Biometrics law in the USA

In our last post, we discussed the state of biometric data from the GDPR’s perspective along with some prominent cases in the EU. This post will focus on the regulatory landscape around biometric data in the US.

The USA does not have a single, comprehensive federal law regulating the collection and usage of biometric data. However, some states do have biometric privacy laws in force, and others have laws proposed, that place obligations on how organizations collect and use biometric data.


The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enforced by the Office for Civil Rights (OCR). It is specifically designed to ensure medical data privacy and protection, and it regulates the use, sharing, and disclosure of Protected Health Information (PHI) by covered entities; biometric data is one category of PHI. Because biometrics fall under the category of PHI, HIPAA requires covered entities to ensure adequate technical, administrative, and physical safeguards are in place to protect the confidentiality, integrity, and availability of the data. HIPAA does not provide for a private cause of action brought by individuals.


Illinois became the first state in the US to set forth a biometric data privacy law—Biometric Information Pri