Biometric Privacy Laws by State 2026: BIPA, CUBI & What AI Companies Must Do
If your AI product uses face recognition, voice cloning, fingerprint login, or any feature that turns a person's body into a unique identifier, you're handling regulated biometric data. There's no federal biometric law — so compliance is a patchwork of state statutes, and one of them lets users sue you directly. Here's the 2026 map.
What Counts as Biometric Data
Biometric privacy laws regulate identifiers derived from a person's physical or biological characteristics. For AI products, the data most commonly in scope includes:
- Facial geometry — face recognition, face matching, age/emotion estimation from faces
- Voiceprints — voice recognition, speaker identification, voice cloning
- Fingerprints — biometric authentication and verification
- Iris and retina scans — high-security identity verification
- Hand and finger geometry — access control systems
A common trap: many laws cover not just the raw scan but the mathematical representation your AI derives from it (a face embedding, a voice vector). Deleting the source photo does not necessarily delete the regulated identifier.
The State-by-State Map
Illinois — BIPA
HIGHEST RISK- •The only major biometric law with a private right of action — individuals sue directly
- •Statutory damages: $1,000 per negligent violation, $5,000 per intentional/reckless violation
- •Requires informed written consent before collecting biometric identifiers
- •Requires a publicly available written retention and destruction policy
- •Prohibits selling or profiting from biometric data
- •Source of the largest biometric class actions in the US
Texas — CUBI
AG ENFORCED- •Capture of Biometric Identifiers (CUBI) — enforced by the Texas Attorney General
- •No private right of action, but civil penalties up to $25,000 per violation
- •Requires consent before capturing biometric identifiers for a commercial purpose
- •Texas has pursued high-profile enforcement against large tech companies
Washington — HB 1493
AG ENFORCED- •Regulates enrolling biometric identifiers in a database for a commercial purpose
- •Requires notice and consent; enforced by the state Attorney General
- •No private right of action
- •Washington's My Health My Data Act adds further protections for health-related biometric data
Comprehensive Privacy Law States
SENSITIVE DATA- •California (CCPA/CPRA), Colorado, Connecticut, Virginia, Texas (TDPSA), Oregon, and others
- •Treat biometric data as 'sensitive personal data' requiring consent or opt-in
- •Impose data minimization, purpose limitation, and consumer rights obligations
- •Enforced by state AGs / privacy agencies; California adds the CPPA
The practical takeaway: Illinois drives litigation risk, Texas and Washington drive regulator risk, and the comprehensive privacy laws mean biometric obligations apply in many more states than people assume. If you have users nationwide, you should design to the strictest standard — which means designing to BIPA.
Why AI Features Trip These Laws So Easily
The Biometric Compliance Checklist for AI Products
- ☐Obtain informed, written (or clearly recorded) consent before capturing any biometric identifier
- ☐Disclose what biometric data is collected, why, and how long it's kept — before collection
- ☐Do not bury biometric consent inside a general terms-of-service checkbox
- ☐Capture and store proof of consent for each user
- ☐Publish a written retention and destruction policy (required by BIPA)
- ☐Set a defined destruction timeline (e.g., when purpose is satisfied or after a fixed period)
- ☐Ensure destruction covers derived embeddings/vectors, not just source media
- ☐Verify your vector database and backups honor deletion
- ☐Do not sell or profit from biometric identifiers (prohibited under BIPA)
- ☐Bind any vendors/processors handling biometric data by contract
- ☐Confirm AI API providers don't retain or train on your biometric data
- ☐Protect biometric data with the same or greater care as other confidential data
- ☐Map every place biometric identifiers and embeddings are stored
- ☐Default to the strictest standard (Illinois BIPA) if you serve users nationwide
- ☐Review obligations under comprehensive state privacy laws where you have users
Frequently Asked Questions
We're not based in Illinois — does BIPA still apply to us?
BIPA can apply based on where the affected individuals are, not just where your company is located. If you collect biometric identifiers from Illinois residents — for example, users of a nationwide app — courts have allowed BIPA claims regardless of your company's home state. Because BIPA is the strictest and the only one with private lawsuits, most companies serving a national user base design their entire biometric program to BIPA's requirements.
Is a face embedding really 'biometric data' if we delete the original photo?
Generally yes. Many biometric laws cover information derived from a biometric identifier — including the mathematical templates and embeddings AI systems generate. Deleting the source image does not remove the regulated identifier if you retain a face or voice vector that can identify the person. Your destruction process must reach the embeddings stored in your vector database and backups.
Does consent in our general Terms of Service cover biometric collection?
Usually not. Laws like BIPA require specific, informed consent for biometric collection — disclosing what is collected, the purpose, and the retention period. Burying it in a general ToS checkbox has repeatedly been found insufficient in litigation. Use a dedicated, conspicuous biometric consent flow separate from your general terms.
Which states should we prioritize if we can't address them all at once?
Prioritize Illinois first because of its private right of action and per-violation statutory damages — it carries the highest litigation exposure by far. Then Texas and Washington for AG enforcement, then biometric obligations under the comprehensive privacy laws in states where you have significant user populations (California, Colorado, Connecticut, Virginia, Texas). In practice, building to BIPA covers most of the others.
Design to the Strictest Standard
Because there's no federal biometric law and Illinois BIPA allows individuals to sue directly, the safest engineering posture for any AI product with a national user base is simple: design your consent, retention, and destruction flows to satisfy BIPA, and you'll clear most other states by default.
Start by inventorying every biometric identifier and embedding your AI touches — including what lives in your vector database — then build a dedicated consent flow and a real destruction process around it.
This article is general information, not legal advice. Biometric laws change quickly; consult qualified counsel about your specific product and the states where you operate.