Mississippi Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Mississippi is among the states that offer the least legal protection for biometric data. The state has no biometric-specific privacy statute, no comprehensive consumer data privacy law, and a breach notification law that does not mention biometric information. Residents who provide fingerprints to employers, encounter facial recognition systems, or submit biometric data to apps and devices have minimal state-level recourse if that data is mishandled.

This guide covers what Mississippi law does and does not protect when it comes to biometric information, the repeated legislative attempts that have stalled, and the federal protections that partially fill the gap.

For broader context on Mississippi's overall privacy framework, see the parent guide to Mississippi Data Privacy Laws.

What Counts as Biometric Data

Biometric data refers to unique physical or behavioral characteristics used to identify a specific person. Common examples include fingerprints, facial geometry (used in facial recognition systems), iris and retina scans, voiceprints, palm prints, vein patterns, and gait analysis.

States with dedicated biometric privacy laws, such as Illinois (BIPA), Texas (CUBI), and Washington, define these identifiers in statute and regulate how entities handle them. Mississippi has not enacted any similar law.

Mississippi's Current Legal Framework

Breach Notification Law (Miss. Code Ann. 75-24-29)

Mississippi's primary data protection statute is the Breach Notification Law, originally enacted in 2010. The law requires any person conducting business in the state to notify Mississippi residents when a security breach compromises their personal information.

The statute defines "personal information" as an individual's first name or first initial and last name combined with one or more of the following:

• Social Security number
• Driver's license number, state identification card number, or tribal identification card number
• Financial account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the account

Biometric data, including fingerprints, facial scans, and voiceprints, is not included in this definition. A data breach that exposes only biometric records would not trigger notification requirements under Mississippi law.

Key Limitations of the Breach Notification Law

Mississippi's breach notification statute has several notable gaps compared to other states:

• No biometric data coverage. Many states have updated their breach notification laws to include biometric information as a protected data element. Mississippi has not.
• No Attorney General notification requirement. The law does not require businesses to report breaches to the Mississippi Attorney General, only to affected individuals.
• Harm threshold. Notification is not required if the entity "reasonably determines the breach is not likely to result in harm" to the affected individuals.
• No specific timeline. The law requires notice "without unreasonable delay" but does not set a firm deadline in days.
• Encryption safe harbor. If the breached data was encrypted or rendered unreadable, notification is not required.

Mississippi Consumer Protection Act (Miss. Code Ann. 75-24-5)

The Mississippi Consumer Protection Act prohibits unfair and deceptive trade practices. While the statute does not reference biometric data specifically, a business that made misleading promises about how it handles biometric information could theoretically face enforcement under this law.

Violations of the breach notification statute are treated as unfair trade practices under the Consumer Protection Act, giving the Mississippi Attorney General authority to pursue enforcement actions. However, there is no record of the Attorney General using this authority in connection with biometric data.

No Employer-Specific Biometric Rules

Mississippi places no state-law restrictions on employers who collect biometric data from workers. Companies that use fingerprint-based time clocks, facial recognition for building access, or other biometric systems are not required by state law to:

• Obtain written or informed consent before collecting biometric data
• Disclose the purpose of collection or how the data will be stored
• Establish retention schedules or data destruction timelines
• Limit sharing of biometric data with third parties
• Provide employees access to their own biometric records

This stands in sharp contrast to states like Illinois, where the Biometric Information Privacy Act requires written informed consent and imposes statutory damages of $1,000 to $5,000 per violation.

Failed Legislative Attempts

Mississippi lawmakers have introduced several bills that would have established biometric privacy protections or comprehensive data privacy frameworks. None have become law.

Biometric Identifiers Privacy Act (HB 467, 2023)

House Bill 467, introduced on January 12, 2023, was modeled closely on Illinois' BIPA. The bill would have required private entities that possess biometric identifiers to:

• Inform individuals in writing that their biometric data is being collected or stored
• Disclose the specific purpose of collection and the length of storage
• Obtain a written release from the individual before collection
• Develop a publicly accessible written policy with a retention schedule and destruction guidelines

The bill included a private right of action allowing individuals to recover the greater of $1,000 or actual damages for negligent violations, or the greater of $5,000 or actual damages for intentional or reckless violations, plus reasonable attorneys' fees.

HB 467 died in committee on January 31, 2023, without receiving a hearing.

Mississippi Consumer Data Privacy Act (SB 2080, 2023)

Senate Bill 2080 was a broader consumer privacy bill introduced in January 2023. It would have classified biometric data as a protected category and established consumer rights including data access, correction, and deletion. The bill died in committee the same month.

Mississippi Consumer Data Protection Act (SB 2500, 2025)

Senate Bill 2500, introduced in the 2025 regular session, defined biometric data as "data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual." The bill would have classified genetic or biometric data processed for uniquely identifying a natural person as sensitive data requiring consent.

The bill would have authorized the Attorney General to seek civil penalties of up to $7,500 per violation. SB 2500 died in committee in February 2025.

Mississippi Consumer Privacy Protection Act (HB 1051, 2026)

House Bill 1051, the most recent attempt, was introduced in the 2026 regular session. It applied to entities with over $25 million in annual revenue that process personal data of at least 25,000 consumers. The bill died in committee on February 3, 2026.

The repeated failure of these bills suggests that Mississippi is unlikely to pass comprehensive biometric privacy legislation in the near term.

Federal Protections That Apply in Mississippi

Because Mississippi lacks a state biometric privacy law, federal statutes provide the primary legal framework for biometric data protection.

Section 5 of the FTC Act allows the Federal Trade Commission to bring enforcement actions against companies engaged in unfair or deceptive practices involving biometric data. The FTC has taken action against companies for deceptive facial recognition practices and inadequate data security measures.

HIPAA protects biometric data when collected or used by covered healthcare entities and their business associates. Fingerprint or facial recognition data used in a healthcare setting falls under HIPAA's Privacy Rule.

FERPA restricts how educational institutions handle student biometric data. Schools in Mississippi that use fingerprint-based lunch payment systems or other biometric tools must comply with FERPA's privacy requirements.

COPPA imposes strict requirements on the collection of biometric data from children under 13, including parental consent requirements enforced by the FTC.

FCRA applies when biometric data is used in background checks or consumer reports. Employers in Mississippi who use facial recognition or fingerprint databases for screening must follow FCRA requirements.

How Mississippi Compares to Other States

Mississippi falls into the least protective tier of states for biometric privacy. For comparison:

• Illinois has the strongest biometric law in the country (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
• Texas and Washington have biometric-specific statutes enforced by their attorneys general
• States with comprehensive privacy laws (like Colorado, Connecticut, and Virginia) classify biometric data as sensitive and require consent for processing
• Mississippi has no biometric-specific protections, no comprehensive privacy law, and a breach notification statute that excludes biometric data entirely

Neighboring states offer a mixed picture. Louisiana, Alabama, Tennessee, and Arkansas each have varying levels of biometric data protection, but none match the comprehensive framework found in Illinois.

More Mississippi Laws

• Mississippi Data Privacy Laws
• Mississippi Lemon Laws
• Mississippi Dog Bite Laws
• Mississippi Statute of Limitations
• Mississippi Recording Laws
• Mississippi Car Seat Laws

This article provides general legal information about Mississippi biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Mississippi for advice about your specific situation.