top of page
Powering-AI-Today-logo

Understanding BIPA Impacts: Current State Laws, Legislative Sentiment, and Future Projections

  • ematthiesen
  • 1 hour ago
  • 4 min read

Biometric privacy has become a critical issue as technology advances and companies increasingly collect biometric data such as fingerprints, facial recognition, and voiceprints. The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, remains the most influential law in this area. However, other states have introduced or passed their own laws and bills that affect biometric data collection and use. This post summarizes the current state laws and bills impacting BIPA, analyzes legislative sentiment, and offers a forecast on how state legislatures might proceed with pending bills.


Eye-level view of biometric fingerprint scanner on a security device
Biometric fingerprint scanner on security device

Overview of Existing State Laws Impacting BIPA


BIPA set a high standard for biometric privacy by requiring companies to obtain informed consent before collecting biometric data, establish data retention and destruction policies, and provide transparency about data use. It also allows individuals to sue for violations, which has led to significant litigation.


Illinois


Illinois remains the only state with a comprehensive biometric privacy law modeled on BIPA. It requires:


  • Written consent before biometric data collection

  • Publicly available retention and destruction policies

  • Prohibition on selling or profiting from biometric data

  • Private right of action for individuals


This law has driven many companies to change their biometric data practices nationwide.


Texas and Washington


Texas and Washington have biometric privacy laws that share some features with BIPA but are less stringent. For example:


  • Texas requires notice and consent but does not provide a private right of action.

  • Washington requires notice and limits data use but focuses more on government entities.


Other States with Emerging Legislation


Several states have introduced or passed bills that either mirror or expand on BIPA’s protections:


  • California: The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) include biometric data as a category of personal information but do not require explicit consent like BIPA.

  • New York: Proposed bills aim to regulate biometric data collection with consent requirements and data security measures.

  • Florida, Massachusetts, and New Jersey: These states have introduced bills that would require consent and impose data security standards but are still under consideration.


Key Differences Across States


  • Private Right of Action: Illinois allows individuals to sue for damages, which is rare elsewhere.

  • Scope of Data: Some states define biometric data narrowly (fingerprints, retina scans), others broadly (including voiceprints, gait).

  • Enforcement: Many states rely on regulatory agencies rather than private lawsuits.


Legislative Sentiment on Biometric Privacy


Legislators across the country recognize the growing importance of biometric privacy but differ on how to balance consumer protection with business interests.


Support for Stronger Protections


  • Privacy advocates and consumer groups push for laws similar to BIPA, emphasizing consent and transparency.

  • Some lawmakers see biometric data as highly sensitive and requiring strict safeguards.

  • States with active tech sectors, like California and New York, show momentum toward stronger biometric privacy rules.


Concerns About Litigation and Business Impact


  • Business groups warn that BIPA-style private rights of action lead to costly lawsuits and hinder innovation.

  • Some legislators prefer regulatory enforcement over private lawsuits to avoid excessive litigation.

  • There is debate about the scope of biometric data covered and the feasibility of compliance for small businesses.


Bipartisan Interest


  • Privacy protection has gained bipartisan attention, with some states proposing balanced bills that protect consumers while limiting litigation risks.

  • Lawmakers are also considering how biometric privacy fits within broader data privacy frameworks.


High angle view of state capitol building with legislative chambers
State capitol building with legislative chambers

Forecast of Legislative Action on Pending Biometric Privacy Bills


Several states have biometric privacy bills currently in committee or early stages. Based on legislative calendars, committee activity, and political climate, here is a forecast of how these bills might proceed.


California


  • Timeline: Bills related to biometric consent and data security are likely to be debated in the next 6 to 12 months.

  • Projection: Given California’s strong privacy stance, expect incremental strengthening of biometric provisions within the existing CCPA/CPRA framework rather than a standalone BIPA-style law.

  • Key Factors: Industry lobbying and public input will shape the final scope.


New York


  • Timeline: Bills introduced in the current session may see committee hearings within 3 to 6 months.

  • Projection: New York may pass a biometric privacy law with consent requirements and data security mandates but likely without a private right of action.

  • Key Factors: Growing public concern about facial recognition and biometric misuse is driving urgency.


Florida


  • Timeline: Bills are in early committee stages; floor votes could occur within 6 to 9 months.

  • Projection: Florida may adopt moderate biometric privacy rules focusing on notice and consent, with enforcement by state agencies.

  • Key Factors: Balancing business interests and consumer protection is a priority.


Massachusetts and New Jersey


  • Timeline: Both states have bills in committee; legislative sessions suggest possible action within 9 to 12 months.

  • Projection: These states may follow a cautious approach, adopting biometric privacy rules aligned with existing data protection laws.

  • Key Factors: Coordination with federal privacy developments may influence timing.


Practical Implications for Companies and Consumers


Companies operating in multiple states must navigate a patchwork of biometric privacy laws. Key steps include:


  • Reviewing Consent Practices: Ensure clear, written consent is obtained where required.

  • Updating Data Policies: Establish retention and destruction schedules for biometric data.

  • Monitoring Legislative Developments: Stay informed about pending bills and adjust compliance strategies accordingly.

  • Preparing for Litigation Risks: In Illinois and potentially other states, be ready for private lawsuits.


Consumers should:


  • Understand their rights under state laws.

  • Ask companies how biometric data is collected, used, and protected.

  • Advocate for stronger privacy protections through public comments and engagement.


Close-up view of biometric facial recognition device on a smartphone
Biometric facial recognition device on smartphone

Final Thoughts on Biometric Privacy Legislation


Biometric privacy laws are evolving rapidly as states respond to technological advances and public concerns. Illinois’ BIPA remains the gold standard, but other states are moving toward stronger protections with varying approaches to enforcement and scope. Legislative sentiment favors consumer privacy but also weighs the impact on businesses.


Comments

bottom of page