Pennsylvania Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Pennsylvania does not have a dedicated biometric privacy statute. Unlike Illinois, which enacted the Biometric Information Privacy Act (BIPA) in 2008, and Texas, which passed its Capture or Use of Biometric Identifier Act (CUBI), Pennsylvania has yet to enact a law that specifically regulates the collection, storage, or use of biometric identifiers like fingerprints, facial geometry, or iris scans.
That does not mean biometric data goes unregulated in the state. Pennsylvania's existing breach notification law provides some coverage, and its consumer protection statute creates enforcement pathways. The state legislature has also introduced several bills that would directly address biometric privacy if passed.
For an overview of the broader privacy framework in the state, see the parent guide to Pennsylvania Data Privacy Laws.

How BPINA Applies to Biometric Data
The Breach of Personal Information Notification Act (BPINA), originally enacted as Act 94 of 2005, is Pennsylvania's primary data breach notification law. It requires businesses and government agencies to notify Pennsylvania residents when their personal information is compromised in a data breach.
BPINA defines "personal information" as an individual's first name or first initial and last name combined with one or more of these unencrypted data elements:
- Social Security number
- Driver's license or state identification card number
- Financial account number with any required security code, access code, or password
- Medical information held by a state agency
- Health insurance information
- A username or email address combined with a password or security question answer
Biometric identifiers like fingerprints, voiceprints, and facial geometry are not explicitly listed in the BPINA definition. This is a significant gap. If a company collects employee fingerprints for timekeeping and those fingerprints are stolen in a data breach, BPINA does not clearly require the company to notify affected individuals.
However, the law's broad language around "unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information" could apply where biometric data is linked to other covered elements like names and Social Security numbers.
The 2024 BPINA Amendment (Act 33 of 2024)
Governor Josh Shapiro signed Act 33 of 2024 on June 28, 2024, with an effective date of September 26, 2024. This amendment strengthened BPINA in several ways, though it still did not add biometric data to the definition of personal information.
Key changes include:
- Lowered notification threshold. Entities that notify more than 500 Pennsylvania residents of a breach must now also report the incident to the Pennsylvania Attorney General and to consumer reporting agencies. The previous threshold was 1,000.
- Free credit monitoring. Breached entities must provide affected individuals with 12 months of free credit monitoring when the breach involves Social Security numbers, driver's license numbers, state IDs, or financial account numbers.
- Faster timelines for government. State agencies must notify affected individuals and the Attorney General within seven business days of discovering a breach. Local government entities must notify individuals within seven business days and district attorneys within three business days.
The 2024 amendment was a step forward for breach response, but the absence of biometric identifiers in the covered data types means BPINA alone does not provide comprehensive protection for fingerprint scans, facial recognition templates, or other biometric data.
For more on breach notification requirements, see Pennsylvania Data Breach Notification Laws.
Consumer Protection Law and Private Right of Action
BPINA designates any violation of its requirements as an "unfair or deceptive act or practice" under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), codified at 73 Pa. Stat. Sections 201-1 through 201-9.2.
This connection matters because the UTPCPL provides two enforcement tracks:
- Attorney General enforcement. The AG can bring civil actions against businesses that violate BPINA, seeking injunctive relief, restitution, and civil penalties of up to $1,000 per violation (up to $3,000 per violation when the victim is 60 or older).
- Private right of action. Under Section 201-9.2, any person who purchases goods or services primarily for personal, family, or household purposes and suffers a loss due to an unfair or deceptive practice may file a private lawsuit. Courts may award actual damages (or a minimum of $100), attorney's fees, and up to treble (triple) damages at the court's discretion.
This means that while BPINA does not provide its own private right of action, the UTPCPL bridge allows individuals to sue for breach notification failures. If a company fails to provide required breach notices after a data breach that includes personal information, affected consumers can pursue damages through the UTPCPL.
The practical limitation is that this only applies when the breached data falls within BPINA's definition of personal information. Since biometric data is not listed, consumers would face difficulty bringing a UTPCPL claim based solely on a breach of their biometric identifiers.

