Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

Biometric Privacy Laws & Regulations Around the World

Author

Anas Baig

Product Marketing Manager at Securiti

Listen to the content

Biometric data privacy laws are enacted to govern the collection, analysis, and disclosure of a person’s biometric information, such as fingerprints, iris scans, or facial recognition scans. The laws are created to safeguard biometric data against potential abuse or breach and provide better transparency and control to individuals.

Illinois Biometric Information Privacy Act

Status

The Illinois Biometric Information Privacy Act (BIPA) was passed in 2008 to govern individuals’ biometric data collection, processing, and sharing. It came into effect on October 03, 2008.

Applicability

BIPA applies to private entities, including individuals, partnerships, associations, or other organized groups, that collect, process, analyze, and disclose the biometric information of individuals.

Data Subject Rights

BIPA does not define any provisions for this section.

Obligations of the Regulated Entities

Privacy Policy/Notice

A regulated entity must create and publicly share a written policy outlining a retention schedule. This policy should include guidelines for permanently deleting biometric identifiers and information either when the initial purpose is fulfilled or within three years of the individual's last interaction with the entity, whichever comes first. Unless a court issues a valid warrant or subpoena, the private entity must adhere to its retention schedule and destruction guidelines.

Consent

Written consent of the individuals must be obtained before the collection of biometric data. The request to consent must include an explanation of the purpose for which the data is collected and how it will be used and stored.

Sharing/Sale

The regulated entities are prohibited from selling, leasing, or making profits from the trade of individuals’ biometric data or identifiers unless the individual consents, that it is required by law, necessary to complete a transaction with the individual's consent or disclosed in response to a warrant.

Security Measures

Under BIPA, regulated entities must establish and enforce reasonable standards of care to protect data from disclosure. When storing, transmitting, and safeguarding biometric information, the data controller must treat it with at least the same standard of care with which it treats confidential and sensitive information.

Regulatory Authority

BIPA does not define any provisions for this section.

Penalties for Non-Compliance

Individuals may recover liquidated damages of $1,000 against negligent violations or $5,000 for intentional violations or actual damages, whichever is greater, by exercising their private right of action along with the attorney fees and costs.

Texas's Capture or Use of Biometric Identifier Act

Status

Texas’s Capture or Use of Biometric Identifier (CUBI) Act was signed into law in 2009 and came into effect on April 01, 2009. The law focuses on governing controls for commercially capturing and using an individual’s biometric data.

Applicability

The CUBI Act applies to all organizations or entities that offer genetic testing products or services to individuals or collect, use, or analyze genetic data.

Data Subject Rights

The CUBI Act does not define any provisions for this section.

Obligations of the Regulated Entities

Privacy Policy/Notice

The direct-to-consumer genetic testing companies must maintain a prominent and publicly available privacy notice that should include information about the company’s policies related to data collection, use, access, transfer, disclosure, and deletion.

Consent

The CUBI Act prohibits entities from capturing or using an individual's biometric data unless written consent is obtained.

Sharing/Sale

A company is not allowed to sell, lease, or disclose to third parties any biometric data unless it is required in case of death or disappearance for completion of a financial transaction, it is allowed by the federal statute, or the disclosure is made to a law enforcement agency in response to a warrant.

Security Measures

A company must take "reasonable care" when storing, transmitting, and protecting biometric information. Additionally, it must ensure that the method it uses to secure biometric data is the same as, or greater than, the way in which it stores, transmits, and protects other kinds of personal data.

Regulatory Authority

The Attorney General of Texas is solely responsible for enforcing this law.

Penalties for Non-Compliance

Any individual found to be violating any sections of this law will be fined no more than $25,000 for each violation.

Washington State's Biometric Privacy Protection Act

Status

Washington’s Biometric Privacy Protection Act was signed into law on May 16, 2017, and took effect on July 23, 2017.

Applicability

The law applies to all individuals and private entities and individuals who collect, capture, or enroll biometric identifiers and information of an individual for commercial purposes. The law exempts persons who collect, capture, enroll in, or store biometric identifiers for security purposes.

Data Subject Rights

The law does not define any provisions for this section.

Obligations of the Regulated Entities

Privacy Policy/Notice

A clear and readily available privacy notice must be provided, communicating the entity’s biometric data collection, use, and disclosure practices to individuals.

