Missouri Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Missouri stands out as a state with minimal biometric data protections. Unlike Illinois, Texas, and Washington, Missouri has not enacted a law that specifically regulates how businesses collect, store, use, or share biometric identifiers such as fingerprints, facial geometry, or iris scans.

The state's breach notification law does not even include biometric data in its definition of protected personal information. That means businesses operating in Missouri face no state-level obligation to notify consumers, obtain consent, or follow retention rules when handling biometric data.

This guide breaks down what Missouri law currently says about biometric data, where the gaps are, what pending legislation could change, and what protections are available right now.

For a broader look at Missouri's privacy framework, see the parent guide to [Missouri Data Privacy Laws](/us-laws/data-privacy-laws/missouri-data-privacy-laws).

Missouri's Breach Notification Law Does Not Cover Biometric Data

Missouri's primary data protection statute is the breach notification law, codified at Mo. Rev. Stat. 407.1500. This law requires businesses to notify Missouri residents when a security breach exposes their personal information.

However, the statute defines "personal information" narrowly. It covers an individual's first name or first initial and last name combined with one or more of these data elements:

• Social Security number
• Driver's license number or government-issued identification number
• Financial account number, credit card number, or debit card number with any required security code or password
• Unique electronic identifier or routing code with any required security code or access code
• Medical information
• Health insurance information

Biometric data is not on this list. Fingerprints, facial scans, voiceprints, retinal patterns, and other biometric identifiers are not defined as personal information under the statute. This means a breach that exposes employee fingerprints from a time clock system or customer facial recognition data from a retail store does not trigger Missouri's notification requirements.

This puts Missouri behind the growing number of states that have added biometric data to their breach notification definitions. States like Louisiana, Arkansas, Nebraska, and Iowa all include biometric data in their breach notification statutes.

Attorney General Enforcement and Penalties

The Missouri Attorney General holds exclusive authority to enforce violations of the breach notification law. No private right of action exists under Mo. Rev. Stat. 407.1500.

The AG can seek:

• Actual damages for willful and knowing violations
• Civil penalties up to $150,000 per breach of security or series of related breaches discovered in a single investigation

Consumers who experience a data breach cannot file their own lawsuit under this statute. Enforcement runs entirely through the Missouri Attorney General's office.

Because biometric data is not covered under the statute's definition of personal information, these enforcement mechanisms do not apply to breaches involving only biometric data.

The Merchandising Practices Act: A Potential Backstop

Missouri's Merchandising Practices Act (MMPA), codified at Mo. Rev. Stat. 407.020, provides a broad prohibition on unfair and deceptive business practices.

The MMPA declares it unlawful to use "any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce."

This language is intentionally broad. Courts have interpreted it to cover a wide range of consumer protection issues. In theory, a company that collects biometric data while making misleading promises about how it will be used or stored could face an MMPA claim.

The MMPA allows both AG enforcement and private lawsuits. Consumers can seek actual damages, and the AG can pursue civil penalties and injunctive relief. However, no Missouri court has applied the MMPA specifically to biometric data collection or misuse, so this remains an untested theory.

Employer Use of Biometric Data in Missouri

Missouri has no state law that restricts employers from collecting biometric data from workers. Companies operating in Missouri that use fingerprint scanners for timekeeping, facial recognition for building access, or other biometric systems face no state-level requirement to:

• Provide written notice before collecting biometric data
• Obtain employee consent
• Establish data retention or destruction policies
• Limit sharing of employee biometric data with vendors or service providers

This contrasts sharply with Illinois, where employers face statutory damages of $1,000 to $5,000 per violation of the Biometric Information Privacy Act (BIPA). It also differs from states like Texas and Washington, where attorney general enforcement creates accountability for biometric data practices.

Missouri employers should still consider voluntarily implementing biometric data policies. If Missouri passes one of its pending biometric privacy bills, companies without existing policies would face a scramble to comply.

Pending Biometric Privacy Legislation

Missouri lawmakers have introduced several biometric privacy bills across the 2025 and 2026 legislative sessions. None have been signed into law as of March 2026, but the volume of proposals signals growing legislative interest.

2025 Session Bills

Senate Bill 554. Sponsored in the 2025 regular session, SB 554 would establish the Biometric Information Privacy Act. The bill was referred to the Senate Judiciary and Civil and Criminal Jurisprudence Committee in February 2025. Key provisions include:

• Written notice and written consent required before collecting biometric identifiers
• A publicly available retention policy with guidelines for permanent destruction
• A prohibition on selling, leasing, or trading biometric information
• A reasonable standard of care for storing and protecting biometric data
• A private right of action with liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations, plus attorney fees

House Bill 500 and House Bill 407. Both bills propose the Biometric Information Privacy Act with similar frameworks to SB 554. HB 407 was referred to the Emerging Issues Committee in May 2025. All three 2025 bills passed second readings but have not advanced to final passage.

2026 Session Bills

House Bill 1970. HB 1970 would prohibit a place of public accommodation from collecting, processing, transmitting, storing, or using an individual's biometric data without express consent. Violations would constitute a misdemeanor, and affected individuals could seek civil damages.

Senate Bill 1359. SB 1359 takes the opposite approach. Rather than creating new consumer protections, it would establish a safe harbor for businesses. Private entities that meet five conditions would be shielded from damages liability for unauthorized or negligent biometric data disclosure. Those conditions include posting warning signs, disclosing the purpose of collection, maintaining a written retention policy with a three-year maximum, complying with that policy, and securing biometric data at the same level as other sensitive information.

SB 1359 does not require consent, does not prohibit the sale of biometric data, and does not create a private right of action.

Federal Protections That Apply in Missouri

Because Missouri lacks state-level biometric privacy protections, federal laws provide the primary safeguards for residents.

Section 5 of the FTC Act allows the Federal Trade Commission to take enforcement action against companies engaged in unfair or deceptive practices involving biometric data. The FTC has used this authority against companies that failed to secure biometric information or made deceptive claims about biometric data collection.

HIPAA protects biometric data collected by covered healthcare entities and their business associates under the Privacy Rule. Healthcare providers in Missouri that use biometric patient identification must comply with federal standards.

COPPA requires parental consent before collecting biometric data from children under 13, enforced by the FTC.

FERPA restricts how schools handle student records, including biometric data, at the federal level.

How Missouri Compares to Other States

Missouri ranks among the least protective states for biometric privacy. The absence of both a dedicated biometric statute and biometric data coverage in the breach notification law leaves significant gaps.

• Illinois has the strongest biometric law in the nation (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
• Texas and Washington have biometric-specific statutes enforced by their attorneys general
• States with comprehensive privacy laws (Colorado, Connecticut, Virginia) classify biometric data as sensitive and require opt-in consent
• Louisiana includes biometric data in its breach notification law, creating at least some protection
• Missouri has no biometric-specific protections and does not include biometric data in breach notification rules

Until the legislature passes one of its pending biometric privacy bills, Missouri residents have limited recourse if a business collects, misuses, or fails to secure their biometric data.

More Missouri Laws

• Missouri Data Privacy Laws
• Missouri Recording Laws
• Missouri Hit and Run Laws
• Missouri Recording Laws
• Missouri Car Seat Laws

This article provides general legal information about Missouri biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Missouri for advice about your specific situation.