A face is not a password
You can change a stolen password in thirty seconds. You cannot change your face. You cannot reset your fingerprints, swap out your iris, or be reissued a new voice. That single asymmetry—the permanence of the human body as an identifier—is the reason biometric data sits in a legal category all its own, and the reason a body of law has grown up around it capable of turning an ordinary product decision into an existential risk.
Consider two fictional companies. The first, Northwind Fitness, is a regional gym chain that wants to modernize. It installs cameras at the front desk so members can check in by face instead of fumbling for a key fob, and it bolts a fingerprint scanner to the staff entrance so employees can clock in without a badge. Convenient, cheap, and—Northwind's operations team assumes—uncontroversial. The second, Lumen AI, builds the facial-recognition and voice-authentication technology that companies like Northwind buy. To make its models accurate, Lumen needs faces and voices by the million to train on, and the cheapest source of faces and voices on Earth is the open internet.
Neither company thinks of itself as being in the privacy business. Both are about to discover that they are. When Meta agreed in 2024 to pay Texas $1.4 billion to settle claims that Facebook had captured the facial geometry of millions of Texans without consent—the largest privacy settlement a single state had ever extracted from a single company—it was not because Meta set out to violate anyone's rights. It was because biometric data is governed by statutes that punish the act of collecting without consent, whether or not anyone is ever harmed. The same logic that produced that ten-figure settlement governs Northwind's check-in camera and Lumen's training set. There is no de minimis exception for good intentions.
This article maps the law that applies to both companies. It begins with the Illinois statute that started the modern era of biometric litigation, traces the rules across the United States, crosses the Atlantic for the GDPR and the EU AI Act, and ends with a compliance approach you can actually use. The throughline never changes: because biometric identifiers are permanent, the law treats their collection as something that must be disclosed and consented to up front—and the penalties for getting that wrong are unusually, sometimes ruinously, severe. For the related problem of synthetic faces and voices, see our piece on the right of publicity and digital doubles; for the broader map of AI law, see our overview of the key legal issues in artificial intelligence.
Three steps, one permanent record
Before any statute, it helps to understand what a biometric system actually does, because the law's distinctions track the technology's stages with surprising precision. Every biometric system performs three operations.
First comes enrollment: the system captures a raw sample—a photograph of a face, a recording of a voice, the impression of a fingertip. Second comes template generation: software reduces that raw sample to a mathematical representation, a so-called template or faceprint, by mapping nodal points (the distance between the eyes, the angle of the jaw) and encoding them as numbers. A well-built system often discards the raw image at this point and keeps only the encrypted template, which cannot be reverse-engineered into the original picture. Third comes matching: a live sample is compared against the stored template, either one-to-one ("are you really the person who enrolled?"—authentication) or one-to-many ("who is this unknown face among thousands?"—identification).
That three-step pipeline is the hidden skeleton of biometric law. The statutes do not regulate photographs or audio as such; they regulate the template—the identifying mathematical map—and the conduct of capturing, storing, and matching it. A camera that takes pictures is not, without more, a biometric system. A camera that takes pictures and builds searchable faceprints from them is. Hold that distinction in mind, because nearly every close case in this field turns on it.
Illinois BIPA: ground zero
The Illinois Biometric Information Privacy Act, enacted in 2008, is the most consequential biometric privacy law in the country, and understanding it is the key to understanding everything that followed. BIPA (740 ILCS 14/) grew out of a specific and prescient worry. The legislature found that biometrics are "biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions" (740 ILCS 14/5(c)). No existing law protected this uniquely vulnerable data, so Illinois built a framework from scratch—and, in a decision whose consequences nobody fully grasped at the time, gave ordinary people the right to enforce it themselves.
BIPA covers two things. Biometric identifiers are retina and iris scans, fingerprints, voiceprints, and scans of hand or face geometry (740 ILCS 14/10). Biometric information is any information derived from an identifier that is used to identify a person—so if a company converts a fingerprint into a unique number or an iris image into an "iris code," that derivative is covered too, as long as it can still pick out the individual (see Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1095 (N.D. Ill. 2017)). The statute deliberately excludes a list of things that look biometric but are not treated as such: photographs, writing samples and signatures, demographic data, tattoo descriptions, physical descriptions like height or hair color, biological samples used for valid scientific testing, and information collected in a healthcare setting under HIPAA.
What the statute requires is, on its face, modest. Section 15 imposes a sequence of duties. Before a private entity collects biometric identifiers, it must (a) inform the person in writing that biometric data is being collected and stored; (b) inform them, in writing, of the specific purpose and the length of time the data will be kept and used; and (c) obtain a written release authorizing the collection (740 ILCS 14/15(b)). The entity must also publish a written retention-and-destruction policy and actually destroy the data when its purpose is satisfied or within three years of the person's last interaction, whichever comes first (§ 15(a)). It may not sell, lease, trade, or otherwise profit from the data at all—and BIPA, unlike its sister statutes, provides no consent exception to that ban (§ 15(c)). It may disclose the data only in narrow circumstances. And it must protect the data using the reasonable standard of care in its industry, in a manner at least as protective as it uses for other confidential information (§ 15(e)).
For Northwind, that means the facial check-in system cannot lawfully go live until the gym has given each member written notice of what it collects, why, and for how long, and has obtained each member's written release—and the same is true, separately, for the staff fingerprint clock, with employees as the data subjects. (BIPA's definition of "written release" expressly contemplates the employment context, treating a release "executed by an employee as a condition of employment" as valid consent; 740 ILCS 14/10.) Skipping any of those steps is not a technicality to be cured later. It is the violation, complete the moment the first face is scanned.
What actually counts as biometric data
A surprising share of biometric litigation turns not on whether consent was obtained but on whether the data at issue is biometric data at all—and these edge cases are worth understanding because they define the boundaries of the entire field.
BIPA's exclusion of photographs is the classic battleground. A digital photo sitting in a database is not a biometric identifier. But the moment software extracts a mathematical map of the face's geometry from that photo—a faceprint capable of distinguishing this person from everyone else—the output is biometric data even though the input was an ordinary picture. The federal courts in Illinois settled this early and decisively. In Monroy v. Shutterfly, Inc., 2017 WL 4099846 (N.D. Ill. 2017), the court found "nothing in BIPA's statutory text" to suggest the Act lacks application to the highly detailed facial maps Shutterfly derived from user-uploaded photos. Rivera v. Google drew the line with admirable clarity: "if Google simply captured and stored the photographs and did not measure and generate scans of face geometry, then there would be no violation of the Act." The line is the extraction of an identifying template, not the medium of the source. This is why a gym that merely stores members' photos is outside BIPA while a gym that runs those photos through face-matching software is inside it.
The same logic produces genuine defenses. BIPA reaches only data capable of identifying a specific person. A system that counts how many people walk past a display, or estimates the age range of a crowd without recognizing any individual, may process facial images all day without ever creating a biometric identifier. So a plaintiff has to plead and prove that the defendant actually built an identifying template; the bare fact that a defendant "uses facial recognition" somewhere is not enough (see Gullen v. Facebook, Inc., 2018 WL 1609337 (N.D. Cal. 2018), aff'd, 772 F. App'x 481 (9th Cir. 2019), where the plaintiff lost on summary judgment for failing to show Facebook ran its software on his photo). More recently, in the Martell v. X Corp. dismissal, a court rejected claims premised on photo hashes used to flag nudity, because hashes that detect content cannot identify the person in the image.
The practical upshot for a company designing a product is profound: the architecture choice—whether the system creates and stores an identifying template—often determines whether the heaviest biometric rules apply at all. Designing a feature to avoid building identifying templates, where the business purpose allows, can move it outside the statute entirely. That is not a loophole. It is the law tracking the real privacy risk, which comes from identification, not from the mere processing of an image.
Collector or possessor? The distinction that decides who is on the hook
BIPA and its Texas and Washington cousins draw a line that catches companies off guard: they impose one set of duties on entities that collect biometric data and a related but distinct set on entities that merely possess it. The collector obligations are the heavier ones—notice, written release, the up-front disclosures. The possessor obligations attach to anyone who holds the data: maintain a published retention policy, destroy on schedule, restrict disclosure, and secure the data reasonably. A single company can wear both hats, and many do.
This matters enormously for vendor relationships, which we return to below, but it matters as a threshold question even for a single firm. The Illinois Supreme Court has defined "possession" as occurring "when a person has or takes control of the subject property or holds the property at his or her disposal" (People v. Ward, 215 Ill. 2d 317, 325 (2005)). A plaintiff who cannot plausibly allege that a defendant exercised that kind of dominion and control over the biometric data may lose at the pleading stage—as the plaintiff did in Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960, 968 (N.D. Ill. 2020), where the complaint failed to allege that the defendant ever controlled the data at all. The lesson is that liability is not magic: it attaches to specific conduct (collecting, possessing) by specific parties, and the pleadings have to connect a defendant to one of those roles.
Why BIPA became a litigation engine
Most privacy laws are enforced by regulators—an attorney general, a data-protection authority. BIPA is different, and that difference is the whole story. Section 20 gives private individuals a right of action and sets liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless one, plus reasonable attorneys' fees and costs (740 ILCS 14/20). For a decade after enactment, this lay mostly dormant. Then, in 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, and the dam broke.
The question in Rosenbach was deceptively simple: must a plaintiff show some actual harm—identity theft, financial loss, emotional distress—to sue under BIPA, or is the bare violation of the statute's rules enough? A mother had sued Six Flags after the amusement park fingerprinted her teenage son to issue a season pass without the written notice and release BIPA requires. She alleged no theft, no leak, no concrete injury beyond the violation itself. The court held that she was nonetheless "aggrieved" within the meaning of the statute and could sue: "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person." The violation is the injury, because the statute exists precisely to protect against the loss of control over one's biometric identity before any downstream harm materializes.
That holding turned BIPA into one of the most powerful plaintiffs' statutes in the country. Class actions surged from a trickle to many hundreds. A company that had fingerprinted thousands of employees without proper consent now faced thousand-dollar penalties multiplied across an entire workforce, with no need to prove that anyone was actually hurt. The math, suddenly, was terrifying.
Cothron and the per-scan time bomb
In 2023 the exposure grew more alarming still. In Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court answered a question of statutory accrual: does a BIPA claim arise once, when biometric data is first collected, or every single time it is scanned or transmitted? Latrina Cothron, a White Castle manager, had scanned her fingerprint to access her workstation and payroll system thousands of times over more than a decade. The court held, 4–3, that a separate claim accrues with each scan.
The arithmetic is staggering. An employee who clocked in and out with a fingerprint twice a day for five years generated thousands of separate violations, each carrying $1,000 to $5,000. White Castle estimated its potential exposure across its Illinois workforce at over $17 billion. The majority acknowledged that its reading could produce "annihilative liability" out of proportion to any actual harm, but reasoned that the statutory text compelled the result and that any fix had to come from the legislature, which "may amend the Act." The court all but begged Springfield to act.
The 2024 amendment: a cap, at last
The legislature obliged with unusual speed. In August 2024, Illinois enacted Senate Bill 2979 (Public Act 103-0769), amending BIPA in two important ways. First—and this is the headline—it provides that a private entity that, in more than one instance, collects or discloses the same biometric identifier or information from the same person using the same method of collection has committed a single violation, for which the aggrieved person is entitled to, at most, one recovery. In plain terms: the damages clock now runs per person, not per scan, defusing the Cothron bomb for conduct going forward. Second, the amendment confirms that a "written release" includes an electronic signature, resolving lingering doubt about whether click-through digital consent flows satisfy the statute.
The amendment helps enormously, but two cautions remain, and both matter for litigation strategy. Its retroactive reach is contested: courts have split on whether the single-violation rule applies to conduct that predated August 2024, which is decisive for the large stock of pending per-scan cases. A company sued today over pre-amendment fingerprinting may still face the older, larger exposure until the appellate courts—and likely the Illinois Supreme Court—settle whether the cap reaches backward. And even with the cap, BIPA remains the most potent biometric statute in the country. Class actions kept landing at a brisk pace through 2025, and settlements continued to arrive in the tens of millions: a multimillion-dollar facial-recognition settlement covering well over a hundred thousand class members, and a separate resolution of claims that an education-technology company captured face and voice models from hundreds of thousands of Illinois students. The Clearview AI litigation, consolidated as In re Clearview AI, Inc. Consumer Privacy Litigation in the Northern District of Illinois, settled on a genuinely novel structure: because Clearview could not fund a conventional cash settlement, the class received an equity stake in the company valued at roughly $51.75 million—a creative answer to the problem of a defendant whose primary asset is the very database that got it sued.
For Northwind, the lesson is concrete. The 2024 amendment limits the size of a BIPA judgment to once-per-person, but it does nothing to excuse the underlying obligation. Notice, written release, a published retention policy, and timely destruction are still mandatory before the first face is scanned.
A worked hypothetical (illustrative only). Suppose 600 Northwind employees clocked in and out by fingerprint, twice a day, over three years before anyone realized BIPA applied. Under the per-scan theory of Cothron, that is roughly 600 employees × 2 scans × 365 days × 3 years ≈ 1.3 million scans, and at even the negligent rate of $1,000 each the theoretical exposure runs into the billions—the "annihilative" figure the Illinois Supreme Court flinched at. The 2024 amendment changes the picture dramatically for conduct going forward: the same facts now yield at most one violation per person, or roughly $600,000 to $3 million for the group, plus attorneys' fees. That is the difference between a survivable settlement and the end of the company, and it turns on a single statutory sentence. But note what the amendment did not do. It did not make the collection lawful. Northwind still violated the statute by capturing fingerprints without written releases; the cap only limits how badly that violation can be monetized—and only, perhaps, for conduct after August 2024.
Across the states: Texas, Washington, and the comprehensive laws
BIPA dominates the litigation because of its private right of action, but it is far from the only biometric law. The Texas–Meta settlement proved that a determined regulator can match or exceed private class actions, and the comprehensive consumer-privacy laws sweeping the country have quietly folded biometrics into a national patchwork.
Texas CUBI and the $1.4 billion lesson
Texas's Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001, enacted in 2009, forbids capturing a biometric identifier for a commercial purpose without first informing the person and obtaining consent. CUBI is in several respects narrower than BIPA. It covers only biometric identifiers (not derived "information"), it demands no written release, it does not specify what the notice must contain, and—crucially—it has no private right of action. Only the Texas Attorney General may sue, and the maximum civil penalty is up to $25,000 per violation (§ 503.001(d)).
For years that combination made CUBI look like a paper tiger next to its Illinois cousin. Then, in February 2022, the Texas Attorney General sued Meta over Facebook's "tag suggestions" feature, which captured facial geometry from photos that Texans and their friends uploaded—often without the subjects' knowledge, let alone consent. The complaint paired CUBI with the Texas Deceptive Trade Practices–Consumer Protection Act (Tex. Bus. & Com. Code §§ 17.41–17.63), alleging both unlawful capture and deceptive practices. The resulting settlement, announced in July 2024, reshaped how companies think about state enforcement: $1.4 billion, structured as $500 million up front and $225 million annually through 2028, with a path for Meta to seek the Attorney General's pre-approval for future biometric activities. The arithmetic that produced it was simple and chilling: a $25,000-per-violation cap, multiplied across a decade of allegedly unauthorized captures affecting millions of Texans, generates exposure no one had associated with a statute that lacks a private right of action. The state, it turned out, could be the most dangerous plaintiff of all.
Washington and the "enrolled" trigger
Washington's biometric statute (RCW §§ 19.375.010–.040), enacted in 2017, takes a different and instructive tack. It regulates biometric identifiers that have been "enrolled"—captured, converted into a reference template that cannot be reconstructed into the original image, and stored in a database that matches the identifier to a specific individual—for a commercial purpose. Before enrolling an identifier for a commercial purpose, a covered entity must do one of three things: provide notice, obtain consent, or provide a mechanism to prevent the later commercial use of the identifier (RCW § 19.375.020(1)). Like Texas, Washington requires no writing and has no private right of action; the Attorney General enforces it under the state Consumer Protection Act, whose penalty structure can create substantial monetary exposure.
Washington's design carries two lessons worth importing into any compliance program. First, it pegs "commercial purpose" to the sale or disclosure of an identifier to a third party for marketing unrelated to the original transaction—a narrower trigger than BIPA's. Second, it carves out a meaningful security-purpose exemption: notice and consent are not required to enroll an identifier used to prevent shoplifting, fraud, or theft, or to protect the security or integrity of software, accounts, and online services (RCW §§ 19.375.010(8), .020(7)). A retailer using face-matching purely to flag known shoplifters may sit outside the consent requirement in Washington while being squarely inside BIPA in Illinois—a vivid reminder that the same product can face opposite obligations one state line apart.
The comprehensive privacy laws and the local ordinances
Beyond these three dedicated statutes, the wave of comprehensive consumer-privacy laws has folded biometric data into a broader regime. California's CCPA (as amended by the CPRA), along with laws in Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas's own TDPSA, Delaware, New Jersey, and a growing list of others, classifies biometric data as "sensitive" personal information and generally requires opt-in consent before processing it, plus data-protection assessments and heightened security. Most of these laws are enforced by state attorneys general or dedicated agencies rather than by private plaintiffs, so they shift the enforcement model back toward regulators—but they extend biometric obligations into states that have no dedicated biometric statute at all. (For the California regime in particular and how it dovetails with European rules, the CCPA/CPRA's "sensitive personal information" category is the practical analog of the GDPR's special-category treatment discussed below.)
Local governments have entered the field with some of the sharpest edges. New York City requires commercial establishments that collect biometric identifier information from customers to post conspicuous notice and bars them from selling, leasing, or otherwise profiting from that data (N.Y.C. Admin. Code §§ 22-1201 to 22-1205), and—notably—it includes a limited private right of action. Portland, Oregon prohibits private entities from using facial recognition in places of public accommodation outright. Baltimore has enacted a facial-recognition moratorium of its own. These ordinances mean that a national rollout cannot stop at fifty state analyses; it has to descend to city limits.
The table below sketches how the principal U.S. regimes differ on the points that matter most.
| Regime | Written consent? | Private right of action? | Headline penalty | Enforcer |
|---|---|---|---|---|
| Illinois BIPA | Yes (written release) | Yes | $1,000 / $5,000 per person (post-2024 cap) | Private plaintiffs |
| Texas CUBI | Notice + consent (no writing specified) | No | Up to $25,000 per violation | Texas Attorney General |
| Washington (RCW 19.375) | Notice or consent or opt-out (no writing) | No | Consumer Protection Act remedies | Washington Attorney General |
| Comprehensive state laws (CCPA/CPRA, VCDPA, CPA, etc.) | Opt-in for sensitive data | Generally no (narrow in CA) | Per-violation civil penalties | State AGs / agencies |
| NYC biometric ordinance | Notice (no sale) | Yes (limited) | Statutory damages | Private plaintiffs / city |
For a company operating nationally, the practical consequence of this patchwork is counterintuitive but liberating: the safest and often cheapest course is to design to the single strictest applicable rule—BIPA's written-release-and-retention regime—and apply it everywhere, rather than building and maintaining fifty-one different consent flows. One compliant pipeline beats a brittle matrix of state-by-state exceptions.
The federal backstop: there is no federal biometric law, but the FTC is watching
It is tempting to think that because no comprehensive federal biometric statute exists, federal law is silent. It is not. Section 5 of the FTC Act (15 U.S.C. § 45) prohibits "unfair or deceptive acts or practices," and the Federal Trade Commission has used it as a backstop against biometric misconduct. The agency's 2021 enforcement against Everalbum, a photo-storage app, is the template: Everalbum had switched on facial recognition by default and used users' photos to develop its face-matching models, contrary to its own representations. The FTC's order required Everalbum not only to obtain express consent going forward but to delete the offending photos and the models and algorithms trained on them—an early and important recognition that an unlawfully trained model is itself tainted, a point Lumen will need to internalize. Several sector-specific federal statutes also touch biometrics at the edges: HIPAA governs biometric data used in healthcare, and the Genetic Information Nondiscrimination Act (GINA) restricts employers' acquisition of genetic information, which can include certain biometric-adjacent data. For a company, the message is that "no federal statute" does not mean "no federal exposure."
Europe: the GDPR and the EU AI Act
A company that touches European data—or, in Lumen's case, that trained on European faces—adds another, stricter layer. Europe regulates biometrics twice over: once through the omnibus data-protection regime of the GDPR, and again, specifically for AI systems, through the EU AI Act.
The GDPR's "special category" treatment
Under the EU General Data Protection Regulation (Regulation (EU) 2016/679), biometric data processed for the purpose of uniquely identifying a natural person is "special category" data under Article 9—the same tier as data revealing health, race, religion, or sexual orientation, and subject to the strongest protections in the framework. Processing special-category data is generally prohibited unless one of the specific conditions in Article 9(2) applies. For ordinary commercial uses, the only realistic basis is explicit consent, and the GDPR sets a demanding bar: consent must be freely given, specific, informed, and unambiguous, manifested by a clear affirmative act, and as easy to withdraw as it was to give.
The "freely given" requirement is where European biometrics quietly diverge from American ones, and it is a direct warning to Northwind's European cousin. Where there is a clear power imbalance between the controller and the data subject, consent may be invalid because the subject is not truly free to refuse. The paradigm case is the employer–employee relationship: a staff fingerprint clock that relies on employee "consent" may fail outright, because employees can rarely say no to their employer without consequence. European regulators have applied this with real teeth. A Swedish authority fined a school for using facial recognition to track student attendance, holding that parental consent was invalid given the imbalance between the school and the families. And France's CNIL fined Clearview AI €20 million for processing French residents' facial images with no valid legal basis at all—part of a coordinated European response that also produced enforcement actions and orders against Clearview from regulators in the United Kingdom, Italy, and Greece, with parallel proceedings in Australia.
The GDPR layers on further duties beyond a lawful basis: a data protection impact assessment before high-risk biometric processing; appropriate technical and organizational security; records of processing; honoring data-subject rights of access, erasure, and portability; and restrictions on transferring biometric data outside the European Economic Area without appropriate safeguards such as standard contractual clauses—an area we examine in depth in international data transfers after Schrems II. For an American developer that scraped or licensed European faces, the cross-border transfer rules alone can be a compliance project unto themselves.
The EU AI Act—and the 2026 Digital Omnibus that reshaped its timeline
The EU AI Act (Regulation (EU) 2024/1689) adds a second European layer aimed specifically at AI systems, and its treatment of biometrics is the strictest in the world. The Act sorts biometric AI into prohibited, high-risk, and limited-risk categories—and in late 2025 and 2026 its timeline shifted in ways every affected company needs to understand.
The Act's outright prohibitions took effect on 2 February 2025 and remain fully in force. Among other things, they forbid:
- building or expanding facial-recognition databases through untargeted scraping of faces from the internet or CCTV (the practice at the heart of the Clearview litigation);
- using emotion-recognition systems in workplaces or educational institutions, except for medical or safety reasons;
- deploying biometric categorization that infers sensitive attributes such as race, political opinions, religious beliefs, or sexual orientation; and
- operating real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, subject to narrow, judicially authorized exceptions.
Violations of the prohibitions can reach €35 million or 7% of global annual turnover, whichever is higher—the heaviest penalty tier in the Act. These prohibitions hit Lumen directly. Its plan to scrape faces from the open web to build a facial-recognition database is precisely what the Act bans, full stop, regardless of intended use, and no amount of downstream care cures an unlawfully assembled training set.
The Act's high-risk rules are where the timeline changed. High-risk biometric systems—remote identification in non-prohibited contexts, non-sensitive biometric categorization, permitted emotion recognition—must satisfy a demanding pre-market regime: risk management, data governance, technical documentation and logging, human oversight, transparency to users, and third-party or internal conformity assessment. Those obligations were originally scheduled to apply from 2 August 2026. But by late 2025, implementation had fallen behind, in large part because the harmonized technical standards that companies need in order to demonstrate compliance were not ready. In November 2025 the European Commission proposed a "Digital Omnibus on AI" to defer the high-risk deadlines, and after difficult negotiations the EU institutions reached a provisional agreement in May 2026 (confirmed by Member State representatives mid-month), expected to be formally adopted and published before the original August 2026 date.
Under that agreement, the high-risk obligations for stand-alone systems listed in Annex III—which include biometric identification and categorization—are deferred to 2 December 2027, and the obligations for AI embedded as a safety component in regulated products under Annex I are deferred to 2 August 2028. The same package adds a new Article 5 prohibition on AI systems that generate non-consensual intimate imagery ("nudifier" apps) and child sexual abuse material—subject to a safe harbor for systems with effective preventive safeguards—with compliance required by 2 December 2026, and it compresses the grace period for the Act's synthetic-content transparency obligations so that watermarking and disclosure duties bite from roughly the same date. Companies should treat the May 2026 agreement as the operative planning baseline while watching for formal adoption, and they should resist over-reading the delay: the prohibitions, including every biometric one, were never postponed, and several near-term transparency duties still arrive in 2026.
For Lumen, the upshot is a layered set of constraints that interact. A facial-recognition product sold into the EU must clear the GDPR's special-category requirements (a valid legal basis, safeguards, an impact assessment) and, once the high-risk obligations apply, the AI Act's conformity-assessment regime—while the scraping prohibition forbids the very data-collection shortcut that would have made the product cheap to build. The intersection of these regimes is genuinely intricate, and the broader question of how AI training data collides with multiple overlapping legal frameworks runs through our discussion of copyright claims against generative AI.
Three technologies, three risk profiles
The rules apply differently depending on what the biometric system actually does, and three technologies illustrate the range from heaviest litigation to harshest prohibition.
Facial recognition has drawn the most litigation, and its treatment splits along the verification/identification/analysis lines. One-to-one verification (does this live face match this stored template?) is the lowest-risk use; one-to-many identification (who is this unknown face?) is the highest; and facial analysis (inferring age, gender, or mood) occupies a contested middle. Under BIPA, the fights have centered on whether a given process creates a "scan of face geometry" capable of identifying a person—and, as Martell, Gullen, and Rivera show, not every analysis of a facial image qualifies. Under the EU AI Act, the same technology splits three ways: database-building by scraping is flatly prohibited, real-time public identification for law enforcement is prohibited except narrowly, and other remote-identification uses are high-risk. A single facial-recognition engine can therefore be a benign verification feature, a regulated high-risk system, and an outright prohibited capability depending entirely on how it is deployed.
Voice authentication is generating fast-growing litigation, especially in customer service, where retailers and banks create voiceprints to verify callers. Voiceprints are biometric identifiers under BIPA, and the courts have had to work out how the statute's financial-institution carve-out applies to voice-authentication vendors that serve banks (the contours of which were litigated in the Cisneros v. Nuance Communications line of cases). Voice raises a distinctive consent problem: the interaction happens over the phone, where obtaining a written release before capture is awkward at best, so companies must fold disclosure into the very start of the call and design consent flows that satisfy the statute without driving customers away. The proliferation of always-listening voice assistants, which continuously process audio to detect wake words, sharpens the problem of ongoing consent and is one of several reasons that cell-phone and camera privacy law has become its own field—see our companion piece, Smile: cell phone camera privacy and the law.
Emotion detection faces the harshest treatment of all, at least in Europe. The EU AI Act prohibits emotion-recognition systems in workplaces and schools, reflecting both deep scientific doubt about whether discrete emotions can be reliably inferred from biometric signals and acute concern about coercion in settings marked by power imbalance. Recital 44 of the Act notes that emotional expression varies widely across cultures and situations and even within a single person, undercutting any claim that a smile reliably means happiness. The prohibition reaches systems that infer emotions or intentions from biometric analysis but, importantly, not systems that merely detect an apparent physical state: a system that notes whether someone is smiling sits outside the ban, while one that concludes the person is "happy" from that smile sits inside it. That line will be devilish to draw in practice, and any company deploying affective computing in Europe should assume scrutiny and document carefully where its system stops.
Vendors, provenance, and the long reach of liability
The biometric ecosystem runs on vendor relationships—Northwind buys its cameras from Lumen, and Lumen buys datasets from somebody else—and liability follows the data well past the entity that physically collected it. Recall the collector/possessor distinction: under BIPA, liability can attach to anyone who collects, captures, purchases, receives through trade, or otherwise obtains biometric data, language broad enough to reach a company that acquires biometric data through a vendor without performing the collection itself. Courts have generally refused to let employers escape BIPA by outsourcing fingerprint timekeeping to a technology provider; the employer that benefits from the biometric system remains on the hook for ensuring proper notice and consent. So Northwind cannot wash its hands of compliance by pointing at the vendor that built its check-in camera, and a timekeeping vendor that holds the templates may itself be a possessor with its own retention, security, and disclosure duties.
The defense is contractual and operational. A company procuring biometric technology should insist on:
- representations and warranties of statutory compliance from the vendor;
- indemnification for claims arising from the vendor's conduct, backed by adequate insurance (and note that biometric claims have spawned a thorny coverage fight of their own—general-liability insurers routinely contest whether BIPA suits fall within "personal and advertising injury" coverage or are excluded as violations of statutes governing the collection of information, so the availability of insurance cannot be assumed);
- audit rights to verify the vendor's practices;
- detailed data-handling specifications covering collection, storage, security, and deletion; and
- a clear allocation of which party obtains consents and provides the required disclosures—the single most common gap in these contracts.
Equally important, and increasingly the crux of the matter, is data provenance: knowing where a vendor's training data came from. December 2024 joint guidance from the U.S. Department of Justice and Department of Homeland Security, though aimed at federal agencies procuring biometric technology, captured the emerging best practice with admirable bluntness: refuse to use AI models trained on biometric data captured unlawfully, require vendors to document the provenance of their training data, and verify that documentation rather than taking it on faith. For a developer like Lumen, provenance is the whole ballgame. A model trained on scraped faces is a liability that propagates to every customer who deploys it—which is exactly how Clearview's scraping metastasized into claims under multiple state laws and enforcement actions by regulators across two hemispheres. The same instinct that protects trade secrets during a security incident applies here with redoubled force; see our discussion of cybersecurity incident response and IP protection, because a biometric breach—unlike a stolen password—can never be remediated by changing a credential. When biometric data leaks, it is compromised forever.
The developer's dilemma: data hunger meets permanent identifiers
Everything above describes the rules that govern using biometric data. For an AI developer like Lumen, there is a prior and harder problem: the technology only works if it is trained on enormous quantities of the very data the law most jealously guards. A facial-recognition model that has seen ten thousand faces is a toy; one that has seen ten million is a product. That appetite for data is what repeatedly drags AI developers into legal trouble, and it is worth understanding why each tempting shortcut fails.
The cheapest way to assemble millions of faces or voices is to scrape them from the open internet—and it is precisely this shortcut that the law has moved most aggressively to close. Scraped data almost never comes with consent, which means a model trained on it is, under BIPA and the GDPR alike, built on unlawfully obtained material. That defect does not stay contained in the training set; it travels with the model into every deployment, as the Everalbum order's deletion-of-models remedy foreshadowed. The EU AI Act made the point categorical by prohibiting the creation or expansion of facial-recognition databases through untargeted scraping outright, regardless of intended use. The broader legal questions surrounding scraping—when it is lawful, when it breaches a site's terms of service, when it implicates computer-fraud statutes—are taken up in our analysis of data scraping after hiQ v. LinkedIn; for biometric data specifically, the additional consent overlay makes the scraping route the most dangerous of all.
Even lawfully collected biometric training data carries a distinctive and underappreciated technical risk: a trained model can sometimes be coaxed into leaking the very identifiers it learned from. Researchers have demonstrated model-inversion attacks that reconstruct approximations of training faces and membership-inference attacks that reveal whether a particular person's data was in the training set. For a biometric model, this is not an abstract security curiosity. It means the model itself may be a repository of the permanent identifiers the law protects—which bears directly on whether a company has truly "deleted" someone's biometric data when it deletes the source image but keeps the model trained on it. Regulators have not fully resolved the implications, but a cautious developer treats the model, not just the database, as something that holds protected data, and bakes that assumption into its retention and deletion design.
These pressures are pushing serious developers toward mitigations that reduce dependence on real, identifiable biometrics:
- Some train on synthetic faces and voices, generated to mimic the statistical properties of real ones without belonging to any actual person, sidestepping the consent problem at its root—though synthetic data raises its own questions about bias and fidelity, and a synthetic face that too closely resembles a real one can re-import the very problem it was meant to avoid.
- Others adopt on-device processing and federated learning, so that raw biometrics never leave the user's phone and only abstracted, aggregated model updates are shared—an architecture the GDPR and BIPA both reward, since data that never leaves the device is data the company never "possesses."
- Still others license carefully sourced, consent-backed datasets at a premium, treating clean provenance as a feature worth paying for rather than a cost to be minimized.
For Lumen, the strategic insight is that the apparent cheapness of scraped data is an illusion. The model built on it may be unmarketable in regulated jurisdictions and a litigation magnet everywhere else, while a more expensive, consent-backed foundation is the only one that survives contact with the law. The same lesson that governs the protection of one's own confidential code—that discipline at the input stage saves enormous trouble later—applies with full force to the data that trains biometric AI.
A practical compliance approach
Because biometric identifiers are permanent and the penalties are severe, compliance has to span the entire life of the data, not be bolted on at the end. The most effective programs share a recognizable shape, and it is worth walking through it in the order the data actually moves.
It begins before any data is collected, with an honest assessment: What biometric data will the system gather, and does it build identifying templates or merely process images? Which jurisdictions' laws apply, based on where the data subjects and the business sit? Does any exemption fit—Washington's security-purpose carve-out, BIPA's financial-institution exclusion, a sectoral HIPAA pathway? What legal basis supports the processing in each place? And, the question most often skipped, is the biometric approach even necessary, or would a less sensitive alternative—a PIN, a badge, a key fob—do the job? The strongest privacy posture is often the data you decided not to collect.
Next, build consent and disclosure to the strictest applicable standard. For the United States, that means BIPA's written notice and written release; for Europe, the GDPR's explicit, freely given, withdrawable consent—and, in employment settings, a sober recognition that "consent" may simply not be available, so an alternative legal basis or a non-biometric option must exist. One compliant flow, designed to BIPA-plus-GDPR, serves nearly everywhere. Treat electronic signatures as acceptable where, as under amended BIPA, the law now says they are.
Then, set retention and deletion timelines that match the statutes and automate them. BIPA's destroy-by-purpose-or-three-years rule is a sensible default even outside Illinois. Publish the retention policy (BIPA requires it), keep audit trails, and—this is where programs fail in practice—make sure deletion actually reaches backups, vendor systems, and, where feasible, the trained models, not just the primary database.
Protect biometric data with security calibrated to irreversibility. Encrypt templates, store them separately from identifying information, prefer on-device storage to a central honeypot, and treat a biometric breach as the worst-case scenario it is, because there is no remediation by reissuance.
Manage vendors through diligence, the contractual protections above, and ongoing monitoring—and demand training-data provenance documentation, not promises. Train the people who actually touch these systems, because a compliant policy defeated by an untrained front-desk clerk is no policy at all. And plan for incidents with the sober understanding that a biometric breach cannot be undone, so up-front notification and long-term monitoring matter more than usual.
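One way to implement the retention, separation and fan-out deletion steps above, as an added Python example that is not Northwind's, Lumen's or any vendor's code: the `BiometricStore` class, its token scheme and the sample subjects are hypothetical, and encryption of template bytes at rest is assumed to be handled by the storage layer beneath it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# 740 ILCS 14/15(a): destroy the identifier when the initial purpose for
# collecting it has been satisfied, or within 3 years of the individual's
# last interaction with the entity, whichever occurs first.
RETENTION_AFTER_LAST_INTERACTION = timedelta(days=3 * 365)
DAY = timedelta(days=1)
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class Enrollment:
    token: str                  # opaque handle; the only link to the template store
    enrolled_at: datetime
    last_interaction: datetime
    purpose: str
    purpose_satisfied: bool = False


class BiometricStore:
    """Hypothetical template store. Identity data and templates are kept
    apart and joined only by a random token; enrollment requires a written
    release on file; destruction fans out to every registered downstream
    holder (backups, vendor copies, model pipeline) and is audit-logged."""

    def __init__(self):
        self._identity = {}     # subject_id -> Enrollment   (PII side)
        self._templates = {}    # token -> template bytes    (no PII)
        self._released = set()  # subject_ids with a signed written release
        self._deleters = []     # callables invoked with the token on destroy
        self.audit = []         # append-only event log

    def record_written_release(self, subject_id, signed_release):
        # An electronic signature satisfies the written-release requirement
        # under the 2024 amendment; an unsigned notice does not.
        if not signed_release:
            raise ValueError("release must be signed")
        self._released.add(subject_id)
        self.audit.append(("release", subject_id))

    def enroll(self, subject_id, template, purpose, now):
        if subject_id not in self._released:
            self.audit.append(("refused", subject_id))
            raise PermissionError("written release required before first scan")
        token = secrets.token_hex(16)
        self._identity[subject_id] = Enrollment(token, now, now, purpose)
        self._templates[token] = bytes(template)
        self.audit.append(("enrolled", subject_id))
        return token

    def touch(self, subject_id, now):
        # Every verification is an interaction and restarts the 3-year clock.
        self._identity[subject_id].last_interaction = now

    def mark_purpose_satisfied(self, subject_id):
        self._identity[subject_id].purpose_satisfied = True

    def register_deleter(self, fn):
        self._deleters.append(fn)

    def destroy(self, subject_id, reason):
        enrollment = self._identity.pop(subject_id)
        self._templates.pop(enrollment.token, None)
        for fn in self._deleters:   # backups, vendor systems, model pipeline
            fn(enrollment.token)
        self.audit.append(("destroyed", subject_id, reason))

    def sweep(self, now):
        """Automated retention job; returns the subject_ids destroyed."""
        due = []
        for subject_id, e in list(self._identity.items()):
            if e.purpose_satisfied:
                due.append((subject_id, "purpose satisfied"))
            elif now - e.last_interaction >= RETENTION_AFTER_LAST_INTERACTION:
                due.append((subject_id, "3 years since last interaction"))
        for subject_id, reason in due:
            self.destroy(subject_id, reason)
        return [s for s, _ in due]

    def has_template(self, subject_id):
        e = self._identity.get(subject_id)
        return e is not None and e.token in self._templates
```

Scheduling `sweep` as a recurring job, and registering one deleter per downstream copy, is what turns the published retention policy into something that actually reaches backups and vendor systems.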
For Northwind, walking this path is the difference between a convenient check-in feature and a class action: written notice and release before the first scan, a published retention policy, prompt destruction, a vendor contract that allocates responsibility and insurance, and security that reflects the permanence of a faceprint. For Lumen, compliance begins even earlier—at the training-data stage—because a model built on unlawfully collected biometrics is defective at its foundation, and no amount of downstream diligence can repair it.
Where the law is heading
The trajectory is unmistakably toward more regulation, not less. State legislative activity shows no sign of slowing: New York has repeatedly weighed BIPA-style bills with private rights of action, Maryland and others have floated their own, and proposals surface every session, so that even failed bills signal sustained legislative appetite. Attorney-general enforcement is likely to intensify now that the Texas–Meta settlement has demonstrated that public enforcers can match or exceed private recoveries; Texas has pursued biometric-related claims against Google as well, and other states are watching. International convergence toward stricter rules appears likely, with the EU AI Act's biometric restrictions already shaping debates well beyond Europe and jurisdictions such as Brazil drawing openly on the European model. And AI governance generally will keep tightening around biometric applications, because the underlying data is sensitive, the potential for discriminatory and inaccurate outcomes is real and well-documented, and the political salience of facial recognition in particular is only growing. The companies that fare best will be those that treat biometric compliance not as a box to check after launch but as a design constraint baked into the product from the first whiteboard sketch—an approach that, as the scraping disputes in data scraping after hiQ v. LinkedIn and the platform-liability questions in social media law basics both show, is far cheaper than litigating the consequences of getting it wrong.
Conclusion
Biometric data privacy has become one of the most consequential domains in technology law, and the reason is the asymmetry we began with: a compromised face or voice cannot be reissued. The law has responded by treating the collection of biometric identifiers as something that must be disclosed and consented to in advance, and by attaching penalties—statutory damages in Illinois, nine- and ten-figure recoveries elsewhere—severe enough to make the rules impossible to ignore. The most recent developments cut in two directions at once: Illinois capped its most ruinous damages theory in 2024, while Europe both held its biometric prohibitions firm and, through the 2026 Digital Omnibus, granted companies more time to meet the AI Act's high-risk obligations. Neither development changes the core duty to obtain consent before the first scan.
For a deployer like Northwind, the path is well marked: collect biometric data only with proper notice and consent, retain it no longer than necessary, secure it as the irreplaceable thing it is, and hold vendors to the same standard. For a developer like Lumen, the obligation runs deeper—back to the provenance of the very data the technology is built on, and forward into the models that may themselves hold protected identifiers. In both cases, the companies that treat compliance as a feature of good engineering rather than a cost imposed from outside will be the ones still standing when the next settlement makes headlines.
For guidance on building a biometric-privacy compliance program tailored to your products and markets, contact our intellectual property and technology practice or our privacy team.
Frequently asked questions
Is a photograph "biometric data"? Not by itself. BIPA and the comparable statutes expressly exclude photographs. But run that photograph through software that extracts an identifying faceprint—a scan of face geometry capable of distinguishing the person—and the output is biometric data, even though the input was an ordinary picture (Monroy v. Shutterfly; Rivera v. Google). The line is the creation of an identifying template, not the medium of the source.
Do I really need written consent, or is a verbal okay enough? It depends on the state. Illinois BIPA requires a written release (electronic signatures now count, after the 2024 amendment). Texas CUBI and Washington's law require notice and consent but do not specify writing. Because national products rarely benefit from running different flows in different states, the safest design obtains a BIPA-grade written release everywhere.
Does the 2024 BIPA amendment mean my old collection is now legal? No. The amendment caps damages at one violation per person rather than per scan, and it confirms that electronic signatures satisfy the written-release requirement. It does not retroactively bless biometric collection that lacked the required notice and written release. And courts are split on whether the per-person cap even applies to pre-amendment conduct, so older collections may still face the larger, per-scan exposure.
We use a vendor's biometric technology—isn't compliance their problem? Largely no. BIPA reaches any private entity that collects, captures, receives, or otherwise obtains biometric data, and courts have refused to let companies escape liability by outsourcing collection. The deploying company typically remains responsible for notice and consent; the vendor may also be a "possessor" with its own duties. Allocate the obligations explicitly by contract, with indemnification and audit rights—and confirm the indemnity is backed by insurance that actually covers BIPA claims.
Can we train an AI model on faces scraped from the internet? This is the single riskiest thing a biometric developer can do. Scraped faces almost never carry consent, so a model trained on them is built on unlawfully obtained data under BIPA and the GDPR alike—and the EU AI Act prohibits building or expanding facial-recognition databases through untargeted scraping outright, regardless of intended use. The taint travels with the model into every deployment.
If I delete the source images, have I deleted the biometric data? Maybe not. Researchers have shown that trained models can leak approximations of their training faces (model inversion) or reveal who was in the training set (membership inference). A cautious developer treats the model itself as holding protected data and designs deletion and retention accordingly.
Does the GDPR let our European office use a fingerprint time clock? Be careful. Biometric data processed to identify a person is "special category" data under Article 9, generally prohibited absent explicit consent—and consent extracted from employees is often invalid because of the power imbalance between employer and employee. A Swedish school learned this when its facial-recognition attendance system was fined despite parental "consent." Plan for a non-biometric alternative.
Related articles
- Artificial intelligence: key legal issues — a comprehensive overview
- International data transfers after Schrems II: standard contractual clauses and transfer impact assessments
- Copyright infringement claims against generative AI: The New York Times, Getty, and what comes next
- Smile: cell phone camera privacy and the law
- The right of publicity meets digital doubles: deepfakes, AI avatars, and celebrity likeness
- Data scraping after hiQ v. LinkedIn: copyright, contract, and computer-fraud claims
- Cybersecurity incident response and IP protection: preventing trade secret loss during data breaches
- Social media law basics
- Section 230 reform and platform liability for user-generated IP infringement
Selected authorities
740 ILCS 14/1 et seq. (Illinois Biometric Information Privacy Act); Tex. Bus. & Com. Code § 503.001 (Texas CUBI); RCW §§ 19.375.010–.040 (Washington biometric law); N.Y.C. Admin. Code §§ 22-1201 to 22-1205; Regulation (EU) 2016/679 (GDPR), Art. 9; Regulation (EU) 2024/1689 (EU AI Act); Digital Omnibus on AI (provisional agreement, May 2026); 15 U.S.C. § 45 (FTC Act § 5). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186; Cothron v. White Castle System, Inc., 2023 IL 128004; Rivera v. Google Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017); Monroy v. Shutterfly, Inc., 2017 WL 4099846 (N.D. Ill. 2017); Gullen v. Facebook, Inc., 2018 WL 1609337 (N.D. Cal. 2018), aff'd, 772 F. App'x 481 (9th Cir. 2019); Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960 (N.D. Ill. 2020); People v. Ward, 215 Ill. 2d 317 (2005); Tims v. Black Horse Carriers, Inc. (Ill. App. / Ill. Sup. Ct., BIPA limitations); Martell v. X Corp. (N.D. Ill.); In re Clearview AI, Inc. Consumer Privacy Litigation (N.D. Ill.). Illinois Public Act 103-0769 (2024 BIPA amendment, S.B. 2979); State of Texas v. Meta Platforms, Inc. (settlement, July 2024); CNIL decision fining Clearview AI €20 million; In re Everalbum (FTC settlement, 2021); DOJ/DHS guidance on government use of biometric technology and AI (Dec. 2024).
This article is for general informational purposes only and does not constitute legal advice, nor does it create an attorney-client relationship. Biometric and AI privacy law is evolving quickly and varies by jurisdiction; the discussion here may not reflect the most recent developments. Consult qualified counsel about your specific circumstances before acting.