Consent

The law prohibits entities from the collection of biometric data of an individual unless written consent is obtained. The organization must also provide a mechanism to prevent subsequent use of biometric identifiers for commercial purposes.

Sharing/Sale

Entities may not sell, lease, or otherwise disclose an individual's biometric data without consent unless it is:

  • Necessary to provide a product or service requested by the individual.
  • Consistent with the demands of the biometric law.
  • Made to respond or participate in the judicial process.
  • Made to get ready for litigation.
  • Made to third parties who contractually promise that the biometric information will not be disclosed further or be enrolled in a database for commercial purposes that are not consistent with the law.
  • Specifically authorized or required by a federal or state statute or by a court order.
  • Necessary to administer, effect, complete, or enforce a financial transaction initiated, authorized, or requested by the individual and where the recipient keeps the confidentiality of the biometric identifier and does not disclose it further.
Security Measures

Proper safeguards must be maintained to protect individuals' collected or enrolled biometric data. The entity must ensure that they retain biometric information for no longer than they must comply with the law, protect against criminal activity, liability, security threats, fraud, or supply the service for which the biometric identifier was enrolled.

Regulatory Authority

The Attorney General of Washington is responsible for enforcing the law.

Penalties for Non-Compliance

The law does not define any provisions for this section.

Compliance with applicable global data privacy laws is obligatory for businesses.
Failure to comply can result in huge loss such as consumer trust, class-action lawsuits, and hefty fines.
orange hammer icon
Is your organization ready to comply with the existing as well as upcoming data privacy laws?

Watch the demo to see how Securiti is helping organizations with global privacy regulatory compliance.

Watch the demo

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View
Spotlight 21:30

Companies Cannot Grow If CISOs Don’t Allow Experimentation

Watch Now View
Spotlight 2:48

Unlocking Gen AI For Enterprise With Rehan Jalil

Rehan Jalil
Watch Now View
Spotlight 13:35

The Better Organized We’re from the Beginning, the Easier it is to Use Data

Watch Now View
Spotlight 13:11

Securing GenAI: From SaaS Copilots to Enterprise Applications

Rehan Jalil
Watch Now View
Spotlight 47:02

Navigating Emerging Technologies: AI for Security/Security for AI

Rehan Jalil
Watch Now View

Latest

View More

Accelerating Safe Enterprise AI with Gencore Sync & Databricks

We are delighted to announce new capabilities in Gencore AI to support Databricks' Mosaic AI and Delta Tables! This support enables organizations to selectively...

View More

Building Safe, Enterprise-grade AI with Securiti’s Gencore AI and NVIDIA NIM

Businesses are rapidly adopting generative AI (GenAI) to boost efficiency, productivity, innovation, customer service, and growth. However, IT & AI executives—particularly in highly regulated...

Key Differences from DLP & CNAPP View More

Why DSPM is Critical: Key Differences from DLP & CNAPP

Learn about the critical differences between DSPM vs DLP vs CNAPP and why a unified, data-centric approach is an optimal solution for robust data...

DSPM Trends View More

DSPM in 2025: Key Trends Transforming Data Security

DSPM trends in 2025 provides a quick glance at the challenges, risks, and best practices that can help security leaders evolve their data security...

The Future of Privacy View More

The Future of Privacy: Top Emerging Privacy Trends in 2025

Download the whitepaper to gain insights into the top emerging privacy trends in 2025. Analyze trends and embed necessary measures to stay ahead.

View More

Personalization vs. Privacy: Data Privacy Challenges in Retail

Download the whitepaper to learn about the regulatory landscape and enforcement actions in the retail industry, data privacy challenges, practical recommendations, and how Securiti...

Nigeria's DPA View More

Navigating Nigeria’s DPA: A Step-by-Step Compliance Roadmap

Download the infographic to learn how Nigeria's Data Protection Act (DPA) mapping impacts your organization and compliance strategy.

Decoding Data Retention Requirements Across US State Privacy Laws View More

Decoding Data Retention Requirements Across US State Privacy Laws

Download the infographic to explore data retention requirements across US state privacy laws. Understand key retention requirements and noncompliance penalties.

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New