Identity Verification Compliance: A 2026 Regulatory Landscape Overview
From AMLD6 to state-level FinTech regulations, the compliance landscape for identity verification is shifting rapidly. Here is what your compliance team needs to know.
With no federal biometric privacy law in sight, US states are creating their own — each with different requirements, penalties, and enforcement mechanisms. Compliance across state lines has never been more complex.
The United States has no federal biometric privacy law. What it has instead is a growing, inconsistent, and increasingly consequential patchwork of state-level legislation that creates compliance challenges for any organisation collecting or processing biometric data from US residents.
Illinois' Biometric Information Privacy Act remains the most aggressive and most litigated statute. Enacted in 2008 — years before most organisations had any biometric capability — BIPA requires written informed consent before collecting biometric identifiers and a publicly available written policy on retention and destruction, and it prohibits selling or otherwise profiting from biometric data. What makes BIPA uniquely powerful is its private right of action: individuals can sue directly for violations, with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. The resulting class action litigation has produced settlements totalling hundreds of millions of dollars and has made Illinois the jurisdictional focal point for biometric privacy enforcement in the US.
Colorado's amended privacy act, effective July 2025, added biometric-specific protections that extend beyond what its original comprehensive privacy law required. Entities collecting biometric identifiers of Colorado residents must now maintain a written policy with specific retention schedules, implement security controls including incident response plans, and refrain from collecting or disclosing biometric identifiers without proper transparency and consent. Connecticut has similarly expanded its sensitive data definitions to include biometric data even when not used for identification purposes — a broader scope than most other state laws.
Texas presents another variant. Its Responsible Artificial Intelligence Governance Act applies existing privacy requirements to data collected or processed for AI systems, clarifies consent requirements for biometric capture, and creates limited exceptions for biometric data used to train AI models under specified conditions. This introduces the first significant regulatory intersection between biometric privacy and AI governance at the state level.
The compliance challenge for multi-state organisations is the variation. The definition of "biometric data" differs across states. The consent requirements differ — some require written consent, others require any demonstrable form of informed consent. The retention and destruction obligations differ in specificity. The enforcement mechanisms differ — some states provide a private right of action, others rely exclusively on attorney general enforcement. And the exemptions differ, with some states carving out exceptions for financial institutions, healthcare providers, or law enforcement that other states do not.
For organisations implementing facial recognition, fingerprint scanning, or other biometric verification across the United States, the practical approach is to design for the most restrictive applicable standard. In practice, this means BIPA-compliant processes: explicit written consent, a published retention policy, purpose limitation, and architectural controls that minimise biometric data retention.
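The controls listed above are usually written down as policy; they are far easier to audit when the storage layer itself refuses to act without them. The following is an added example (not deepidv's code or any named product's implementation) of a template store that enforces the BIPA-style baseline in code: no collection without a recorded written consent, templates bound to the single purpose consented to, a fixed retention schedule after which the data is unusable and then destroyed, and an append-only audit trail of each decision. The subject name, purposes and 30-day retention period are constructed sample values, and the matching step is a constant-time byte comparison standing in for a real biometric matcher.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac


@dataclass(frozen=True)
class Consent:
    subject_id: str
    purpose: str        # the single purpose the subject agreed to
    written: bool       # True only for an explicit, recorded written consent
    signed_at: datetime


@dataclass
class TemplateRecord:
    purpose: str
    template: bytes     # derived template only; the raw image is never stored
    expires_at: datetime


class ConsentRequired(Exception):
    pass


class PurposeViolation(Exception):
    pass


class BiometricStore:
    """Holds biometric templates under the most restrictive applicable standard."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._consents: dict[str, Consent] = {}
        self._templates: dict[str, TemplateRecord] = {}
        self.audit: list[str] = []  # append-only record of every policy decision

    def record_consent(self, consent: Consent) -> None:
        self._consents[consent.subject_id] = consent
        self.audit.append(f"consent:{consent.subject_id}:{consent.purpose}")

    def enroll(self, subject_id: str, purpose: str, template: bytes, now: datetime) -> TemplateRecord:
        """Store a template only if written consent exists for exactly this purpose."""
        consent = self._consents.get(subject_id)
        if consent is None or not consent.written:
            self.audit.append(f"enroll-denied:{subject_id}:no-written-consent")
            raise ConsentRequired(subject_id)
        if consent.purpose != purpose:
            self.audit.append(f"enroll-denied:{subject_id}:purpose-mismatch")
            raise PurposeViolation(purpose)
        record = TemplateRecord(purpose, template, now + self.retention)
        self._templates[subject_id] = record
        self.audit.append(f"enroll:{subject_id}:expires:{record.expires_at.isoformat()}")
        return record

    def verify(self, subject_id: str, purpose: str, probe: bytes, now: datetime) -> bool:
        """Compare a probe against the stored template, honouring purpose and expiry."""
        record = self._templates.get(subject_id)
        if record is None:
            return False
        if record.purpose != purpose:
            self.audit.append(f"verify-denied:{subject_id}:purpose-mismatch")
            raise PurposeViolation(purpose)
        if now >= record.expires_at:
            # Expired data must not be used even if the purge job has not run yet.
            self.audit.append(f"verify-denied:{subject_id}:expired")
            return False
        # Stand-in matcher: constant-time equality. A real biometric matcher
        # scores similarity against a threshold rather than testing equality.
        return hmac.compare_digest(record.template, probe)

    def purge_expired(self, now: datetime) -> int:
        """Destroy templates past their retention date; returns how many were destroyed."""
        expired = [s for s, r in self._templates.items() if now >= r.expires_at]
        for subject_id in expired:
            del self._templates[subject_id]
            self.audit.append(f"destroyed:{subject_id}")
        return len(expired)

    def retained_subjects(self) -> list[str]:
        return sorted(self._templates)


def demo() -> dict:
    """Walk one constructed subject through consent, enrolment, verification and destruction."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = BiometricStore(retention=timedelta(days=30))  # constructed retention schedule
    outcome = {}
    try:  # collection before written consent is refused outright
        store.enroll("alice", "login", b"alice-template", t0)
    except ConsentRequired:
        outcome["enroll_without_consent"] = "refused"
    store.record_consent(Consent("alice", "login", True, t0))
    store.enroll("alice", "login", b"alice-template", t0)
    outcome["verify_same_purpose"] = store.verify("alice", "login", b"alice-template", t0 + timedelta(days=1))
    try:  # reuse for a purpose the subject never consented to is refused
        store.verify("alice", "marketing", b"alice-template", t0 + timedelta(days=1))
    except PurposeViolation:
        outcome["verify_other_purpose"] = "refused"
    outcome["verify_after_expiry"] = store.verify("alice", "login", b"alice-template", t0 + timedelta(days=31))
    outcome["destroyed"] = store.purge_expired(t0 + timedelta(days=31))
    outcome["retained"] = store.retained_subjects()
    return outcome


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the expiry check lives in `verify`, not only in the purge job: a retention policy that depends on a scheduled deletion running on time is the kind of control that fails silently, whereas refusing to read expired data makes the schedule self-enforcing. Persisting `audit` to append-only storage gives the written record most of these statutes expect.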
The absence of federal preemption means this patchwork will likely become more complex before it becomes simpler. Multiple state legislatures are considering biometric privacy bills, each with its own variations. The trajectory is toward more regulation, not less, and organisations that build biometric privacy compliance into their architecture now will face lower adaptation costs as new statutes emerge.
For organisations navigating this landscape while implementing biometric verification, deepidv provides identity verification infrastructure designed with configurable consent flows, minimal data retention, and compliance controls that adapt to the requirements of each jurisdiction.