State Biometric and Facial Recognition Laws
The Illinois Biometric Information Privacy Act (BIPA) (2008, amended 2024) was the first U.S. biometric privacy law and has a private right of action, a 5-year statute of limitations, and per-violation damages of $1,000 / $5,000. Illinois v. Facebook produced a $650 million BIPA class settlement. By contrast, Texas (CUBI) and Washington have no private right of action; their biometric laws are enforced by the state AG, and in 2024 Texas obtained a $1.4 billion settlement from Meta, the largest ever obtained by a single state. Facial recognition laws restrict government and law-enforcement uses.
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008 and amended in 2024, was the first U.S. biometric privacy law. It has a private right of action, a 5-year statute of limitations, and significant per-violation damages of $1,000 / $5,000. The 2024 amendment limited damages accrual to rather than per scan.
In Illinois v. Facebook, a $650 million BIPA class settlement (2021) resolved claims over collecting face templates without consent (about 1.6 million users). Separately, in 2024 Texas obtained a $1.4 billion settlement from Meta over biometric data, the largest ever obtained by a single state.
BIPA has a private right of action. Texas (CUBI) and Washington also have biometric laws but no private right of action; they are enforced by the state attorney general. That is why the Texas-Meta matter was a state-obtained settlement rather than a class action.
Facial recognition laws target government and law-enforcement uses. New Hampshire (2014) barred facial recognition on driver's-license photos. Oregon, New Hampshire, California, Vermont, Virginia, and Massachusetts restrict law-enforcement use (body cameras, drones), and Maine, New York, Washington, and Maryland have limits too.