Biometric Privacy Litigation


Introduction

In the digital age, biometric data has become increasingly prevalent. From fingerprint scanners to facial recognition technology, biometric tools identify a person’s unique physical or behavioral characteristics and offer enhanced security and convenience. However, the collection and use of this type of data has raised significant privacy concerns, leading to a surge in biometric privacy litigation. This publication looks at current legislation, notable settlements, litigation trends, and best practices concerning biometric data privacy.

What is BIPA?

The Biometric Information Privacy Act (BIPA) [1] is a pioneering piece of legislation passed in Illinois in 2008. BIPA was the first law in the United States to regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric data. Under BIPA, biometric identifiers include retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.

Key provisions of BIPA include:

Companies must notify individuals in writing and obtain their consent before collecting their biometric data.

Disclosure

Companies must disclose the specific purpose and duration for which the data is being collected and stored.

Data Security

Companies must implement reasonable security measures to protect biometric data.

Private Right of Action

Individuals may sue companies for violations, with statutory damages ranging from $1,000 to $5,000 per violation.

States with the Toughest Privacy Laws

While Illinois’ BIPA is the most well-known biometric privacy law, other states have enacted stringent regulations:

Texas

The Texas Capture or Use of Biometric Identifier Act (CUBI) [2] requires businesses to inform individuals and obtain consent before collecting biometric data. It also mandates the protection of such data using reasonable care.

Washington

Washington’s biometric privacy law requires companies to obtain consent before collecting biometric data and mandates data protection measures. [3]

California

The California Consumer Privacy Act (CCPA) includes provisions for biometric data, giving consumers the right to know what personal data is being collected and to opt out of its sale. [4]

Notable Settlements in Biometric Privacy Litigation

Because of its high statutory damages and the absence of any requirement to demonstrate actual harm, BIPA has been a focus of class action plaintiffs’ lawyers. At least 100 putative class actions were filed in 2025 alleging violations of BIPA across a variety of industries and contexts. Several high-profile settlements have highlighted the importance of compliance with biometric privacy laws:

Motorola Solutions ($47.5M)

In June 2025, a $47.5 million settlement ended a class action lawsuit alleging that Motorola Solutions and Vigilant Solutions violated BIPA by collecting, storing, and using residents’ biometric data in connection with providing law officials with the FaceSearch facial recognition technology and access to a gallery of booking photos. [5]

Google ($8.75M)

While denying all allegations and wrongdoing, in July 2025, Google agreed to pay $8.75 million to settle allegations that it violated BIPA by collecting and storing data of individuals enrolled in Illinois schools using Google Workspace for Education or G Suite for Education platforms without proper consent. [6]

Wells Fargo ($19.5M)

In March 2025, Wells Fargo agreed to pay $19.5 million to resolve claims that the company violated California’s privacy laws by recording phone calls without consent. [7]

Clearview AI ($51.75M)

In March 2025, independent facial recognition company Clearview AI entered into a settlement agreement in which it agreed to pay $51.75 million to settle a nationwide class action alleging violations of state privacy laws by failing to obtain consent. [8]

Facebook ($650M)

In 2020, Facebook agreed to a $650 million settlement in a class-action lawsuit under BIPA. The lawsuit alleged that Facebook’s “Tag Suggestions” feature, which used facial recognition technology, violated BIPA by collecting biometric data without informed consent. [9]

Six Flags ($36M)

In 2019, Six Flags settled a BIPA lawsuit for $36 million. The lawsuit alleged that Six Flags collected fingerprint data from visitors without obtaining proper consent. [10]

Several trends have emerged in biometric privacy litigation:

Increased Awareness and Enforcement

As awareness of biometric privacy laws grows, enforcement actions and lawsuits have increased. Companies are being held accountable for non-compliance, leading to significant financial penalties.

Class-action lawsuits are a growing litigation trend. Organizations are being held accountable for non-compliance due to the myriad of state laws, leading to significant financial penalties.

Expansion of Privacy Laws

More states are enacting or considering biometric privacy laws. For example, New York and Massachusetts have proposed legislation similar to BIPA.

Private Right of Action

The inclusion of a private right of action in laws like BIPA has empowered individuals to sue companies for violations, driving compliance efforts.

