Biometric Data Laws: Can Companies Store Your Face or Fingerprint?
Learn how U.S. biometric data laws affect storage of facial images and fingerprints, what consent is required, and how to verify a company's compliance.
In an era where a quick scan can unlock a laptop or open a door, many of us wonder: Are companies allowed to keep a digital copy of my face or fingerprint? The answer isn’t a simple yes or no. It depends on where you live, what kind of organization is collecting the data, and how they handle consent and security.
Navigating this landscape requires high-level tools like ShouldEye and EyeQ, which help individuals and businesses alike understand the nuances of biometric privacy laws and facial recognition regulations. This guide walks you through the U.S. legal landscape, highlights the most common compliance pitfalls, and gives you a practical checklist to verify a company’s biometric practices before you hand over a scan.
What the U.S. Landscape Looks Like
Biometric data laws in the United States are a patchwork of state-specific statutes and broader privacy frameworks. As of 2025, only three states - Illinois, Texas, and Washington - have enacted standalone biometric privacy statutes. They apply to private entities generally, employers included, and lay out obligations around notice, consent, security, and retention that govern workplace uses such as fingerprint time clocks. The Illinois Biometric Information Privacy Act (BIPA) remains the cornerstone of this area of law: it is the only one of the three with a private right of action, which is why it is the statute cited in most major litigation over employee and consumer biometric data.
Beyond those three, more than 20 states have enacted or proposed laws that reach biometric data, most often by classifying it as sensitive personal information under a broader consumer-privacy statute. While many of these laws are still evolving, they generally echo the same themes: obtain consent, provide notice, and protect the data with reasonable security measures. Because the statutes differ from state to state, a company operating in multiple jurisdictions must navigate a complex compliance matrix. For the most current legislative updates, the International Association of Privacy Professionals (IAPP) tracks these shifting state laws.
Key Consent and Notice Requirements
Written consent is the norm. Across the jurisdictions that address biometric data, written consent before collection or storage is a common requirement, and Illinois makes it mandatory: BIPA requires a written release signed by the individual (for employees, a release signed as a condition of employment) after notice of what is collected, why, and for how long. Employers and other private entities should treat that as the baseline everywhere: notify individuals about what data will be collected and obtain a signed written agreement before the first scan. This protects both the individual and the organization from later disputes over workplace biometric compliance, and without that paper trail a company faces significant legal exposure.
Signage for public spaces. If a business collects biometric data from customers - think a retail store using facial recognition for loyalty programs - local ordinances can add notice obligations on top of state law. New York City's biometric identifier information law (in effect since July 2021) requires commercial establishments that collect customers' biometric identifier information to post "clear and conspicuous" signage near all customer entrances disclosing that collection, and separately bars them from selling or otherwise profiting from the data. This guide does not cover every municipality, but the NYC rule illustrates how local rules can supplement state statutes and make facial recognition visible to the public before they step through the door.
What Counts as Biometric Data?
Most statutes define biometric data narrowly: fingerprints, voiceprints, iris or retina scans, scans of hand or face geometry, and similar physiological identifiers. Importantly, photographs, video, and audio recordings are expressly excluded from the definition in several states, including Illinois. This distinction matters because an ordinary photo of a face may not trigger the same obligations as a facial-recognition template. The caveat is that the template is usually computed from a photo: Illinois courts have generally held that a face-geometry scan extracted from a photograph is covered by BIPA even though the photograph itself is not. So the practical question is not whether a company holds your picture but whether it runs that picture through an algorithm that produces a biometric template, which is exactly the kind of detail a privacy disclosure tends to bury and a tool like EyeQ can help parse.
Common Uses and Why Employers Collect
Employers often turn to biometric identifiers for practical reasons:
Access control – Scanning a fingerprint or face to unlock doors or secure areas.
Device authentication – Using a face scan or fingerprint to log into laptops and mobile devices.
Time-keeping – Recording clock-in and clock-out events with a fingerprint to reduce buddy-punching.
These applications improve security and efficiency, but they also create a legal responsibility to handle the data correctly. Fingerprint and face scans for laptop login or time-keeping are now routine in many workplaces. When employee data rights are respected, the workplace becomes more secure; when they are ignored, the company risks severe penalties.
Risks of Non-Compliance
Even with clear statutes, several gray areas remain. Penalties vary by state and are not always easy to estimate in advance. Illinois BIPA sets liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees, and lets individuals sue directly; a 2024 amendment clarified that repeated scans of the same person by the same method count as a single violation rather than one per scan. Texas allows a civil penalty of up to $25,000 per violation, but only the state attorney general can enforce it, and Washington's statute is likewise enforced by the attorney general under its consumer-protection law. Retention rules are also uneven. BIPA requires destruction once the purpose for collection has been satisfied or within three years of the individual's last interaction with the entity, whichever comes first; Texas requires destruction within a reasonable time and no later than one year after the purpose expires; most other statutes say only "no longer than reasonably necessary". Where no hard limit applies, organizations should set a conservative, documented retention schedule.
