information and does not apply to workers of a company. For consumer protection, the law prohibits the sale of biometrics for commercial establishments. The law specifies that it is unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.
Consent and opt-out: Commercial establishments obtaining biometric data of customers must provide notice near the entrance. If potential customers do not consent to that data collection, they can choose not to shop there. No accommodation is required from establishments by this law.
Transparency: Commercial establishments in New York City that collect biometrics must post conspicuous signs near their entrances, notifying customers that biometrics are being collected. Prior to a plaintiff filing a lawsuit for failure of posted signage, the establishment in violation will receive a 30-day cure period. If a commercial establishment cures a signage violation within 30 days of receiving notice of a purported violation, no claim can be filed against the establishment.
Retention: This law does not have a retention limitation, but it does require that consumers are explicitly notified of an established retention period of their biometric data prior to collection.
Allows private right of action: Yes.
Penalties: The bill provides for a private right of action that allows for judgments of $500 for failing to post signage or negligently selling/sharing biometric information and $5,000 for the intentional or reckless sale of biometric information.
Proposed class actions under this law have targeted the undisclosed use of facial recognition surveillance in retail stores to deter shoplifting and the use of biometric data to enter cashierless convenience stores such as Amazon Go.
Facial recognition technology in job interviews is becoming more common. By analyzing an applicant’s facial expressions, gestures, tone, and word choice, AI systems evaluate traits such as honesty, attitude, and language competence and then generate an overall score for how well the candidate fits the role and the company’s culture.
Maryland’s HB 1202 requires companies to obtain consent from applicants by having them sign a waiver for the use of facial recognition services to create a facial template during their interview for employment.
Similar to Maryland’s HB 1202, AIVIA regulates the use of AI by companies to analyze video interviews of applicants for jobs “based in” Illinois. The Illinois legislature requires companies that use AI-based evaluation systems in interviews to:
Colorado’s Biometric Amendment adds protection for individuals’ biometric data, extending its obligations to companies collecting not only consumer biometric information but also their workers’. This update was announced to the public on December 6, 2024 by the Colorado Attorney General’s Office to widen the scope of this amendment’s provisions.
Consent and opt-out: Companies must obtain written or electronic consent from Colorado workers prior to collecting their biometric data. They must also receive new consent if the data will be used for a new purpose or involves different types of biometric identifiers than originally disclosed. A company may require as a condition of employment that a worker or prospective worker consent to allowing the company to collect and process their biometric identifier only to:
Transparency: Companies must develop and maintain a biometric data policy outlining how the data is collected, stored, used, and destroyed. Furthermore, they must provide clear and accessible notice to individuals before collecting biometric identifiers, detailing what data is collected, why it is needed, how long it will be retained, and whether it will be shared. The notice can either stand alone or be integrated into broader privacy notices.
Retention: The Biometric Amendment requires organizations that process biometric identifiers to create a written policy outlining retention schedules for any biometric data collected.
Allows Private Right of Action: No. The Colorado Attorney General and district attorneys have the exclusive authority to enforce the amendment.
Penalties: Violations of the biometric amendment can result in civil penalties up to $20,000 per violation.
The amendment also requires drafting of a protocol for responding to security incidents involving biometric information. Businesses are generally required to make this policy publicly available.
Some of the most common uses of biometric data in the workplace include:
In the United States, businesses can generally collect and use biometric data as long as they comply with applicable laws. This typically involves obtaining consent, providing clear notices, adhering to retention policies, implementing strong security measures, and, in some cases, offering opt-out or accommodation options. Ensuring compliance with these regulations is essential to mitigate legal risks and maintain trust.
Navigating the intricacies of these legal requirements, however, can be complex and time-consuming. Laws vary by jurisdiction, and keeping up with the latest updates can be overwhelming. At TCWGlobal, as a global Employer of Record (EOR), we understand the complexities of data privacy internationally and can help you remain up to date on the complexities of biometric data usage as you grow your contingent workforce.
Whether it’s ensuring compliance with consent protocols, security standards, or retention policies, we stay informed on the ever-evolving regulations. With the increasing use of biometric data in the workplace, it’s more important than ever to ensure that your organization is handling it responsibly and securely. TCWGlobal is here to help.
For more insights on biometric data laws outside the U.S., check out our separate blog International Biometric Laws.