Date: 2025-08-29

A hot potato: US states are imposing stricter rules on how tech companies collect, analyze, and monetize biometric data, including facial features, iris patterns, and other unique identifiers. While no federal regulation currently governs facial recognition systems, the National Conference of State Legislatures reports that 23 states have passed or updated laws to limit the mass collection of biometric information.

Colorado recently implemented new privacy rules requiring companies to obtain consent before using facial or voice recognition technology. The rules also prohibit the sale of biometric data. In June, Texas introduced an AI law that bans the unauthorized collection of biometric identifiers, echoing similar consent-based regulations passed last year in Oregon, where companies must now secure explicit opt-in from consumers before collecting facial, eye, or voice data.

Facial recognition technology has become a core feature of many consumer products and services, though industry attitudes have shifted over time. Meta, for example, shut down its facial recognition system in 2021 following a lawsuit over biometric privacy violations, but has since reintroduced the technology to combat celebrity investment scams.

Meanwhile, advances in AI have driven facial recognition into everyday devices and applications. Pete Fussey, a professor at the University of Essex, told NPR that "facial recognition is everywhere," adding that while consumers enjoy conveniences like unlocking phones and faster airport security checks, "there's no downstream control over how our biometric data is used."

Although most states have adopted some form of biometric protection, the scope and effectiveness of these laws vary widely. In several cases, these measures have led to substantial financial settlements with tech companies accused of violating privacy regulations.

Both Google and Meta paid a combined $1.4 billion after allegations that they mined Texans' facial recognition data without user consent. Another firm, Clearview AI, settled for $51 million over claims it collected billions of online facial images without proper authorization.

In Illinois, Google paid $9 million after a lawsuit alleged it failed to obtain written consent from students whose voice and facial data were recorded through an educational tool.

The Illinois Biometric Information Privacy Act, adopted in 2008, is notable for requiring written permission rather than a simple digital agreement – such as clicking a checkbox for a service's terms – and for allowing individuals to file lawsuits directly against companies. Legal scholar Michael Karanicolas of Dalhousie University called the standard digital consent model "clearly ineffective," noting that "nobody is reading these terms of service."

He highlighted that Illinois's law is unique in granting citizens the ability to sue, a mechanism that privacy advocates say the tech industry has strongly opposed. Only a handful of other states, including California and Washington, provide similar legal recourse.

In most states, enforcement is left to attorneys general. Advocates of citizen lawsuits, known as a "private right of action," argue that this approach empowers residents to hold companies accountable for exploiting biometric data. "And that can lead to these big class-action settlements… they can be genuinely effective at shaping companies' attitudes about personal information and generate corporate change," Karanicolas said.

However, even the strongest privacy laws have limits when dealing with foreign-based firms. PimEyes, an overseas facial recognition service, allows users to search for matches based on facial features but does not follow the same safeguards as major US tech companies.

Although Illinois law ostensibly bars PimEyes from operating locally, attorney Brandon Wise discovered that images of Illinois residents remained in its database among billions of others. Wise filed a class-action lawsuit on behalf of five Illinois residents, but efforts to serve the company in Georgia, Dubai, and Belize failed. After two years, the case was dropped. Wise said the process felt like "suing a ghost."

At the federal level, several proposals have sought to increase transparency around facial recognition technology, including recent attempts to require the Transportation Security Administration to notify air travelers of their right to opt out of face screenings. However, progress has been slow.

Adam Schwartz, litigation director at the Electronic Frontier Foundation, who has long advocated for national biometric protections similar to those in Illinois, says that technology companies have consistently opposed such measures, arguing they would harm profitability. "But I think people are getting more and more fed up with tech companies ignoring their privacy," Schwartz said.