U.S. biometric laws & pending legislation tracker

Statute

Colorado Privacy Act

Colo. Rev. Stat. Ann. § 6-1-1314 (effective July 1, 2025)

Details

Requires a “controller” to adopt a written policy that establishes a retention schedule for biometric identifiers and data, which includes a protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data.  Also require informed written consent from a consumer prior to collecting or processing a biometric identifier. Allows employers to require consent to collection and processing of the employee’s biometric identifier as a condition of employment if for certain purposes. Provides for enforcement by the Colorado Attorney General.

See: "Colorado's new requirements for biometric data: what businesses need to know"

Statute

Biometric Information Privacy Act (“BIPA”)

740 ILCS 14/1 et seq.

Details

Depending on whether a private entity is possessing, capturing, collecting, otherwise obtaining, or disclosing biometric information or biometric identifiers, requires:

1. a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;
2. compliance with that policy;
3. protection of the biometric information using the reasonable standard of care within the industry or in a manner as protective as the entity protects other confidential and sensitive information;
4. informing the subject whose biometric information is to be collected of the specific purposes and length of term for which biometric information is being collected, stored, or used; and
5. receiving a written release from the individual to proceed with the collection or disclosure of the biometric information. Provides for recovery of liquidated statutory damages or actual damages, and attorneys’ fees and expenses. 

Statute

Labor and Employment Code § 3-717

Details

Prohibits employers from using facial recognition service for purpose of creating a facial template during applicant interview for employment, unless applicant consents.

Statute

N.Y. LAB. LAW § 201-aA 

Details

Prohibits employers from requiring a fingerprint from employees, as a condition of securing employment or of continuing employment, unless as provided by other laws. (See also New York State Department of Labor RO-10-0024 for opinion on use of a biometric device in a time clock).

Statute

City of New York Administrative Code, Title 22, Chapter 12.

Details

Any “commercial establishment” that collects biometric information from “customers” must disclose the collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances.” Makes it unlawful to sell, lease, trade, share, exchange for anything of value, or otherwise profit from the transaction of biometric identifier information. Provides for recovery of damages to prevailing party.

Statute

Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050.

Details

Prohibits the use of Facial Recognition Technologies in Places of Public Accommodation by Private Entities within the boundaries of the City of Portland. Provides for recovery of damages sustained as a result of the violation of $1,000 per day for each day of violation, whichever is greater.

Statute

Capture or Use of Biometric Identifier Act (“CUBI”)

TEX. BUS. & COM. CODE ANN. § 503.001

Details

Requires that a person capturing a biometric identifier of an individual for a commercial purpose inform the individual before capturing the biometric identifier and receive the individual’s consent and requires protecting the data from disclosure using reasonable care and in a manner as protective as the entity protects other confidential information. Biometric identifiers must be destroyed within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires. Also prohibits a person in possession of a biometric identifier of an individual from selling, leasing, or otherwise disclosing the biometric identifier unless in certain circumstances. Provides for a civil penalty of no more than $25,000 for each violation, enforceable by the Texas Attorney General.

Statute

WASH. REV. CODE §§ 19.375.010 et seq.

Details

Provides that a person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. Provides for enforcement by the Washington Attorney General under the Washington Consumer Protection Act.

Statute

My Health My Data Act

(effective March 31, 2024)

Details

“Biometric data” included in the broad definition of “consumer health data.” See: "Washington My Health My Data Act: Compliance hurdles and how to prepare".

Legislation

Amendment to Biometric Information Privacy Act

2025 IL H.B. 2838

2025 IL H.B. 3667

Information

Would amend the BIPA to exclude information captured and converted to a mathematical representation from the definition of “biometric identifier” and would exempt biometric time clocks from the BIPA’s purview. Would require a private entity in possession of biometric identifiers or biometric information to make a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information available to the person whose information is collected, but eliminate the requirement that the policy be publicly available. Would also not require informed written consent if a biometric identifier or information is captured and used only for a security purpose. Would limit the statute of limitations to one year and allow for an opportunity to cure.

Legislation

Amendment to Biometric Information Privacy Act

2025 IL H.B. 3292

2025 IL S.B. 2051

Information

Would amend the BIPA to exempt vehicle safety technology from its purview as long as any biometric identifier is not retained longer than is reasonably necessary to satisfy a vehicle safety purpose and is not used to identify any individual.

Legislation

Amendment to Biometric Information Privacy Act

2025 IL H.B. 2984

Information

Would amend the BIPA to include “neural data” (information generated by the measurement of activity of an individual’s central or peripheral nervous system and that is not inferred from non-neural information) as a “biometric identifier,”

Legislation

Amendment to Biometric Information Privacy Act

2025 IL H.B. 2591

Information

Would amend the BIPA to exempt companies registered with the Department of Transportation to conduct testing of autonomous vehicles.

Legislation

Biometric Information Privacy Act

2025 MA S.B. 2204

Information

[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for Attorney General enforcement or private right of action to recover statutory damages of at least $5,000 per violation or actual damages, whichever is greater.

Legislation

Biometric Information Privacy Act

2025 MO H.B. 407

2025 MO H.B. 500

2025 MO H.B. 554

Information

[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, made publicly available, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

Legislation

Biometric Autonomy Liberty Law

2025 NE L.B. 204

Information

Would prohibit a private entity from requiring an individual to provide or submit to the collection of biometric data. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require written consent to the collection of biometric data. Provides for Attorney General enforcement.

Legislation

Biometric Privacy Act

2025 NY S.B. 1422

Information

[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for enforcement by the Attorney General.

Legislation

It’s Your Data Act

2025 NY S.B. 5156

Information

Would make it a misdemeanor for a person, firm or corporation that collects, stores, and/or uses biometric data for  advertising, trade, data-mining, or generating commercial or economic value  without having first obtained written consent of such person, of, if such consent is obtained, failing to exercise reasonable care with respect to that data.

Legislation

Biometric Identifier Signage Act

2025 PA H.B. 596

Information

Would require retail stores, restaurants, hotels/motels, or places of entertainment or amusement to disclose the collection, retention, conversion, storage, or sharing of biometric identifier information of customers with a clear and conspicuous sign near entrances. Provides for recovery of statutory damages.

Legislation

2025 WA H.B. 1672

Information

Would prohibit employers from electronically monitoring employees unless certain requirements are met and the specific form of electronic monitoring is the least invasive means.