Biometric Privacy Laws by State (2026): BIPA, CUBI & Consent
Most U.S. states do not have a dedicated biometric privacy law. Only Illinois (BIPA), Texas (CUBI), and Washington have stand-alone biometric statutes. About twenty more states protect biometric data as sensitive data under a broader consumer privacy law, and the rest cover it only through data-breach notification rules. There is no federal biometric privacy law.
Jurisdiction scope: This guide covers U.S. state biometric privacy laws (fingerprints, facial geometry, voiceprints, retina and iris scans) as of 2026. It is general legal information, not legal advice.
Which States Have Biometric Privacy Laws?
A biometric identifier is a measurement of a unique physical trait, such as a fingerprint, faceprint, voiceprint, or iris scan. As of 2026, only three states regulate the collection of biometric identifiers with a dedicated statute. Everywhere else, biometric data is protected either as a category of sensitive data under a general consumer privacy law or only through data-breach notification rules. No federal law specifically governs commercial biometric data, so the protections that apply to you depend entirely on your state.
The single most important distinction is whether a state gives individuals a private right of action, meaning the ability to sue on their own. Only Illinois does. That one feature is why Illinois is the center of biometric litigation in the country.
The Three Dedicated Biometric Laws
Illinois, Biometric Information Privacy Act (BIPA), 740 ILCS 14. Enacted in 2008, BIPA is the strictest biometric law in the United States. A private entity must obtain written consent before collecting a person's biometric identifier, publish a retention and destruction schedule, and never sell biometric data. BIPA is the only biometric law with a private right of action, and it sets statutory damages of $1,000 per negligent violation and $5,000 per reckless or intentional violation, plus attorney fees. The Illinois Supreme Court has held that a person does not need to prove actual harm to sue (Rosenbach v. Six Flags, 2019).
Texas, Capture or Use of Biometric Identifier Act (CUBI), Business and Commerce Code 503.001. Texas requires informed consent before capturing a biometric identifier for a commercial purpose and limits how long it can be retained. Unlike BIPA, CUBI has no private right of action; only the Texas Attorney General can enforce it, with civil penalties up to $25,000 per violation.
Washington, RCW 19.375 and the My Health My Data Act. Washington's 2017 biometric law requires notice and consent before enrolling a biometric identifier in a database for a commercial purpose, enforced by the Attorney General. Washington went further in 2023 with the My Health My Data Act, which treats biometric data tied to health as protected consumer health data and includes a private right of action.
Biometric Data as Sensitive Data Under State Privacy Laws
Roughly twenty states have passed comprehensive consumer privacy laws, and nearly all of them classify biometric data as sensitive data. These include California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others. Under these laws, a business generally must obtain opt-in consent (or, in California, honor an opt-out) before processing biometric data, and consumers gain rights to access and delete it. Colorado amended its privacy act in 2024 to add specific biometric provisions. These protections are real but are enforced by the state attorney general, not through individual lawsuits.
States Without a Dedicated Biometric Law
In the remaining states, there is no statute that specifically restricts collecting biometric identifiers. Biometric data is usually still listed as protected personal information in the state's data-breach notification law, so a company that suffers a breach involving biometric data must notify affected residents. But there is generally no requirement to obtain consent before collection, and no individual right to sue over the collection itself.
Biometric Privacy Laws by State
The table below links to a detailed guide for each state. Select your state for the specific statute, consent rules, penalties, and recent changes.
