RatedWithAI

RatedWithAI

Accessibility scanner

Sign in
AI Legal & Compliance

Facial Recognition AI Legal Risk for Businesses in 2026: State Laws, BIPA & EU Rules

Facial recognition is one of the most legally fraught AI technologies a business can deploy. State biometric privacy laws have already produced billion-dollar class action settlements. The EU has moved to prohibit real-time uses entirely. Here's your legal risk map.

Why this matters now

Facial recognition AI is cheaper and more accessible than ever — embedded in timekeeping systems, retail loss prevention software, event check-in tools, and building access platforms. But the legal landscape has not kept up favorably for businesses. Multiple states have laws with private rights of action and statutory damages that don't require proving harm. One noncompliant deployment can produce a class action.

The US Legal Landscape: State by State

No federal law specifically governs commercial facial recognition in the US, though bills have been introduced. The action is at the state level:

Illinois — BIPA (Highest Risk)

The Illinois Biometric Information Privacy Act is the most litigated biometric privacy law in the US. It covers facial geometry (the geometric map used in facial recognition) as a "biometric identifier."

Requirements:

  • Written policy for retention and destruction of biometric data
  • Written notice to the person whose data is being collected
  • Written release (consent) before collection
  • Prohibited from selling or profiting from biometric data
  • Reasonable security standards for stored data

Damages:

$1,000 per negligent violation, $5,000 per intentional/reckless violation — per person per violation. Class actions are common. No actual harm required to sue.

Class action examples: BIPA settlements include $650M (Facebook facial tagging), $228M (Six Flags), $100M (Google Photos), and dozens of eight-figure settlements for timekeeping and workforce management systems.

Texas — CUBI (Capture or Use of Biometric Identifier)

Texas's Capture or Use of Biometric Identifier Act (CUBI) covers facial recognition data. Unlike BIPA, it does not have a private right of action — enforcement is by the Texas Attorney General, with fines up to $25,000 per violation.

CUBI requires informed consent before capturing biometric identifiers, prohibits selling biometric data, and requires commercially reasonable security. Texas has signaled increased enforcement activity in 2025-2026.

Washington — My Health MY Data + HB 2300

Washington's My Health MY Data Act covers health data including biometric information when it can be connected to health status. Washington also passed specific facial recognition legislation limiting government use and regulating commercial use in some contexts.

For commercial businesses, Washington's laws restrict use in contexts like housing, employment, credit, and public accommodation — and require consent for other uses. Private right of action exists for health data violations.

Other States — Active Legislation

Maryland, Colorado, Oregon, Nevada, and several other states have passed or are actively advancing biometric privacy legislation. The trend is clear: state-level coverage is expanding. A business operating nationally that collects facial recognition data without consent infrastructure is increasingly at risk across multiple jurisdictions simultaneously.

EU AI Act: Facial Recognition Largely Prohibited

The EU AI Act takes the most restrictive global approach to facial recognition. As of February 2025, prohibited practices under the Act include:

  • Real-time remote biometric identification in publicly accessible spaces — meaning live facial recognition scanning of people in public places (streets, shopping centers, transport hubs) is prohibited. Narrow law enforcement exceptions exist with significant safeguards.
  • Facial recognition-based emotional inference — AI systems that infer emotions from facial expressions in the workplace or educational institutions are prohibited as a category.
  • Untargeted scraping to build facial recognition databases — systems that scrape facial images from the internet or CCTV to build or expand databases are prohibited.

Post-hoc (after-the-fact) biometric identification systems are classified as high-risk — subject to conformity assessment, registration, and all high-risk obligations. This includes systems used for law enforcement facial matching and, depending on interpretation, some commercial identity verification systems.

High-Risk Business Use Cases

Employee time-and-attendance facial scanning

Very High Risk

BIPA class actions are common. Any Illinois employees trigger BIPA. Must have written consent and retention policies before first scan.

Retail loss prevention / shoplifter detection

High Risk

State law requirements vary. In EU, real-time use in retail (a publicly accessible space) is prohibited. Several US retailers have been sued for non-consensual scanning of shoppers.

Building access / visitor management

High Risk

Collecting facial geometry of employees or visitors requires BIPA-compliant consent in Illinois. Systems used at multiple locations across states multiply jurisdictional risk.

Event check-in / ticketing

High Risk

Six Flags' $228M BIPA settlement arose from season pass facial scanning. Any ticketed event in Illinois with biometric check-in must comply with BIPA — including written consent before first scan.

