American companies are collecting facial recognition data, fingerprints, voice prints, and other biometric identifiers from consumers at an unprecedented scale through airports, retail stores, banking apps, and workplace access systems. Unlike Europe, which restricts biometric data collection under GDPR, the United States has no federal law specifically governing biometric data. Only Illinois, Texas, Washington, and a handful of other states have enacted biometric privacy legislation.
The absence of federal regulation has enabled business practices that privacy advocates argue would be prohibited under any reasonable framework. Several companies have built facial recognition profiles from public social media photos without individual consent and sold access to these databases to law enforcement agencies at rates well below what formal contracts would require. The Illinois Biometric Information Privacy Act has produced the largest privacy litigation verdicts in US history as plaintiffs test the statute's private right of action.
