June 19, 2023

Anonybit Team

Biometric Privacy Laws That Regulate Collection & Use Of Biometric Data


In the world of biometric authentication techniques, ensuring the security and protection of personal data is paramount. Imagine this: you’re at work or browsing online, and you come across a new app or service requesting access to your biometric data. You might be attracted by the convenience and speed of biometric authentication, but did you ever stop to consider who might have access to that data? This is where biometric privacy laws come into play, offering essential protection and regulation. If you want to navigate the complex landscape of biometric privacy laws and regulations, this blog is your guide.

Anonybit’s identity management platform can help you comply with biometric privacy laws, ensuring your biometric data is secure and protected as you explore biometric authentication techniques.

What are Biometrics and How Are They Used?


Biometrics refers to biological measurements, such as fingerprints, facial features, or iris scans, used to identify individuals. These unique identifiers are widely used for authentication. For instance, fingerprint or facial recognition can be used to access smartphones or smart gates at airports.


Biometrics are often used for authentication, where a person’s biometric data is compared to existing records. This one-to-one matching can involve fingerprint or facial recognition. Individuals provide their biometric data for future authentication, which is matched when needed. Depending on the modality, biometric authentication can also passively occur in the background without active participation from the individual.


In another scenario, biometric systems are used for identification in one-to-many systems. Unknown biometric data is compared against a database to potentially identify the individual. This is useful to prevent duplicates, synthetics, or blocked identities from reregistering an account.


What Is Biometric Data?


Now, let’s dive into the heart of biometric authentication techniques. Biometric data describes and classifies measurable human characteristics; the practice of measuring them is called biometrics. Biometric data is typically captured, stored, and processed in the form of data templates.

These templates are usually known as biometric templates. A biometric template (stored biometric features) is a set of inherent or acquired physical or behavioral characteristics used to recognize a person. To create a template, we usually need to convert a biometric sample to a binary representation, which is also known as a biometric feature vector.

Practical Applications of Biometric Data

Biometric data has practical applications beyond its technical aspects. It can be used for authentication, where you prove that you are who you say you are (for example, by providing a password or fingerprint).

It is also commonly used for identification, where you prove that someone else is who they say they are (for example, by comparing their fingerprint against your database of fingerprints). 
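The two matching modes described above, applied to stored templates, as an added example (not Anonybit's code or part of the original post). The 4-value feature vectors, the cosine-similarity comparison, and the 0.98 threshold are constructed assumptions chosen for illustration.

```python
import math

# Constructed enrollment database: user id -> template (feature vector).
# Real templates come from a feature extractor; these values are made up.
ENROLLED = {
    "alice": [0.90, 0.10, 0.30, 0.70],
    "bob":   [0.20, 0.80, 0.60, 0.10],
    "carol": [0.50, 0.50, 0.90, 0.20],
}
BLOCKLIST = {"bob"}   # identities barred from re-registering
THRESHOLD = 0.98      # assumed similarity cut-off; tuned per system in practice

def similarity(a, b):
    """Cosine similarity between two feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)

def verify(claimed_id, probe):
    """1:1 authentication: compare the probe only to the claimed user's template."""
    template = ENROLLED.get(claimed_id)
    return template is not None and similarity(template, probe) >= THRESHOLD

def identify(probe):
    """1:N identification: search every template, best match first."""
    scores = [(similarity(t, probe), uid) for uid, t in ENROLLED.items()]
    return [uid for s, uid in sorted(scores, reverse=True) if s >= THRESHOLD]

def screen_enrollment(new_id, probe):
    """Run 1:N before enrolling so duplicates and blocked identities are refused."""
    matches = identify(probe)
    if any(uid in BLOCKLIST for uid in matches):
        return "rejected: blocklisted"
    if matches:
        return "rejected: duplicate of " + matches[0]
    ENROLLED[new_id] = probe
    return "enrolled"
```

Note that 1:N screening needs read access to every stored template, which is why the storage and retention of templates carries more weight in that mode than in 1:1 verification.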

Two Modes of Biometric Data Collection

There are two main ways that biometric data is collected: passively and actively. When biometric data is collected passively, the subject does not have to do anything for their biometric information to be collected—it just happens because of some inherent property of the subject (like their voice or face). When biometric data is collected actively, there must be some interaction between the subject and the device that will collect this information (like a palm scanner).

Anonybit: Decentralized Biometrics for Enhanced Security and Privacy

At Anonybit, our decentralized biometrics system design helps companies prevent data breaches and account takeover fraud. With a decentralized biometrics solution, companies can enable passwordless login, wire verification, step-up authentication, and help desk authentication. We are on a mission to protect companies from data breaches, account takeovers, and synthetic identity fraud.

To achieve this goal, we offer security solutions such as:

  • Secure storage of biometrics and PII data
  • Support for the entire user lifecycle
  • 1:1 biometric authentication and 1:N biometric matching to prevent duplicates, synthetics, and blocklisted identities 

Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches, enable strong authentication to eliminate account takeovers, and enhance the user experience across the enterprise using Anonybit.

Book a free demo today to learn more about our integrated identity management platform.

Which State Biometric Privacy Laws Exist To Regulate The Use Of Biometric Data?


Biometric Privacy Laws Across States

Several state laws regulate biometric data and privacy. While the Illinois BIPA is one of the most widely recognized in the United States, with the threat of sizeable statutory damage awards “per violation,” other states have enacted laws governing the collection, storage, and use of biometric data.

Illinois Biometric Information Privacy Act (BIPA)

Illinois enacted the Biometric Information Privacy Act (BIPA) in 2008 to regulate the collection and use of biometric data. BIPA requires entities that collect or use biometric data to have policies and procedures to securely and transparently use this data. The law prohibits entities from selling or profiting from individuals’ biometric information. BIPA applies to private entities operating in Illinois, regardless of their headquarters or incorporation location.

It excludes state and local governments, their agents, and contractors from its provisions. The law defines biometric identifiers as fingerprints, voiceprints, iris scans, palm scans, or face geometry, excluding biological data collected for health or medical purposes. Violations of BIPA can result in statutory damages.

Texas Capture or Use of Biometric Identifier Act (CUBI)

Like BIPA, the Texas Capture or Use of Biometric Identifier Act (CUBI) regulates the capture and use of biometric identifiers for commercial purposes in Texas. CUBI prohibits capturing biometric identifiers without notice and consent and selling or disclosing biometric identifiers, and it requires data protection, confidentiality, and deletion within a reasonable timeframe. Violating CUBI can lead to civil penalties imposed by the Texas Attorney General.

Other Federal Laws That Regulate the Use Of Biometric Data


SCA Protects the Privacy of Stored Communications

The Stored Communications Act (SCA) was enacted as part of the Electronic Communications Privacy Act of 1986 (18 U.S.C. §§ 2701 to 2713). It’s intended to protect the privacy of electronic communications while in storage. One example would be emails held on a server or subscribers to email services. Violations of this law invite legal action. The act allows plaintiffs to sue for monetary damages, injunctions, and legal costs.

GLBA Protects Customer Information Privacy

The Gramm–Leach–Bliley Act (GLBA) of 1999 (15 U.S.C. §§ 6801-6809, §§ 6821-6827) governs how financial institutions handle customer data. It’s also known as the Financial Services Modernization Act. The GLBA changed how banks and other financial services could do business in many ways. For example, they could act as brokers for insurance products, which was forbidden before the GLBA.

HIPAA Protects the Privacy of Patient Health Information

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It was intended to improve health care coverage and delivery for Americans, but it’s now a regime of national standards for protecting patients’ private health data. That part of the act is the HIPAA Privacy Rule of 2002.

4 Prominent Biometrics Privacy Lawsuits

1. Six Flags Entertainment Corp

In 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. held that a plaintiff could be considered an “aggrieved person” under the statute and “be entitled to liquidated damages and injunctive relief” without alleging an actual injury. Then, in May 2020, the U.S. Court of Appeals for the Seventh Circuit in Bryant v. Compass Group USA, Inc. clarified that such a person had suffered an injury sufficient to support standing under BIPA Section 15(b). 

2. Patel v. Facebook

Also in 2020, the Facebook BIPA class action lawsuit Patel v. Facebook, Inc. reached a conclusion when Facebook agreed to a $650 million settlement, one of the largest consumer privacy settlements in U.S. history, to resolve claims it collected user biometric data without consent.

3. Rogers v. BNSF Railway Company

It was not until October 2022 that the first-ever jury verdict in a BIPA class action lawsuit was handed down in Rogers v. BNSF Railway Company. Although the defending company announced its plans to appeal the decision of the District Court for the Northern District of Illinois, the plaintiffs’ success at the trial level may further embolden individuals to pursue their own BIPA claims.

4. Cothron v. White Castle System, Inc.

In February 2023, the Illinois Supreme Court held in Cothron v. White Castle System, Inc. that a separate claim accrues under BIPA each time a private entity scans or transmits a person’s biometric identifier or information in violation of the law. The court also observed that BIPA damages are discretionary and not mandatory. Earlier the same month, the court ruled in Tims v. Black Horse Carriers, Inc. that a five-year limitations period applies to all claims arising under BIPA.


Best Practices For Businesses That Collect And Use Biometric Data


Obtaining Verifiable Consent

When collecting biometric data, it is crucial to inform individuals of the purpose and obtain their consent as proof that they were aware of and agreed to the data collection.

Providing Clear Statement of Purpose

Clearly communicate the reason for collecting biometric data to ensure transparency and maintain trust with individuals.

Limiting Use of Biometric Data

Restrict the use of biometric data only to the disclosed purpose to safeguard privacy and prevent misuse.

Storing Data for the Least Amount of Time

Minimize biometric data retention to reduce the risk of exposure and potential breaches.

Updating Privacy Policies and Terms of Use

Periodically review and update privacy policies and terms of use to include biometric data protection measures and ensure easy understanding.

Reviewing Cyber Liability Insurance Policies

Evaluate existing cyber liability insurance policies to confirm coverage for using and collecting biometric data, considering new laws and private actions.


Book A Free Demo To Learn More About Our Integrated Identity Management Platform

At Anonybit, we help companies prevent data breaches and account takeover fraud with our decentralized biometrics technology. With our decentralized biometrics framework, companies can enable passwordless login, wire verification, step-up authentication, help desk authentication and more. 

Comprehensive Security Solutions for Companies

We aim to protect companies as data breaches, account takeovers, and synthetic identity fraud are on the rise, alongside privacy regulations and digital transformation. To achieve this goal, we offer security solutions such as:

  • Secure storage of biometrics and PII data
  • Support for the entire user lifecycle
  • 1:1 authentication and 1:N matching for lookups and deduplication

Balancing Privacy and Security with Anonybit’s Integrated Platform

Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches, reduce account takeover fraud, and enhance the user experience across the enterprise using Anonybit. Book a free demo today to learn more about our integrated identity management platform.