Customer identity verification (KYC/onboarding)

Medium Risk

Identity verification involving a one-time face match (e.g., selfie to ID photo) is generally lower risk than ongoing facial recognition surveillance, but state biometric laws may still apply. EU AI Act treatment depends on how 'biometric identification' is classified.

Workplace productivity monitoring

Very High Risk

Continuous or periodic facial scanning to monitor employee attention or activity is prohibited as emotional inference AI in the EU workplace. In the US, BIPA and employee consent requirements apply.

Facial Recognition Compliance Checklist

If your business uses or is considering facial recognition, work through this checklist:

1

Identify all facial recognition use cases

Document every system, product, or vendor feature that collects, stores, or processes facial images or facial geometry. Include employee systems, customer-facing systems, and third-party integrations.

2

Map the states where data subjects are located

Your legal obligations depend not just on where your company is incorporated but where the affected people are. Employees in Illinois trigger BIPA. Customers in Texas trigger CUBI. Map every state where you have significant user concentration.

3

Implement written notice and consent before collection

For Illinois users, consent must be in writing, must describe what biometric data is collected and why, and must be obtained before the first collection. Verbal consent is not sufficient under BIPA.

4

Create and publish a biometric data retention and destruction policy

BIPA requires a publicly available written policy specifying when biometric data is destroyed (e.g., when the employment relationship ends, or within 3 years of collection, whichever is first).

5

Prohibit sale or monetization of biometric data

No state biometric privacy law permits selling facial recognition data as a business practice. Audit any data-sharing arrangements — even for analytics or model improvement — for compliance.

6

Verify vendor contracts and data practices

If a vendor processes facial recognition data on your behalf, their practices affect your liability. Review vendor contracts for indemnification provisions, data deletion rights, and subprocessor disclosures.

7

Assess EU AI Act applicability

If you operate or plan to operate in the EU, identify whether your use case falls under prohibited AI practices (real-time public ID, emotional inference) or high-risk classification. Do not launch EU deployments without legal review.

8

Implement data security for biometric storage

All biometric privacy laws require reasonable security measures. Biometric data should be encrypted at rest and in transit, access-controlled with least-privilege principles, and included in your data breach response plan.

Frequently Asked Questions

We use facial recognition only for employees, not customers. Are we still at risk?

Yes — BIPA explicitly covers employee biometric data, and some of the largest BIPA class actions involve employee timekeeping systems. The origin of many BIPA suits is employers requiring fingerprint or facial scans for time-and-attendance without proper written consent and retention policies. If any employees are Illinois residents, BIPA compliance is required.

Our facial recognition vendor says they're BIPA-compliant. Does that protect us?

Partially. Vendor BIPA compliance means the vendor follows the rules in their own data handling. But BIPA obligations also fall on the entity that collected the data from individuals — that's you, the business, not just your vendor. You need to obtain written consent from your employees or customers, publish a retention policy, and manage the vendor relationship to ensure the vendor honors deletion obligations. Vendor compliance does not substitute for your own BIPA compliance.

Can we use opt-out consent instead of opt-in for facial recognition?

No, not in Illinois. BIPA requires affirmative, written consent (opt-in) before collection. Texas CUBI also requires informed consent before capture. Opt-out frameworks — where you collect data unless someone objects — do not satisfy these requirements. Practically, this means you cannot deploy facial recognition to existing employees or customers without proactively obtaining signed consent.

What if we stop using facial recognition — can we still be sued for past violations?

Yes. BIPA has a five-year statute of limitations. Violations that occurred up to five years ago can still be the basis of a lawsuit or class action today. Past non-compliant collection creates ongoing liability exposure even if the system has been decommissioned. Consult legal counsel about whether retroactive remediation (notice, deletion, record-keeping) can reduce exposure.

More AI Legal Risk Resources

Facial recognition is one piece of a larger AI compliance picture. Explore related guides on biometric data, AI hiring laws, and EU AI Act obligations on RatedWithAI.

Key Takeaways

  • Illinois BIPA is the highest-risk US law for facial recognition — it applies to employees and customers, requires written opt-in consent, and has a private right of action with statutory damages that produce class action exposure.
  • Texas, Washington, and multiple other states have biometric privacy laws; coverage is expanding rapidly.
  • The EU AI Act prohibits real-time facial recognition in public spaces and emotional inference AI in workplaces — effective February 2025 for prohibited practices.
  • Written consent before collection, a public retention/destruction policy, a ban on selling biometric data, and reasonable security are the baseline requirements in every US biometric privacy jurisdiction.
  • Past violations remain actionable under BIPA's five-year statute of limitations — decommissioning a system does not eliminate past exposure.