Biometric Data Protection: Why Iris and Face Scans Are a Regulatory Minefield

A fingerprint stolen in a breach can’t be reissued. Neither can an iris pattern, a faceprint, or the geometry of a palm. That single fact — that biometric identifiers are permanent in a way passwords and credit card numbers never were — is what turns face and iris data into the most legally radioactive class of personal information a company can hold. In 2025 alone, more than 100 class actions were filed under Illinois’ biometric privacy law, a Thai regulator ordered the deletion of iris scans collected from 1.2 million citizens, and the EU’s first wave of AI Act prohibitions — including bans on untargeted face scraping and most workplace emotion recognition — became enforceable. The compliance picture is no longer ambiguous; it’s just fragmented and unforgiving.

This article maps the actual rules security and privacy teams have to operate under in 2026: which laws apply where, which biometric modalities they cover, where the litigation is concentrated, and which engineering decisions determine whether a deployment is defensible or destined to become a trial exhibit. Iris and face scans get the heaviest scrutiny because they can be captured at distance and without consent — but the frameworks below treat fingerprints, voiceprints, hand and retina geometry, and behavioral biometrics like gait and keystroke dynamics as part of the same regulated set.

What Counts as Biometric Data Under the Law

The threshold question — is this data even regulated? — has stopped having a single answer. Each major framework draws the line differently.

Under the EU GDPR, biometric data is a defined category in Article 4(14): information from technical processing of physical, physiological, or behavioral characteristics that allows or confirms unique identification. When used to uniquely identify someone, it becomes Article 9 “special category” data, requiring an explicit lawful basis like specific consent. The EU AI Act, in force since August 2024, layers a second framework on top: it adds definitions for biometric verification, biometric categorization, emotion recognition, and remote biometric identification (RBI), and classifies systems by risk rather than by the data they process.

Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008 and still the most consequential U.S. statute by any measure, defines a “biometric identifier” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, explicitly excluding photographs. Texas’s Capture or Use of Biometric Identifier Act (CUBI) and Washington’s HB 1493 use similar lists with their own carve-outs. Colorado’s amended Privacy Act, effective July 1, 2025, takes a broader approach: any data generated by technological processing of biological, physical, or behavioral characteristics that can uniquely identify someone — fingerprints, voiceprints, retina or iris scans, facial maps — counts.

The U.S. Federal Trade Commission’s 2023 policy statement defines biometric information even more broadly: depictions, images, descriptions, or recordings (and related derivative data) of an individual’s faceprints, finger- and handprints, iris or retina scans, genetic data, and behavioral data that could identify an individual, such as walking gait and typing patterns.

The practical consequence: a face geometry template generated from a photograph might be regulated under Colorado’s law and the FTC’s enforcement view but fall outside BIPA’s literal text — a distinction Meta successfully exploited in the Ninth Circuit’s Zellmer ruling, where the court concluded “face signatures” do not qualify as “biometric identifiers” under the statute’s narrow definition. The takeaway for compliance teams isn’t to find the loosest definition; it’s to assume the broadest one applies, because at least one of the regimes you operate under almost certainly uses it.

Comparative Definitions: What “biometric data” means in each framework

GDPR (EU): Personal data from technical processing that permits unique identification. Becomes Art. 9 special category data when used to identify.
EU AI Act: Adds verification, categorization, emotion recognition, and remote ID as separate regulated functions. Risk-classified, not data-classified.
Illinois BIPA: A closed list of retina/iris scan, fingerprint, voiceprint, and scan of hand or face geometry. Excludes photographs.
Colorado CPA (2025): Any data from processing of biological/physical/behavioral characteristics that can uniquely identify. Facial maps included.
FTC Policy (2023): Broadest U.S. definition: faceprints, hand/fingerprints, iris/retina, genetic, plus gait and typing patterns. Derivative data included.
Texas CUBI: Retina/iris scans, fingerprints, voiceprints, hand or face geometry. AG-only enforcement; no private right of action.

Why Illinois Is the Center of Biometric Litigation

BIPA’s distinguishing feature isn’t its definitions; it’s the private right of action. An individual whose biometric data is collected without written notice, written consent, and a published retention schedule can sue, with statutory damages of $1,000 for each negligent BIPA violation and $5,000 for each intentional or reckless violation, plus attorneys’ fees. No proof of actual harm is required — the Illinois Supreme Court’s 2019 Rosenbach decision settled that.

That structure produced a litigation gold rush. In 2025 alone, over 107 new BIPA class action lawsuits were filed in Illinois, resulting in landmark settlements such as Clearview AI ($51.75 million), Speedway ($12.1 million), and Viakable ($417,000). Cumulative filings since 2019 have crossed 1,500. The biggest payouts have come from face data: Facebook’s $650 million settlement in 2020 over photo-tagging, Google’s $100 million 2022 settlement over Google Photos face grouping, and Meta’s $68.5 million 2023 settlement covering Instagram users between August 2015 and August 2023.

The 2023 Illinois Supreme Court decision in Cothron v. White Castle briefly threatened companies with per-scan accrual — every fingerprint clock-in could be a separate violation. Lawmakers responded in August 2024 with SB 2979, which limits a worker to recovering for the initial violation rather than every subsequent scan, and accepts electronic signatures as valid consent. Litigation didn’t slow. It just shifted: the 2025 wave focuses on consent failures at the point of first collection rather than running totals.

Texas’s CUBI has produced fewer but larger outcomes because only the Attorney General can sue. Meta paid $1.4 billion to Texas in 2024 under CUBI — the largest biometric privacy payout to date — over the same photo-tagging conduct underlying the Illinois case.

The EU’s Two-Layer Framework: GDPR Plus AI Act

European compliance now requires reading two regulations in parallel. The GDPR governs the data; the AI Act governs the system that uses the data. They overlap but don’t merge.

The first AI Act prohibitions took effect February 2, 2025. The most relevant for biometrics:

  • Real-time remote biometric identification in publicly accessible spaces by law enforcement is banned, with narrow exceptions for serious crimes that require prior judicial or independent administrative authorization and a fundamental rights impact assessment.
  • Untargeted scraping of facial images from the internet or CCTV to build recognition databases is prohibited outright — a direct response to the Clearview AI model.
  • Emotion recognition in workplaces and educational institutions is prohibited.
  • Biometric categorization that infers race, political opinions, religion, sexual orientation, or trade union membership is prohibited.

Beyond these bans, the AI Act tags most other biometric uses as high-risk. That covers post-event remote biometric identification, biometric categorization based on non-sensitive traits, emotion recognition outside workplace and education contexts, and any AI-driven biometric system used in employment, critical infrastructure, education, or border control. High-risk obligations — conformity assessments, registration in the EU database, risk management, data governance, human oversight — become enforceable August 2026.

The crucial distinction the AI Act draws is between identification (one-to-many matching against a database) and verification (one-to-one confirmation a person is who they claim). Verification — unlocking a phone, opening a turnstile with a registered fingerprint — sits largely outside the prohibitions. Identification, especially at distance and without active user participation, is what triggers the strictest controls.

GDPR keeps doing its own job underneath all of this. Biometric data used to uniquely identify is special category data under Article 9, requiring explicit consent or another narrow legal basis. Member states can — and many do — add stricter national rules. France’s CNIL, Italy’s Garante, and Germany’s federal and state DPAs have all taken enforcement action against biometric deployments that would never have surfaced under the AI Act alone.

EU AI Act Biometric Risk Tiers: From banned to permitted, by purpose

Prohibited (from Feb 2, 2025): Real-time RBI in public spaces by law enforcement (narrow exceptions); untargeted face scraping; workplace and education emotion recognition; biometric categorization inferring race, religion, political views, or sexual orientation.
High risk (from Aug 2, 2026): Post-event RBI; biometric categorization for non-sensitive traits; emotion recognition outside workplace/education; biometrics in hiring, credit scoring, education access, critical infrastructure, and border control. Conformity assessments and EU database registration required.
Limited risk (from Aug 2, 2026): Permitted biometric categorization and emotion recognition uses must disclose to affected individuals. Transparency obligations only.
Verification (outside scope): One-to-one biometric verification with active user participation — phone unlock, building access — sits outside the RBI prohibitions. Still subject to GDPR Art. 9.

What Iris and Face Modalities Make Worse

The legal framework treats all listed modalities as biometric identifiers, but iris and face data create distinct technical and operational problems that fingerprints and voiceprints don’t.

Capture without contact and often without awareness. A fingerprint reader requires a finger on the sensor. An iris scanner — the World project’s Orb being the most visible example — needs cooperation, but a mid-range face recognition camera does not. The whole category of “remote biometric identification” exists because face capture works at distance, in real time, against people walking past. That’s the property the EU AI Act prohibits in public spaces, and it’s the property that makes face data uniquely useful for surveillance and uniquely dangerous for civil liberties.

Linkability across systems. Iris and face templates can be regenerated from raw imagery that already exists in driver’s license databases, social media archives, building access logs, and CCTV. Clearview AI’s business model — scraping public images at scale and selling matches to law enforcement — relied on the fact that face data lives wherever images live. The AI Act’s untargeted-scraping ban is targeted at exactly this practice.

No revocation path. A breached password is rotated; a breached iris template is permanent. This is why every serious biometric standard pushes toward storing derived templates rather than raw imagery, and why on-device matching (the iPhone Secure Enclave model, FIDO2 with platform authenticators) has become the privacy-preserving default. Once a template leaves the user’s device, the failure mode is unbounded.

Demographic accuracy gaps. NIST’s ongoing Face Recognition Vendor Test program has documented persistent — though narrowing — disparities in false match and false non-match rates across demographic groups. The CFPB’s Circular 2024-06, which states that the use of biometric information in employment decisions must adhere to the Fair Credit Reporting Act (FCRA), treats this as a discrimination question, not just an accuracy question. Multiple cities — including Portland, Oregon — have moved beyond regulating to banning face recognition in places of public accommodation entirely.

The Thai enforcement action against Tools for Humanity’s World project illustrates how these issues converge. The Personal Data Protection Committee determined that the company did not obtain sufficient consent to collect biometric data under Thailand’s legal requirements and ordered the deletion of iris data from 1.2 million people, alongside concerns about a scheme to hire people to scan their irises in exchange for coins. Consent obtained in exchange for cryptocurrency payment is consent regulators can and will unwind.

The U.S. State-by-State Patchwork

There is no federal biometric privacy statute. Compliance in the United States means simultaneously satisfying the strictest applicable state law — and the strictest is almost always Illinois.

Texas’s CUBI requires informed consent before capture, restricts sale and disclosure, and mandates destruction within a year after the collection purpose expires. Washington’s HB 1493 limits its scope to entities that enroll biometric identifiers — capture, convert to a non-reconstructable template, and store in a matching database — narrower than BIPA and CUBI. New York City’s Commercial Establishments Ordinance requires “clear and conspicuous signage” near all customer entrances in retail and entertainment venues that collect biometric data. New York Labor Law § 201-a forbids employers from making fingerprinting a condition of employment outside narrow exceptions.

The 2025 wave brought Colorado’s amended Privacy Act, Delaware’s and New Jersey’s comprehensive privacy laws — both classifying biometric data as sensitive and requiring explicit consent — and a queue of pending bills: Michigan’s S.B. 359, proposed in June 2025, would define biometric data as automatic measurements of biological characteristics including fingerprints, voiceprints, eye retinas, and irises; Massachusetts’ companion bills (H.D. 3523, S.D. 1455) would create $5,000 minimum statutory damages on the BIPA model; Missouri has proposed a Biometric Data Privacy Act (S.B. 554); and Pennsylvania’s H.B. 596 would mandate retail and entertainment signage.

Beyond state laws, two federal levers are active. The DOJ’s bulk data rule, finalized under Executive Order 14117, restricts transfers of bulk U.S. biometric data to “countries of concern” — citing risks of malicious cyber-enabled activities, targeted personal risks to U.S. persons (e.g., blackmail, coercion, intimidation), and misuse of data to develop and enhance AI capabilities and algorithms. The FTC’s biometric policy statement lays out the agency’s enforcement priorities: deceptive claims about accuracy, undisclosed collection, sale to third parties, and failure to assess foreseeable harms before deployment.

U.S. Enforcement Map, 2025–2026: Where biometric exposure is highest

Illinois (BIPA): Private right of action. $1k/$5k per violation. 1,500+ suits filed since 2019. Active class action engine.
Texas (CUBI): AG-only enforcement, but capable of $1.4B Meta-scale judgments. Consent plus 1-year retention cap.
Colorado (CPA, 2025): Effective July 2025. Written consent, retention/deletion policies. Applies to employees. AG enforcement.
Washington (RCW 19.375): Limited to “enrollment” (capture, convert, store). Narrower than BIPA. AG enforcement.
New York (NYC ordinance and Labor Law): Mandatory retail signage; employer fingerprinting heavily restricted. Schools cannot deploy face recognition.
Portland, OR (City Code 34.10): Outright ban on private-sector face recognition in places of public accommodation. Strictest U.S. rule.
Federal, FTC (2023 policy statement): Unfair/deceptive practice enforcement. Broad definition including gait and typing patterns. Active investigations.
Federal, DOJ (EO 14117 rule): Restricts bulk biometric transfers to countries of concern. License regime for otherwise-prohibited transactions.
Pending (MA, MI, MO, PA): BIPA-style bills with private rights of action. Massachusetts and Missouri include $5k statutory damages.

Engineering Decisions That Decide Compliance

The legal exposure isn’t determined by the policy team in isolation. It’s largely determined by architectural choices that get made — or skipped — long before deployment.

On-device versus server-side matching. A system that compares an iris or face template entirely on the user’s device, never transmits raw biometric data, and stores no central template database has the lowest exposure under every framework. FIDO2 platform authenticators implement this pattern; Apple’s Secure Enclave and Android’s StrongBox do too. Server-side matching, by contrast, creates the central template database that every regulator treats as the primary risk surface.

Templates versus raw imagery. Storing the original capture image — a photograph of a face, a high-resolution iris image — means storing data that can be re-processed by any future algorithm. Storing only a one-way template that cannot be reconstructed into the original image dramatically narrows breach impact, though it does not eliminate it: templates can still be matched against other templates derived from the same person.

Verification versus identification. Designing for one-to-one verification (confirming a claim) rather than one-to-many identification (searching a database) keeps the system on the permissible side of the EU AI Act’s RBI prohibition and avoids the most aggressive U.S. enforcement.

Retention scheduling. BIPA requires a written, publicly available retention and destruction schedule. Texas requires destruction within a year of purpose expiration. Colorado requires written deletion policies. The defensible practice is to define retention at the data-model level — every biometric record carries a created-at timestamp, a purpose tag, and a deletion trigger — and to instrument verifiable destruction.

Consent capture. Written, specific, informed consent before collection, separately retained, with the purpose clearly stated. A general terms-of-service checkbox does not satisfy BIPA. The 2024 BIPA amendment accepts electronic signatures, but the substantive consent requirements did not change.
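As an added example (not from the article) of the retention-scheduling and consent-capture points above: every template record carries a created-at timestamp, a purpose tag and a deletion trigger, enrolment is refused without a separately kept purpose-specific consent, and the sweep logs a digest so destruction is verifiable. Class names, field names and the one-year window after purpose expiry are assumptions for illustration.

```python
"""Added example (not from the article): retention and consent enforced at the data-model level.
Class names and the one-year window are illustrative assumptions, not any product's schema."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class TemplateRecord:
    record_id: str
    subject_id: str
    purpose: str                                   # purpose tag, e.g. "timeclock"; never a blanket purpose
    template: bytes                                # one-way template only; the raw image is never stored
    created_at: datetime
    purpose_expired_at: Optional[datetime] = None  # deletion trigger, set when the purpose ends


class TemplateStore:
    # One year after purpose expiry mirrors the Texas CUBI limit, assumed here to be the strictest window.
    RETENTION_AFTER_PURPOSE = timedelta(days=365)

    def __init__(self) -> None:
        # Consent is kept in its own table keyed by (subject, purpose), separate from the templates.
        self.consents: Dict[Tuple[str, str], datetime] = {}
        self.records: Dict[str, TemplateRecord] = {}
        self.destruction_log: List[dict] = []

    def record_consent(self, subject_id: str, purpose: str, signed_at: datetime) -> None:
        self.consents[(subject_id, purpose)] = signed_at  # time written or e-signed consent was given

    def enroll(self, record_id: str, subject_id: str, purpose: str,
               template: bytes, now: datetime) -> TemplateRecord:
        signed_at = self.consents.get((subject_id, purpose))
        # Consent must exist for exactly this subject and purpose, and must predate the capture.
        if signed_at is None or signed_at > now:
            raise PermissionError("no valid consent on file for this subject and purpose")
        rec = TemplateRecord(record_id, subject_id, purpose, template, now)
        self.records[record_id] = rec
        return rec

    def sweep(self, now: datetime) -> List[str]:
        destroyed = []  # ids destroyed in this run
        for rid, rec in list(self.records.items()):
            if rec.purpose_expired_at and rec.purpose_expired_at + self.RETENTION_AFTER_PURPOSE <= now:
                # Log a digest of the template, never the template itself, so destruction is verifiable.
                self.destruction_log.append({"record_id": rid, "destroyed_at": now.isoformat(),
                                             "template_sha256": hashlib.sha256(rec.template).hexdigest()})
                del self.records[rid]
                destroyed.append(rid)
        return destroyed


def demo() -> dict:
    # Walk one constructed record through refusal, enrolment, purpose expiry and destruction.
    t0 = datetime(2025, 7, 1, tzinfo=timezone.utc)
    store, refused = TemplateStore(), False
    try:
        store.enroll("r1", "s1", "timeclock", b"\x01\x02", t0)
    except PermissionError:
        refused = True                                            # no consent on file yet
    store.record_consent("s1", "timeclock", t0 - timedelta(days=1))
    store.enroll("r1", "s1", "timeclock", b"\x01\x02", t0)
    early = store.sweep(t0 + timedelta(days=400))                 # purpose still active: nothing destroyed
    store.records["r1"].purpose_expired_at = t0 + timedelta(days=30)
    late = store.sweep(t0 + timedelta(days=395))                  # 30 + 365 days: deadline reached
    return {"refused": refused, "early": early, "late": late,
            "remaining": len(store.records), "log": store.destruction_log}
```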

Vendor due diligence. Most BIPA defendants are not the company that built the algorithm — they’re the employer or business that deployed a vendor’s product. Contractual flow-down of consent, retention, and security obligations is non-optional.

Frequently Asked Questions

Does GDPR consider all biometric data special category data? No. Biometric data is special category data under Article 9 only when used to uniquely identify a person. A fingerprint stored as part of a personnel file isn’t automatically Article 9 data; a fingerprint template used to authenticate that person against a database is. The distinction matters because Article 9 narrows the available legal bases, with explicit consent as the most common.

Are face photos covered by BIPA? Photographs are explicitly excluded from BIPA’s definition of “biometric identifier,” but a “scan of face geometry” derived from a photograph is covered. The Ninth Circuit’s 2024 Zellmer ruling found that Meta’s “face signatures” did not meet the statutory definition, but this is a narrow result and other courts have reached different conclusions about other template formats.

Does the EU AI Act apply to companies outside the EU? Yes, when their AI systems are placed on the EU market or their outputs are used in the EU. A U.S. SaaS provider whose face recognition product is used by an EU customer is in scope as a provider, with the customer in scope as a deployer.

Can employees be required to use biometric clock-in systems? It depends on the jurisdiction. Illinois allows it with valid BIPA consent. New York Labor Law § 201-a effectively prohibits mandatory employer fingerprinting. Colorado now applies its consumer biometric requirements to employees, narrowing what employers can require. The conservative approach is to offer a non-biometric alternative.

What This Adds Up To

The hardest part of biometric compliance in 2026 isn’t reading any single regulation — it’s accepting that there is no unified scheme to read. A face recognition turnstile in a Chicago office building, a Berlin retail store, and an Austin warehouse is the same product subject to three substantially different rule sets, with overlapping definitions and non-overlapping enforcement mechanisms. The frameworks are converging on a few principles — explicit consent, retention limits, data minimization, on-device processing where possible, prohibitions on covert mass identification — but the convergence is slow and the gaps are where the lawsuits and fines live.

The defensible posture is to engineer for the strictest applicable rule and accept that the ceiling will keep moving. Treat every biometric template as data you can never let leak, because the user can never get a new face. The companies that have paid the largest settlements weren’t the ones with the worst security; they were the ones who treated face data like ordinary personal data. It isn’t, and the law has stopped pretending it is.
