Wyoming Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Wyoming relies entirely on its breach notification law to protect biometric data. The state has not enacted a comprehensive consumer data privacy statute, a standalone biometric privacy law, or any regulation that governs the collection or use of biometric identifiers before a security breach occurs.
This places Wyoming in the same category as several other western and rural states that have been slow to adopt biometric-specific protections. While the breach notification statute does explicitly cover biometric data, the protections only activate after a security incident has already compromised that data.
For a broader overview of privacy protections in the state, see the parent guide to Wyoming Data Privacy Laws.
How Wyoming Law Defines Biometric Data

Wyoming's breach notification law, Wyo. Stat. 40-12-501, defines "unique biometric data" as data generated from measurements or analysis of human body characteristics for authentication purposes. This definition appears as one element within the broader definition of "personal identifying information" that triggers breach notification obligations.
The definition is narrower than what some other states use. By specifying "for authentication purposes," Wyoming limits coverage to biometric data that is actively used to verify identity. Biometric data collected for other purposes, such as marketing research or behavioral analytics, may fall outside the statute's scope.
Common types of biometric data covered under this definition include:
- Fingerprint scans used for device or system login
- Facial recognition templates used for identity verification
- Iris or retina scans used for secure access
- Voiceprints used for phone authentication
- Hand geometry scans used for building access or timekeeping
The statute does not specifically address whether photographs, video recordings, or audio recordings qualify as biometric data.
Wyoming's Broad Definition of Personal Identifying Information
One notable aspect of Wyoming's law is the breadth of its overall personal identifying information definition. Under Wyo. Stat. 40-12-501, personal identifying information includes the individual's first name or first initial and last name linked to any of the following data elements:
- Social Security number
- Driver's license or state ID number
- Tribal identification card number
- Federal or state government-issued ID card number
- Shared secrets or security tokens used for data-based authentication
- Username or email address combined with a password or security question answer
- Birth or marriage certificate
- Medical information, including medical history, mental or physical conditions, treatment, or diagnoses
- Health insurance information, including policy numbers and claims history
- Unique biometric data
- Individual taxpayer identification number
By including biometric data alongside medical information, health insurance data, and government-issued identification, Wyoming signals that biometric identifiers rank among the most sensitive categories of personal information.
The definition excludes information contained in any federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.
Breach Notification Requirements
When a breach exposes personal identifying information including biometric data, Wyoming's notification requirements apply under Wyo. Stat. 40-12-502.
Who Must Comply
Any individual or commercial entity that conducts business in Wyoming and owns or licenses computerized data that includes personal identifying information must comply. This applies to both Wyoming-based entities and out-of-state businesses that hold data on Wyoming residents.
Notification Timeline
Businesses must notify affected individuals in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
A law enforcement agency may request a delay in notification if it determines that notice will impede a criminal investigation. Once the agency determines notification will no longer compromise the investigation, the entity must proceed with notice.
Required Notification Content
Wyoming requires more detailed breach notifications than many states. Under the statute, the notice must include:
- The types of personal identifying information that were or are reasonably believed to have been compromised
- A general description of the breach incident
- The approximate date of the breach, if reasonably possible to determine
- Actions taken to protect the system from further breaches
- Advice that the individual remain vigilant by reviewing account statements and monitoring credit reports
- Whether notification was delayed due to a law enforcement investigation
Notification Methods
Notice must be provided by one of the following methods:
- Written notice mailed to the most recent address the entity has on file
- Telephone notice
- Electronic notice, if the individual has consented to electronic communication
Substitute Notice
If the cost of individual notice would exceed $250,000, the affected class exceeds 500,000 persons, or the entity does not have sufficient contact information, the entity may use substitute notice consisting of:
- Email notice, when available
- Conspicuous posting on the entity's website
- Notification to major statewide media
Enforcement and Penalties
The Wyoming Attorney General enforces the breach notification law through the Wyoming Consumer Protection Act (Wyo. Stat. Title 40, Chapter 12).
Each failure to notify an affected individual is treated as a separate violation. The Attorney General can pursue civil penalties of up to $10,000 per violation under the Consumer Protection Act.
The Attorney General can also seek injunctive relief, restitution to affected individuals, and recovery of investigation costs.
There is no private right of action under Wyoming's breach notification statute. Only the Attorney General may bring enforcement actions.
What Wyoming Law Does Not Cover

