The 2026 Biometric Privacy Landscape: Laws, Violations, and Your Rights
Facial recognition, fingerprint scanners, and retina scans are everywhere — and the legal framework governing their use is fragmented, evolving, and often inadequate. Here is what the law protects, what it does not, and how to protect yourself in 2026.
Biometric data — fingerprints, facial geometry, voiceprints, retina patterns — is the most sensitive personal data you possess. Unlike passwords or credit card numbers, biometric identifiers cannot be changed. If someone steals your fingerprint, you cannot issue a new fingerprint. The identifier is permanent, which makes its compromise permanently damaging.

In 2026, biometric collection has become ubiquitous. Smartphones use fingerprint and facial recognition for authentication. Buildings use biometric access control. Employers use biometric time clocks. Restaurants use facial recognition for age verification. Law enforcement uses facial recognition to identify suspects. The proliferation has outpaced legal protections, leaving most people without meaningful recourse when their biometric data is collected, stored, or misused.

The US Regulatory Landscape

The United States has no comprehensive federal biometric privacy law. Instead, the regulatory landscape is fragmented: a few states have significant laws and most have none.

Illinois has the strongest biometric privacy law in the country, the Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA requires informed written consent before biometric data is collected, mandates data security requirements, and prohibits selling or otherwise profiting from biometric data. Critically, BIPA includes a private right of action: individuals can sue companies that violate the law and recover statutory damages of $1,000-$5,000 per violation. This has generated billions of dollars in litigation, with major settlements from Facebook, Google, Amazon, and others.

California protects biometric data under the California Consumer Privacy Act (CCPA) and the follow-on California Privacy Rights Act (CPRA). These laws give consumers the right to know what biometric data is collected about them, to have it deleted, and to opt out of its sale. The California Privacy Protection Agency has authority to enforce these laws with substantial penalties.

Texas has a BIPA-like law with weaker enforcement mechanisms. Other states have limited protections embedded in broader privacy laws. The majority of US states have no specific biometric privacy law, leaving collection largely unregulated.

The result is a patchwork: Illinois residents have strong protections, California residents have moderate protections, and everyone else has minimal legal protection against biometric collection.

Law Enforcement Use of Facial Recognition

Law enforcement agencies across the United States have adopted facial recognition technology with minimal oversight. The ACLU's mapping project documents facial recognition use by police departments nationwide. Federal agencies including the FBI and the Department of Homeland Security operate facial recognition systems that cross-reference state DMV databases, passport databases, and other collections.

The legal framework for law enforcement use is murky. The Fourth Amendment requires warrants for searches, but courts have reached conflicting conclusions about whether facial recognition searches require warrants. The Justice Department has issued guidance restricting some uses, but guidance is not law and can be changed.

Communities of color are disproportionately affected by facial recognition. Studies have consistently shown that facial recognition systems have higher error rates for people with darker skin tones, women, and the elderly. When law enforcement uses flawed systems to identify suspects, the consequences — wrongful arrests, false accusations — fall hardest on already overpoliced communities.

Several cities, including San Francisco, Boston, and Oakland, have banned facial recognition by law enforcement. These bans reflect local concerns about accuracy and civil liberties. However, most cities and states have no restrictions, leaving law enforcement use of facial recognition unregulated.

The EU AI Act Approach

The European Union has taken a more restrictive approach to biometric surveillance. The EU AI Act, which took full effect in 2026, categorizes real-time biometric identification in public spaces as a high-risk application that is largely prohibited. Law enforcement use of facial recognition in public spaces is restricted to specific, enumerated purposes with judicial authorization.

The practical effect is that European law enforcement faces stricter constraints than American law enforcement. The prohibition on real-time biometric identification in public spaces means that automated surveillance cameras cannot be combined with facial recognition to track people in real time. This is a meaningful difference from US practice.

Enforcement is still developing. The European AI Office has authority to investigate violations and issue penalties, but the legal framework is new and untested. The gap between prohibition on paper and enforcement in practice may be substantial.

Protecting Yourself

Given the regulatory gaps, personal protection strategies are essential.

Prefer device-local biometric storage. When you use biometric authentication on your phone, the fingerprint or facial geometry is stored in a secure enclave on the device and is never transmitted to third parties. Prefer services that use this model over services that transmit biometric data to their servers.

Opt out where possible. Many businesses that collect biometric data offer opt-out mechanisms, particularly in states with privacy laws. Exercise those rights. When a restaurant wants to scan your ID or your face, ask what data is collected, how it is stored, and whether you can decline.

Support legal challenges. Organizations like the ACLU, the Electronic Frontier Foundation, and local privacy groups challenge biometric surveillance through litigation and advocacy. Supporting these organizations financially and politically helps build the legal framework that protects everyone.

Understand the limits of legal protection. Even in states with strong biometric laws, enforcement is inconsistent. Companies violate BIPA regularly, litigation is expensive, and most people never know their data was collected. Legal protections are necessary but not sufficient.

The Long-Term Stakes

Biometric data collection is not going to decrease. The technology is too useful for authentication, too cheap to deploy, and too valuable for surveillance. The legal framework will evolve, but slowly and unevenly across jurisdictions.

The stakes are high. A world where biometric data is routinely collected and stored is a world where your identity is permanently linked to your physical characteristics, where breaches expose data that cannot be changed, and where surveillance becomes more precise and harder to evade.

The only meaningful protection is to minimize biometric data collection in the first place: to treat your biometrics as the sensitive, irreplaceable data they are, and to refuse collection wherever you have the power to refuse. The law will eventually catch up — but in the meantime, your data is compromised, your identity is linked to your face, and the only person who can protect your biometrics is you.
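The distinction drawn under Protecting Yourself, between a service that matches your biometrics on its own servers and one that keeps the template on the device and only answers a challenge, is easier to reason about with both architectures side by side. The sketch below is an added illustration written for this page, not code from the article or from any vendor. Everything in it is constructed: the "templates" are toy five-number feature vectors, match_score is a toy similarity, and the device key is a symmetric HMAC key registered with the server as a simplification (real secure enclaves hold a private key and register only the public half, so the server learns even less). The point it shows is what each side stores, and therefore what a breach of each side exposes.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data (not from any real sensor): short feature vectors
# standing in for biometric templates so the two models run side by side.
ENROLLED_TEMPLATE = [0.12, 0.87, 0.45, 0.33, 0.91]
GENUINE_PROBE = [0.13, 0.86, 0.46, 0.32, 0.90]    # same person, sensor noise
IMPOSTOR_PROBE = [0.90, 0.10, 0.80, 0.70, 0.20]   # a different person
MATCH_THRESHOLD = 0.9


def match_score(template, probe):
    """Toy similarity in [0, 1]: 1 minus the mean absolute feature difference.
    Real matchers are far more involved; only the score-vs-threshold shape matters here."""
    diffs = [abs(a - b) for a, b in zip(template, probe)]
    return 1.0 - sum(diffs) / len(diffs)


class CloudMatcherServer:
    """Model A: the service stores templates and matches centrally. Every probe
    crosses the network, and a breach of `templates` leaks identifiers the
    user can never rotate."""

    def __init__(self):
        self.templates = {}  # user_id -> template (the irreplaceable data)

    def enroll(self, user_id, template):
        self.templates[user_id] = list(template)

    def authenticate(self, user_id, probe):
        return match_score(self.templates[user_id], probe) >= MATCH_THRESHOLD

    def breach_exposes(self):
        return "biometric templates (irreplaceable)"


class DeviceEnclave:
    """Model B: the template never leaves the device. Matching happens locally;
    on success the enclave answers a server challenge with a device key.
    Assumption/simplification: a symmetric HMAC key shared with the server."""

    def __init__(self, template):
        self._template = list(template)
        self._device_key = secrets.token_bytes(32)

    def registration_material(self):
        # What the service learns at enrollment: a device secret, not biometrics.
        return self._device_key

    def respond_if_match(self, probe, challenge):
        if match_score(self._template, probe) < MATCH_THRESHOLD:
            return None  # local match failed; nothing is released
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Relying party for Model B: stores device keys only, issues a fresh random
    challenge per attempt, and consumes it on first use so a captured response
    cannot be replayed."""

    def __init__(self):
        self.device_keys = {}
        self.pending = {}  # user_id -> outstanding challenge bytes

    def register(self, user_id, device_key):
        self.device_keys[user_id] = device_key

    def new_challenge(self, user_id):
        challenge = os.urandom(32)
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id, response):
        challenge = self.pending.pop(user_id, None)  # single use
        if challenge is None or response is None:
            return False
        expected = hmac.new(self.device_keys[user_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def breach_exposes(self):
        return "device keys (rotatable; no biometric data)"


def run_demo():
    """Run both models on the constructed probes and report the outcomes."""
    cloud = CloudMatcherServer()
    cloud.enroll("alice", ENROLLED_TEMPLATE)

    enclave = DeviceEnclave(ENROLLED_TEMPLATE)
    server = ChallengeServer()
    server.register("alice", enclave.registration_material())

    challenge = server.new_challenge("alice")
    response = enclave.respond_if_match(GENUINE_PROBE, challenge)
    local_genuine = server.verify("alice", response)
    local_replay = server.verify("alice", response)  # same response again

    challenge = server.new_challenge("alice")
    local_impostor = server.verify("alice", enclave.respond_if_match(IMPOSTOR_PROBE, challenge))

    return {
        "cloud_genuine": cloud.authenticate("alice", GENUINE_PROBE),
        "cloud_impostor": cloud.authenticate("alice", IMPOSTOR_PROBE),
        "local_genuine": local_genuine,
        "local_impostor": local_impostor,
        "local_replay": local_replay,
        "cloud_breach": cloud.breach_exposes(),
        "local_breach": server.breach_exposes(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both models accept the genuine probe and reject the impostor, so from the user's chair they look identical. The difference is in the breach columns: the cloud matcher's database is the thing the article warns about, a store of identifiers that cannot be reissued, while the challenge server holds only a key that can be revoked and re-enrolled. The single-use challenge is what stops a network observer from reusing a captured response, which is why "device-local" is only as good as the freshness of what the device is asked to sign.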