Best Practices for Protecting Biometric Data

With the increasing regulatory policies and litigation practices surrounding data privacy, companies should review their risk management strategy concerning customer and client data and look to update their best practices to include:

  • Obtain Informed Consent: Clearly inform individuals about the collection, use, and retention of their biometric data. Obtain explicit, written consent before collecting any biometric information.
  • Implement Robust Security Measures: Use encryption, access controls that restrict data to authorized personnel only, multi-factor authentication, and other security measures to protect biometric data from unauthorized access and breaches. When possible, store templates or hashes of biometric data instead of raw images.
  • Limit Data Retention: Retain biometric data only for as long as necessary to fulfill the purpose for which it was collected. Establish and follow a data retention and destruction policy.
  • Conduct Regular Audits: Regularly audit data collection and storage practices to ensure compliance with biometric privacy laws. Address any identified gaps or vulnerabilities promptly.
  • Train Employees: Educate employees about biometric privacy laws and the importance of protecting biometric data. Provide training on data handling and security protocols.
  • Insurance: Ensure the company has insurance that adequately covers and responds to allegations.

Not all insurance policies offer the same coverage, and policies often contain specific exclusions for BIPA and related privacy laws. Carefully review cyber, media liability, commercial general liability, directors and officers, and errors and omissions policies to ensure proper coverage is in place.

Biometric privacy litigation is a rapidly evolving area of law, with significant implications for businesses that collect and use biometric data. By understanding the complex legal landscape, staying informed about trends, and implementing best practices, companies can proactively manage their risks and maintain the privacy of individuals. As the use of biometric technology continues to grow, compliance with privacy laws will remain a critical aspect of responsible data management.

Contributors

Krista Hartin
Vice President, Life Sciences Practice Leader

Angela Thompson
Marketing Strategist, Market Intelligence & Insights

Brian Spinner
Sr. Marketing Coordinator, Market Intelligence & Insights

Sources
  1. Illinois General Assembly. (2008, October 3). Biometric Information Privacy Act. ILGA. https://www.ilga.gov/Legislation/ILCS/Articles?ActID=3004&ChapterID=57
  2. Paxton, Ken. (n.a.). Biometric Identifier Act. Office of Texas Attorney General. https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/biometric-identifier-act
  3. Washington State Legislature. (2024, July 12). Biometric Identifiers. Washington State Legislature. https://app.leg.wa.gov/rcw/default.aspx?cite=19.375
  4. Bonta, Rob. (2024, March 13). California Consumer Privacy Act (CCPA). State of California Department of Justice. https://oag.ca.gov/privacy/ccpa
  5. Gocher, Chris. (2025, April 9). $47.5M Motorola Solutions Settlement Resolves Class Action Lawsuit Over Alleged FaceSearch BIPA Violations. ClassAction.org. https://www.classaction.org/news/47.5m-motorola-solutions-settlement-resolves-class-action-lawsuit-over-alleged-facesearch-bipa-violations
  6. Levine, Steve. (2025, October 16). $8.75M Google Consumer Privacy BIPA Class Action Settlement. OpenClassActions.com. https://openclassactions.com/settlements/google-education-bipa-settlement.php
  7. Goolam, Sameeha. (2025, March 8). Wells Fargo Hit By $19.5 Million Lawsuit Settlement – $87 Payment Confirmed If You Are In This List. Flashnews. https://gcn.com/us/wells-fargo-hit-by-19-5-million-lawsuit/
  8. Navetta, David, et al. (2025, April 30). $51.75M Settlement in Clearview AI Biometric Privacy Litigation Illustrates Creative Resolution for Startups Facing Parallel Litigation and Enforcement Action. Troutman Pepper Locke. https://www.regulatoryoversight.com/2025/04/51-75m-settlement-in-clearview-ai-biometric-privacy-litigation-illustrates-creative-resolution-for-startups-facing-parallel-litigation-and-enforcement-action/
  9. Akanksha, Rana, and Kuber, Shailesh. (2020, August 1). Facebook raises settlement to $650 million in facial recognition lawsuit. Reuters. https://www.reuters.com/article/sustainability/facebook-raises-settlement-to-650-million-in-facial-recognition-lawsuit-idUSKCN24W312/
  10. Mansur, Sarah. (2021, June 15). Six Flags Great America agrees to $36M settlement over use of finger-scan entry gates. The State Journal-Register. https://www.sj-r.com/story/news/courts/2021/06/15/amusement-park-agrees-36-m-settlement-over-alleged-bipa-violations/7700999002/