Biometric Privacy Laws by State: Face Scans & Fingerprints (2026)
Your face, fingerprints, and voiceprint are uniquely yours — but only a few states have a dedicated law protecting them. Here’s who does, and why Illinois’s law is the one companies fear.
Your fingerprints, face scan, and voiceprint are uniquely, permanently yours — you can't reset them like a password. Yet only a few states have a dedicated law protecting them. Here's who does, why Illinois's is the one companies actually fear, and where this is heading.
The short version
- Illinois, Texas, and Washington have standalone biometric privacy laws.
- Illinois's BIPA is the strictest — individuals can sue, driving big settlements.
- Many of the 20 comprehensive-privacy states also cover biometrics within those laws.
- Biometric data is uniquely sensitive: once leaked, it can't be changed.
What is biometric data?
Biometric data is information about your unique physical traits — fingerprints, facial geometry, iris scans, voiceprints, and hand geometry. It's used to unlock phones, clock in at work, and tag photos. What makes it uniquely sensitive is permanence: if a password leaks you change it, but you can't change your face or fingerprints.
Which states have a biometric law?
Three states have a dedicated biometric privacy statute:
States with a dedicated biometric privacy law
3 · June 2026
States with a standalone law governing biometric identifiers — fingerprints, face scans, voiceprints, and the like.
Illinois’s BIPA is the strictest — it lets individuals sue. Many of the 20 comprehensive-privacy states also regulate biometric data within those broader laws.
Beyond these, many of the 20 states with comprehensive privacy laws treat biometric data as a protected "sensitive" category within those broader laws — but a standalone biometric statute tends to be stronger and more specific.
Why Illinois's BIPA is the strictest
Illinois's Biometric Information Privacy Act (BIPA), passed in 2008, is the law companies watch most closely — for one reason: it gives individuals a private right of action. People can sue a company directly for collecting or storing their biometrics without proper consent.
That single feature has produced enormous class-action settlements (including nine-figure ones against major tech platforms) and made BIPA the de facto national standard for how companies handle biometric data, even outside Illinois.
How states rank on privacy
Biometric protection is one slice of the Fourth Amendment / privacy picture our index measures, alongside surveillance limits and recording laws:
- 1. Maine (ME): 9.5, A+
- 2. New Mexico (NM): 9.5, A+
- 3. Wisconsin (WI): 9.0, A+
- 4. Missouri (MO): 8.5, A
- 5. North Carolina (NC): 8.5, A
- 6. Maryland (MD): 8.5, A
- 7. Florida (FL): 6.5, B-
- 8. Colorado (CO): 6.5, B-
- 9. Connecticut (CT): 6.5, B-
- 10. Oregon (OR): 6.5, B-
The future of biometric privacy
Biometric privacy is one of the fastest-moving areas of state law. As facial recognition spreads — in retail, policing, and venues — more states are weighing BIPA-style protections, and the big fight is whether they'll include a private right of action (the feature that gives BIPA its teeth). Expect this short list to grow.
Frequently asked questions
What counts as biometric data?
Biometric data is information about your unique physical characteristics — fingerprints, face scans, iris scans, voiceprints, and hand geometry. Because you can’t change them like a password, their misuse is uniquely hard to undo.
Which states have a dedicated biometric privacy law?
Illinois (BIPA), Texas (CUBI), and Washington have standalone biometric privacy laws. Many of the 20 states with comprehensive consumer privacy laws also regulate biometric data within those broader statutes.
Why is Illinois’s BIPA so important?
Illinois’s Biometric Information Privacy Act is the strictest because it gives individuals a private right of action — they can sue companies directly for violations, which has produced large class-action settlements.
Are face-scan and fingerprint logins regulated?
In states with biometric laws, yes — companies generally must get informed consent before collecting biometric identifiers and must follow retention and security rules. Elsewhere, protection is thinner.