Pending Legislation: HB 78 (Consumer Data Privacy Act)
The most significant biometric privacy bill in Pennsylvania's pipeline is House Bill 78, the Pennsylvania Consumer Data Privacy Act. The House passed HB 78 on October 1, 2025, with a vote of 127 to 76.
HB 78 follows the model of comprehensive state privacy laws already enacted in Virginia, Connecticut, and other states. Key biometric provisions include:
- Biometric data definition. The bill defines biometric data as data generated by automatic measurements of an individual's biological characteristics, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used to identify a specific individual. Photographs, video recordings, and audio recordings are excluded unless used for identification.
- Sensitive data classification. Biometric data is classified as "sensitive data" when processed to uniquely identify an individual. This triggers heightened protections.
- Opt-in consent required. Controllers must obtain affirmative opt-in consent from consumers before processing biometric data for identification purposes. Consent must be freely given, specific, informed, and unambiguous.
- Consumer rights. Individuals can request access to, correction of, deletion of, and portable copies of their biometric data. They can also opt out of the sale of their biometric data or its use for targeted advertising.
- AG-only enforcement. The Attorney General has exclusive enforcement authority. The bill does not include a private right of action. There is a 30-day cure period before the AG can initiate enforcement.
As of March 2026, HB 78 is pending in the Senate Communications and Technology Committee after being re-referred on February 4, 2026. Its companion bill, Senate Bill 112, sponsored by Senator Maria Collett, contains similar provisions and is also in the Senate Communications and Technology Committee.
Pending Legislation: HB 596 (Biometric Identifier Signage Act)
House Bill 596, introduced by Representative Ed Neilson on February 12, 2025, takes a narrower approach focused specifically on commercial disclosure of biometric data collection.
Key provisions:
- Scope. Applies to commercial establishments such as retail stores, restaurants, hotels, and entertainment venues that collect, retain, store, or share customers' biometric identifier information.
- Signage requirement. Covered establishments must place clear and conspicuous signs near customer entrances that notify customers in plain language about biometric data collection.
- Biometric identifier definition. Covers physiological or biological characteristics used to identify individuals, including retinal scans, fingerprints, voiceprints, and facial geometry.
- Private right of action. Customers can file civil lawsuits for violations. Damages range from $500 to $5,000 per violation, plus attorney's fees. There is a 30-day written notice and cure period before filing for signage-only violations.
- Exemptions. Government entities and financial institutions are excluded. Video recordings not used for identification purposes are also exempt.
HB 596 was referred to the House Commerce Committee on February 12, 2025, and has not advanced further as of March 2026. A nearly identical bill, HB 926, was introduced in the 2023-2024 session by the same sponsor but died in committee without receiving a vote.

Employer Use of Biometric Data in Pennsylvania
Pennsylvania employers that collect fingerprints, facial scans, or other biometric identifiers for timekeeping, access control, or security purposes currently operate without a state-specific biometric privacy law governing those activities.
There are several practical considerations:
- No state-level mandate. Pennsylvania does not require employers to provide written notice, obtain consent, or establish retention schedules before collecting employee biometric data.
- Multi-state exposure. Employers operating across state lines must consider the biometric laws of other states where they have employees. An employer headquartered in Pennsylvania but with workers in Illinois must comply with Illinois BIPA for those employees. BIPA class action settlements have reached tens of millions of dollars, including a $51.75 million settlement with Clearview AI in 2025.
- HB 78 impact if passed. If HB 78 becomes law, it would likely exempt employee data collected in an employment context from most consumer privacy provisions, following the approach taken by most comprehensive state privacy laws. However, employers should monitor the bill's progress as exemption language can change during the legislative process.
- Best practices. Employment law professionals in Pennsylvania recommend that employers proactively implement notice and consent procedures, establish data retention and destruction policies, and evaluate third-party vendor compliance even before a state law requires it.
How Pennsylvania Compares to Other States
Pennsylvania sits in a middle tier among states on biometric privacy protection. It lacks the strong standalone protections of states like Illinois (BIPA, with its private right of action that has generated billions in settlements) or Texas (CUBI, with AG enforcement and $25,000 per violation penalties).
The BPINA/UTPCPL combination provides some enforcement tools, but the absence of biometric identifiers from the breach notification trigger limits practical impact. If HB 78 passes, Pennsylvania would join more than 20 states with comprehensive consumer privacy laws that classify biometric data as sensitive, but without a private right of action for biometric claims specifically.
HB 596 would bring Pennsylvania closer to the Illinois model by creating a private right of action for commercial biometric data collection, though its scope is limited to customer-facing commercial establishments and does not cover employer data collection.
Sources and Official Resources
For the most current information on Pennsylvania biometric privacy laws and pending legislation, consult these official government sources:
- BPINA Full Text (Act 94 of 2005) on the Pennsylvania General Assembly website
- Act 33 of 2024 (BPINA Amendment) on the Pennsylvania General Assembly website
- PA Attorney General BPINA Information for breach reporting and consumer guidance
- HB 78 Bill Status on the Pennsylvania General Assembly website
- HB 596 Bill Status on the Pennsylvania General Assembly website
- SB 112 Bill Status on the Pennsylvania General Assembly website
This article provides general legal information about Pennsylvania biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Pennsylvania government sources.