Biometric Privacy Laws & Regulations Around the World

Biometric data privacy laws are enacted to govern the collection, analysis, and disclosure of a person’s biometric information, such as fingerprints, iris scans, or facial recognition scans. The laws are created to safeguard biometric data against potential abuse or breach and provide better transparency and control to individuals.

Illinois Biometric Information Privacy Act

Status

The Illinois Biometric Information Privacy Act (BIPA) was passed in 2008 to govern individuals’ biometric data collection, processing, and sharing. It came into effect on October 03, 2008.

Applicability

BIPA applies to private entities, including individuals, partnerships, associations, or other organized groups, that collect, process, analyze, and disclose the biometric information of individuals.

Data Subject Rights

BIPA does not define any provisions for this section.

Obligations of the Regulated Entities

Privacy Policy/Notice

A regulated entity must create and publicly share a written policy outlining a retention schedule. This policy should include guidelines for permanently deleting biometric identifiers and information either when the initial purpose is fulfilled or within three years of the individual's last interaction with the entity, whichever comes first. Unless a court issues a valid warrant or subpoena, the private entity must adhere to its retention schedule and destruction guidelines.

Consent

Written consent of the individuals must be obtained before the collection of biometric data. The request to consent must include an explanation of the purpose for which the data is collected and how it will be used and stored.

Sharing/Sale

The regulated entities are prohibited from selling, leasing, or making profits from the trade of individuals’ biometric data or identifiers unless the individual consents, that it is required by law, necessary to complete a transaction with the individual's consent or disclosed in response to a warrant.

Security Measures

Under BIPA, regulated entities must establish and enforce reasonable standards of care to protect data from disclosure. When storing, transmitting, and safeguarding biometric information, the data controller must treat it with at least the same standard of care with which it treats confidential and sensitive information.

Regulatory Authority

BIPA does not define any provisions for this section.

Penalties for Non-Compliance

Individuals may recover liquidated damages of $1,000 against negligent violations or $5,000 for intentional violations or actual damages, whichever is greater, by exercising their private right of action along with the attorney fees and costs.

Texas's Capture or Use of Biometric Identifier Act

Status

Texas’s Capture or Use of Biometric Identifier (CUBI) Act was signed into law in 2009 and came into effect on April 01, 2009. The law focuses on governing controls for commercially capturing and using an individual’s biometric data.

Applicability

The CUBI Act applies to all organizations or entities that offer genetic testing products or services to individuals or collect, use, or analyze genetic data.

Data Subject Rights

The CUBI Act does not define any provisions for this section.

Obligations of the Regulated Entities

Privacy Policy/Notice

The direct-to-consumer genetic testing companies must maintain a prominent and publicly available privacy notice that should include information about the company’s policies related to data collection, use, access, transfer, disclosure, and deletion.

Consent

The CUBI Act prohibits entities from capturing or using an individual's biometric data unless written consent is obtained.

Sharing/Sale

A company is not allowed to sell, lease, or disclose to third parties any biometric data unless it is required in case of death or disappearance for completion of a financial transaction, it is allowed by the federal statute, or the disclosure is made to a law enforcement agency in response to a warrant.

Security Measures

A company must take "reasonable care" when storing, transmitting, and protecting biometric information. Additionally, it must ensure that the method it uses to secure biometric data is the same as, or greater than, the way in which it stores, transmits, and protects other kinds of personal data.

Regulatory Authority

The Attorney General of Texas is solely responsible for enforcing this law.

Penalties for Non-Compliance

Any individual found to be violating any sections of this law will be fined no more than $25,000 for each violation.

Washington State's Biometric Privacy Protection Act

Status

Washington’s Biometric Privacy Protection Act was signed into law on May 16, 2017, and took effect on July 23, 2017.

Applicability

The law applies to all individuals and private entities and individuals who collect, capture, or enroll biometric identifiers and information of an individual for commercial purposes. The law exempts persons who collect, capture, enroll in, or store biometric identifiers for security purposes.

Data Subject Rights

The law does not define any provisions for this section.

Obligations of the Regulated Entities

Privacy Policy/Notice

A clear and readily available privacy notice must be provided, communicating the entity’s biometric data collection, use, and disclosure practices to individuals.

Consent

The law prohibits entities from the collection of biometric data of an individual unless written consent is obtained. The organization must also provide a mechanism to prevent subsequent use of biometric identifiers for commercial purposes.

Sharing/Sale

Entities may not sell, lease, or otherwise disclose an individual's biometric data without consent unless it is:

• Necessary to provide a product or service requested by the individual.
• Consistent with the demands of the biometric law.
• Made to respond or participate in the judicial process.
• Made to get ready for litigation.
• Made to third parties who contractually promise that the biometric information will not be disclosed further or be enrolled in a database for commercial purposes that are not consistent with the law.
• Specifically authorized or required by a federal or state statute or by a court order.
• Necessary to administer, effect, complete, or enforce a financial transaction initiated, authorized, or requested by the individual and where the recipient keeps the confidentiality of the biometric identifier and does not disclose it further.

Security Measures

Proper safeguards must be maintained to protect individuals' collected or enrolled biometric data. The entity must ensure that they retain biometric information for no longer than they must comply with the law, protect against criminal activity, liability, security threats, fraud, or supply the service for which the biometric identifier was enrolled.

Regulatory Authority

The Attorney General of Washington is responsible for enforcing the law.

Penalties for Non-Compliance

The law does not define any provisions for this section.