Biometric Law Compliance: What do State Biometric Laws Require of Businesses?

An increasing number of companies—in healthcare, education, finance, retail, technology and manufacturing—are implementing biometric identifiers.

This trend is growing in popularity, as some argue that biometrics can be considered more stable over time: passwords can be compromised and changed, resulting in security challenges for businesses, while biometrics cannot. While biometrics streamline the identification process, privacy concerns may arise. To address potential privacy risks, several states have passed or proposed biometric laws.

What Are Biometric Identifiers?

Biometrics can be defined as unique, measurable behavioral or physiological characteristics that describe a person. Essentially, biometrics work by using these unique characteristics to enhance personal authentication with easier, faster and more secure processes. Common examples of biometrics are:

  • Voice
  • Fingerprint
  • Palm Vein
  • Face Recognition
  • Palm Print
  • Hand Geometry
  • Iris Recognition
  • Typing Rhythm
  • Gait
  • DNA

Implementing biometric identifiers presents businesses with new opportunities. For example, biometrics can be used to:

  • Improve student success in education by measuring and tracking student engagement.
  • Save time in administrative processes by quickly identifying individuals with reduced human intervention.
  • Help prevent unauthorized access to physical and digital environments.

States with Biometric Laws

Illinois, Texas and Washington State are among the first states to pass laws to regulate biometric data. Other states such as Arizona, Florida, Massachusetts and New York have proposals pending. These laws regulate the collection, use, storage and retention of biometric data. In response, businesses’ biometric compliance policies tend to emphasize the following:

  • Obtaining consent from individuals before collecting or disclosing personal biometric identifiers
  • Storing biometric data securely
  • Destroying biometric identifiers in a timely manner
  • Outlining separate biometric data policies for employees and customers

It’s important to understand each state’s law and its requirements.  For instance:

Definition: Some state biometric laws broadly define biometric identifiers as behavioral and physiological characteristics, while others specify the types of biometrics covered, as outlined in the list of common examples above.

Enforcement: Many states give their attorney general the power to enforce these laws. However, differences exist. For instance, Illinois law allows individual or class action lawsuits. Violation of Illinois biometric law could result in fines between $1,000 and $5,000 per incident of noncompliance.

As more companies incorporate biometrics into business operations, states will continue to pass laws to guide business practices. Companies should be cognizant of biometric law requirements and the differences among them, and should ensure that policies and practices align with these legal obligations.

DISCLAIMER:  This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Beckage: or

Attorney Advertising: Prior results do not guarantee a similar outcome.