Biometric authentication just became a regulatory frontier
Biometrics are now in nearly every national ID and a growing share of logins, and the law has caught up. BIPA, the EU AI Act, and a wave of US state rules treat biometric identifiers as a special category. Here is what changed and what to do.
Two things happened at once. Biometrics moved into nearly every national ID and a large share of consumer logins, and lawmakers decided biometric identifiers deserve their own rules. If you use face or fingerprint anywhere in your identity stack, this is now a compliance question, not just an engineering one.
What changed in the law
A cluster of regulations now treats biometric data as a special category with extra duties:
- Illinois BIPA gives individuals a private right of action with statutory damages for collecting biometric identifiers without written consent and a retention schedule. It has driven years of class-action litigation. See the BIPA breakdown.
- The EU AI Act bans untargeted scraping of facial images from the internet or CCTV to build recognition databases, tightly restricts real-time remote biometric identification in public spaces, and classifies remote biometric identification, biometric categorisation, and emotion recognition systems as high-risk. Details in our EU AI Act page.
- US state privacy laws in Virginia, Colorado, and Texas classify biometric data used to identify a person as sensitive, requiring opt-in consent. Colorado's 2024 amendment adds specific biometric duties.
- GDPR treats biometric data processed to uniquely identify a person as a special category under Article 9, so it needs an explicit lawful basis such as explicit consent; other regimes, India's DPDP among them, put their own consent duties on it.
The full set, mapped to identity impact, is in the regulations directory.
The distinction that keeps you out of trouble
Not all "biometrics" are equal under these laws, and the difference is the whole game.
- On-device biometric unlock, as used by passkeys and WebAuthn, keeps the biometric on the user's device. The relying party never receives a fingerprint or face template; it stores a public key and receives signed assertions whose only biometric-related signal is a single "user verified" flag. This is the privacy-friendly pattern, and it usually falls outside the biometric-data rules because no biometric identifier ever reaches your servers.
- Server-side biometric identification, where you collect and match a face or fingerprint template centrally, is what most of these laws target. Consent, retention limits, and data minimization apply in full, and every copy of a template is a regulated asset.
If you are choosing how to add biometric login, this distinction should drive the architecture, not just the legal review.
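To make the architectural point concrete, here is what a WebAuthn relying party actually receives and checks in an assertion. This is an added example, not code from the page or from any passkey library: it parses the fixed 37-byte authenticator-data prefix (rpIdHash, flags, signCount) defined by the WebAuthn spec and applies the relying-party policy checks that do not involve the signature. The relying-party ID `login.example`, the sample counter values, and the `build_authenticator_data` helper that fabricates test input are assumptions for the demo; a real authenticator would produce the bytes. Nothing in the structure is a biometric template; the UV bit says only that the device verified the user.

```python
import hashlib
import struct

# Authenticator-data flag bits as defined in the WebAuthn specification.
FLAG_UP = 0x01  # user present (touch/click)
FLAG_UV = 0x04  # user verified (PIN or on-device biometric; the RP never learns which)
FLAG_BE = 0x08  # backup eligible (synced passkey)
FLAG_BS = 0x10  # currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte prefix every assertion carries.

    Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)
    followed by optional attested-credential and extension data. No field holds
    a fingerprint or face template; the authenticator reports *that* it verified
    the user, not *how*.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "has_attested_cred": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def check_assertion_policy(auth_data: bytes, rp_id: str, stored_sign_count: int,
                           require_uv: bool = True) -> dict:
    """Relying-party checks on the authenticator data (signature excluded).

    Returns the parsed fields or raises ValueError. The signature over
    auth_data || SHA-256(clientDataJSON) is verified separately against the
    public key stored at registration; that step needs a crypto library and is
    not shown here.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        raise ValueError("user presence flag not set")
    if require_uv and not parsed["user_verified"]:
        raise ValueError("user verification required but UV flag not set")
    # A counter of 0 means the authenticator does not implement counters;
    # otherwise a counter that fails to increase suggests a cloned credential.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= stored_sign_count:
        raise ValueError("signCount did not increase; possible cloned authenticator")
    return parsed


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input for the demo, not output from a real authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Assumed relying-party ID and counters; a browser/authenticator would supply the bytes.
    sample = build_authenticator_data("login.example", FLAG_UP | FLAG_UV, 42)
    print(check_assertion_policy(sample, "login.example", stored_sign_count=41))
```

The useful observation for a compliance review is that the only inputs to `check_assertion_policy` are a hash of your own domain, one flags byte, and a counter. If your relying-party code ever handles anything resembling a template, you have left the on-device pattern and are in the server-side category above.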
What to do now
- Prefer on-device. Passkeys give you phishing-resistant authentication without holding biometric templates. See what is passwordless.
- If you must store templates, get explicit written consent before collection and publish a retention and destruction schedule. That is the core of BIPA and the state laws.
- Know your geography. Biometric rules vary sharply by country and US state. Check each market in the regulations directory.
- Vet your verification vendor. If you verify government IDs with a selfie or fingerprint match, your identity verification provider is collecting biometric data on your behalf and shares these obligations with you; put consent, retention, and deletion terms in the contract.
Biometrics are not going away. Almost every national digital ID in our directory now enrolls them. The teams that win will treat biometric data as the regulated, high-value asset it has become, and design so they hold as little of it as possible.