| State | Dedicated biometric law? | Key statute | How biometric data is protected |
|---|---|---|---|
| Alabama | No | None | Mainly data-breach notification coverage |
| Alaska | No | None | Mainly data-breach notification coverage |
| Arizona | No | None | Mainly data-breach notification coverage |
| Arkansas | No | None | Mainly data-breach notification coverage |
| California | No | None | Sensitive data, opt-in consent under California's privacy law |
| Colorado | No | None | Sensitive data, opt-in consent under Colorado's privacy law |
| Connecticut | No | None | Sensitive data, opt-in consent under Connecticut's privacy law |
| Delaware | No | None | Sensitive data, opt-in consent under Delaware's privacy law |
| District of Columbia | No | None | Mainly data-breach notification coverage |
| Florida | No | None | Mainly data-breach notification coverage |
| Georgia | No | None | Mainly data-breach notification coverage |
| Hawaii | No | None | Mainly data-breach notification coverage |
| Idaho | No | None | Mainly data-breach notification coverage |
| Illinois | Yes | BIPA (740 ILCS 14) | Dedicated statute (strongest protection) |
| Indiana | No | None | Sensitive data, opt-in consent under Indiana's privacy law |
| Iowa | No | None | Sensitive data, opt-in consent under Iowa's privacy law |
| Kansas | No | None | Mainly data-breach notification coverage |
| Kentucky | No | None | Sensitive data, opt-in consent under Kentucky's privacy law |
| Louisiana | No | None | Mainly data-breach notification coverage |
| Maine | No | None | Mainly data-breach notification coverage |
| Maryland | No | None | Sensitive data, opt-in consent under Maryland's privacy law |
| Massachusetts | No | None | Mainly data-breach notification coverage |
| Michigan | No | None | Mainly data-breach notification coverage |
| Minnesota | No | None | Sensitive data, opt-in consent under Minnesota's privacy law |
| Mississippi | No | None | Mainly data-breach notification coverage |
| Missouri | No | None | Mainly data-breach notification coverage |
| Montana | No | None | Sensitive data, opt-in consent under Montana's privacy law |
| Nebraska | No | None | Sensitive data, opt-in consent under Nebraska's privacy law |
| Nevada | No | None | Mainly data-breach notification coverage |
| New Hampshire | No | None | Sensitive data, opt-in consent under New Hampshire's privacy law |
| New Jersey | No | None | Sensitive data, opt-in consent under New Jersey's privacy law |
| New Mexico | No | None | Mainly data-breach notification coverage |
| New York | No | None | Mainly data-breach notification coverage |
| North Carolina | No | None | Mainly data-breach notification coverage |
| North Dakota | No | None | Mainly data-breach notification coverage |
| Ohio | No | None | Mainly data-breach notification coverage |
| Oklahoma | No | None | Mainly data-breach notification coverage |
| Oregon | No | None | Sensitive data, opt-in consent under Oregon's privacy law |
| Pennsylvania | No | None | Mainly data-breach notification coverage |
| Rhode Island | No | None | Sensitive data, opt-in consent under Rhode Island's privacy law |
| South Carolina | No | None | Mainly data-breach notification coverage |
| South Dakota | No | None | Mainly data-breach notification coverage |
| Tennessee | No | None | Sensitive data, opt-in consent under Tennessee's privacy law |
| Texas | Yes | CUBI (Bus. & Com. Code 503.001) | Dedicated statute (strongest protection) |
| Utah | No | None | Sensitive data, opt-in consent under Utah's privacy law |
| Vermont | No | None | Mainly data-breach notification coverage |
| Virginia | No | None | Sensitive data, opt-in consent under Virginia's privacy law |
| Washington | Yes | RCW 19.375 + My Health My Data Act | Dedicated statute (strongest protection) |
| West Virginia | No | None | Mainly data-breach notification coverage |
| Wisconsin | No | None | Mainly data-breach notification coverage |
| Wyoming | No | None | Mainly data-breach notification coverage |
What About BIPA Specifically?
Because Illinois BIPA drives most biometric litigation in the country, it is worth understanding on its own. For the statute's consent and retention requirements, the landmark cases, and how the per-scan damages question affects employers, see our detailed BIPA explainer, and for the Illinois state context, our Illinois biometric privacy guide.
Sources and References
- Illinois Biometric Information Privacy Act, 740 ILCS 14 (ilga.gov)
- Texas Business and Commerce Code 503.001 (CUBI) (statutes.capitol.texas.gov)
- Washington RCW 19.375 (Biometric Identifiers) (app.leg.wa.gov)
- Washington My Health My Data Act, RCW 19.373 (app.leg.wa.gov)
- California Civil Code 1798.140 (CCPA sensitive personal information) (leginfo.legislature.ca.gov)
- Colorado HB24-1130 (biometric amendment to the Colorado Privacy Act) (leg.colorado.gov)