Wyoming's breach notification law leaves significant gaps in biometric data protection.
No Collection Consent Requirements
Wyoming does not require any form of notice or consent before collecting biometric data. Businesses and employers can implement fingerprint scanners, facial recognition systems, and voice authentication without informing or obtaining agreement from the individuals whose data is collected.
No Retention or Destruction Requirements
The law imposes no limits on how long organizations can store biometric data. There are no requirements to publish retention schedules, establish destruction timelines, or delete biometric data when the purpose for collection has ended.
No Purpose Limitation
Businesses face no restrictions on how they use, share, or sell biometric data collected from Wyoming residents. The law does not prohibit the sale of biometric data to third parties or the repurposing of biometric identifiers for uses unrelated to their original collection purpose.
No Data Minimization
There are no requirements to limit biometric data collection to what is reasonably necessary for a stated purpose.
Wyoming's Genetic Data Privacy Act

While not directly a biometric privacy law, Wyoming has enacted a separate Genetic Data Privacy Act that provides additional protections for genetic data specifically. The act requires clear notices and consent before collecting genetic data and is enforced by the Attorney General.
This law is relevant because genetic data and biometric data sometimes overlap. For example, DNA profiles used for identification purposes could qualify as both genetic data under the Genetic Data Privacy Act and biometric data under the breach notification statute.
How Wyoming Compares to Neighboring States
Wyoming's biometric data protections are limited compared to some neighbors but comparable to others in the region.
Colorado offers the strongest protections nearby, with its comprehensive privacy act classifying biometric data as sensitive and requiring opt-in consent. Montana passed the Montana Consumer Data Privacy Act with biometric provisions. Utah enacted the UCPA with an opt-out model for sensitive data including biometrics.
South Dakota and Nebraska share Wyoming's approach of relying primarily on breach notification statutes without dedicated biometric privacy laws. Idaho similarly lacks comprehensive biometric protections.
Legislative Outlook
As of early 2026, Wyoming has not introduced a comprehensive consumer data privacy bill or a standalone biometric privacy statute. The state has focused recent legislative efforts on government data privacy, with a committee-sponsored bill addressing government entities' handling of personal data advancing during the 2025 interim session.
That government data privacy bill would prohibit government entities from purchasing, selling, trading, or transferring personal data without the individual's express consent. If enacted, it could establish a framework that future legislation might extend to private-sector handling of biometric data.
Residents and businesses should monitor the Wyoming Legislature website for any proposed privacy-related bills.
Practical Guidance for Wyoming Residents
Without dedicated biometric privacy protections, Wyoming residents should take proactive steps.
Ask businesses and employers about their biometric data practices before providing fingerprints, facial scans, or other biometric information. While they are not legally required to disclose their practices, many organizations have privacy policies that address biometric data.
If you believe your biometric data was compromised in a breach and you did not receive proper notification, file a complaint with the Wyoming Attorney General's Consumer Protection Unit.
Review privacy policies before using apps, devices, or services that collect biometric data. Your rights may be stronger under the privacy laws of other states if the collecting entity is based in a state with comprehensive biometric protections.
Sources and References
This article references Wyoming statutes available through the Wyoming Legislature website. For the breach notification definitions, see Wyo. Stat. 40-12-501. For notification requirements, see Wyo. Stat. 40-12-502. For consumer complaints, contact the Wyoming Attorney General's Consumer Protection Unit.
This article provides general legal information about Wyoming biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Wyoming government sources.
Sources and References
- Wyo. Stat. 40-12-501 - Definitions (Breach Notification) (law.justia.com)
- Wyo. Stat. 40-12-502 - Computer Security Breach Notice (law.justia.com)
- Wyoming Legislature - State Statutes (wyoleg.gov)
- Wyoming Title 40 - Trade and Commerce (Full Text) (wyoleg.gov)
- Wyoming Attorney General - Privacy (ag.wyo.gov)
- Wyoming AG - Consumer Protection Unit (ag.wyo.gov)