Protecting our Digital Fingerprints: The Need for Biometrics Regulation
Every time I pick up my phone, it’s already unlocked; my facial scan ran instantaneously. I no longer associate opening my laptop with “logging in”—my fingerprint suffices. Before even finishing the word “Alexa,” the device has matched my voice to an ID. From our personal devices to security cameras, biometrics have become ubiquitous in our everyday lives. Yet even as their usage has rapidly expanded across the globe, the United States has fallen behind when it comes to properly regulating biometrics. The Federal Trade Commission (FTC) has previously brought cases against companies using biometric data, most notably Everalbum, but these cases hinged on the companies’ deceptive advertising practices, not on biometrics themselves. Last year the FTC released a policy statement indicating that it may soon impose requirements on the handling of biometric data, including security safeguards for the data (by collectors and third parties alike), consent and notice before collection, and prompt responses to data compromises. These proposed changes, and others not included in the statement, are long overdue.
The Security Concerns
Biometric data (fingerprints, iris scans, facial scans, hand geometry, voice recognition, gait recognition (walking pattern), screen pressure, and many more identifiers) is used to verify your actual identity. Largely for security reasons, biometrics are Americans’ most-preferred sign-in method. However, biometrics come with some inherent risks. Unlike passwords and other authentication methods, biometrics are far more personal and can be used for secondary demographic and location tracking. Additionally, unlike a password, a fingerprint or facial structure is incredibly difficult to change should it be leaked. And whereas it is recommended that a different strong password be used for every website, there is a far smaller selection of options for biometric data. As such, if biometric data is stolen or breached from just one website, every other site where that same biometric data is used may now also be compromised. And as banks, hospitals, and other everyday institutions begin to adopt biometrics at a larger scale, this poses a growing threat for Americans.
Of course, there are ways to mitigate these risks. Ensuring the data is encrypted, keeping it out of untrustworthy third parties’ hands, and deleting biometric data after a set period of time are all good provisions. Unfortunately, said provisions do not exist across the US, even as they do in other parts of the world (South Africa, Australia, and the European Union, to name a few). Similar provisions also exist to a degree within the United States government. In 2019, the US Customs and Border Patrol (CBP) had 200,000 images of various border-crossers and their license plates compromised due to a lack of regulation and good practice surrounding the handling of biometrics. An audit found that this was the result of the CBP’s federal subcontractor (a third party) mishandling the data, leaving it unencrypted, and failing to notify the CBP in a timely manner. Because of this breach, the Department of Homeland Security—which oversees the CBP—now has internal rules regarding facial recognition; however, this has not resulted in comparable federal legislation. For other types of sensitive data, proper encryption and notification of breaches are standard practice or enforced by law. Given that biometric data is normally given the highest level of protection when it is regulated (because of the intimacy of the data), it follows that we should at the very least apply the same security measures to this data as we do to other sensitive data.
The Regulations
Unfortunately, such regulations exist only sparsely within the United States. Biometric data is included in state-level consumer protection laws in Virginia, Colorado (effective 2025), Connecticut, Utah, and California. These protections range from requiring consent before use and declaring biometric data sensitive to a narrow private right of action. Additionally, three states—Texas, Washington, and Illinois—have passed legislation specifically on biometrics, the most comprehensive being Illinois’ Biometric Information Privacy Act (BIPA). BIPA is the only state-level legislation that applies to biometrics outside of commercial usage, and it has by far the most stringent protections. For instance, the sale of biometric data to third parties is completely disallowed. Only Illinois, Colorado, and Texas set a period after which biometric data must be destroyed—one year in Texas, two in Colorado, and three in Illinois—on top of requiring that the data be disposed of immediately after its initial purpose has been fulfilled.
All of these bills have holes, whether in how they define biometric data or in the scope of regulation. For instance, Illinois doesn’t include many behavioral biometrics (such as gait recognition and screen pressure) in BIPA, and no state has data minimization requirements like those in the EU. Whereas the private right of action—the ability of a citizen to sue a business for violating a law—exists in every state for other types of data, only California and Illinois include this right for biometric data, and it is used extensively only in the latter. It’s also important to keep in mind that only eight states explicitly regulate biometric data; there are exceedingly few limits in the majority of the United States. The inherent security risks of biometrics necessitate laws that establish proper collection and protection practices. By and large, those laws do not exist—but when your digital fingerprint is your literal fingerprint, it’s essential that these guidelines be established.