Implied consent is another area of uncertainty. Under BIPA, using a scanner without first receiving a signed written release does not satisfy the statute; Texas and Washington require notice and consent but do not mandate a written form, so whether tapping a scanner counts as consent depends on the state and on how notice was given. Public guidance also tends to focus on workplace uses, so requirements for non-employee consumers, such as shoppers in a store that uses facial recognition, are less well documented, even though the three standalone statutes cover consumers as much as employees. Because of these unknowns, the safest approach is to treat biometric data as highly sensitive, obtain explicit written consent, and retain the data only as long as necessary for the stated purpose. At the federal level, the Federal Trade Commission's May 2023 Policy Statement on Biometric Information warns that deceptive claims about biometric collection, and collection without adequate notice and choice, can be treated as unfair or deceptive practices under Section 5 of the FTC Act.
How to Verify a Company’s Practices
Before you let a company scan your face or fingerprint, run through this quick verification checklist:
Ask for the written consent form. It should explain what data is collected, why, how it will be stored, and how long it will be kept.
Check for clear signage if you’re in a public venue. Look for notices near entrances that describe biometric collection.
Review the privacy policy for a dedicated biometric data section. If the policy is vague, request clarification.
Confirm security measures. Ask where the biometric template lives: on the device that captured it (a phone's secure hardware, a badge reader) or in a central database run by the employer or a vendor, and whether the raw image is discarded once the template is created. Encryption at rest, access limited to the people and systems that need it, and regular audits are the baseline for fingerprint data security; BIPA in particular requires biometric data to be protected with the reasonable standard of care in the industry and at least as well as the company protects its other confidential information.
Inquire about data retention. Ask how long the biometric template will be stored and when it will be securely destroyed.
Look for a data-subject rights process. You should be able to request deletion of your biometric data at any time.
If any of these steps raise red flags, consider whether you’re comfortable proceeding. When in doubt, use a verification tool to dig deeper into the company's workplace biometric compliance history.
- State coverage varies: Only a handful of states have specific biometric statutes; many rely on broader privacy laws.
- Consent is often required: Written consent before collection is a common legal expectation.
- Penalties vary: Illinois provides statutory damages and a private right of action; Texas and Washington are enforced only by their attorneys general.
- Retention limits are uneven: Illinois caps retention at three years after the last interaction (sooner if the purpose is satisfied), Texas at one year after the purpose expires; most other statutes say only "no longer than reasonably necessary".
How ShouldEye Helps You Check This
ShouldEye aggregates consent language, notice requirements, and security clauses from a company’s public documents. By scanning a privacy policy, it highlights any biometric-related sections, flags missing consent forms, and surfaces state-specific obligations that may apply. The platform also cross-references complaints and enforcement actions, giving you a risk snapshot before you share a scan. ShouldEye effectively translates dense legal jargon into actionable insights regarding facial recognition regulations and employee data rights.
Using EyeQ for a Faster Decision
Instead of reading pages of legal text, use EyeQ to ask: “Does this company’s privacy policy cover biometric data storage, consent, and retention?” EyeQ will return a concise summary and point out any gaps, so you can decide whether to proceed. This is particularly useful when checking if a firm adheres to standard data retention policies or if they are cutting corners on fingerprint data security.
Bottom Line
Biometric data laws are evolving, and the regulatory environment varies dramatically across states. While Illinois, Texas, and Washington have standalone biometric statutes that cover employers and consumers alike, many other states are folding biometric data into broader privacy frameworks. The safest path is to demand written consent, verify clear notice, and ensure robust security and limited retention. When you're unsure, a tool like ShouldEye or EyeQ can quickly surface the missing pieces.
Take a moment to double-check any biometric request you receive. Your face and fingerprints are uniquely yours - protect them with the same care you would any other personal information. As the legal landscape for biometric privacy laws matures, staying informed through resources like the Electronic Frontier Foundation (EFF) will remain a vital part of your digital defense strategy. By combining personal vigilance with the analytical power of ShouldEye and EyeQ, you can ensure your most personal data remains under your control.
FAQs
Do any U.S. federal laws ban companies from storing biometric data?
Which states have specific biometric privacy statutes for employers?
Is written consent always required before a company can collect my fingerprint?
Do photographs or video recordings count as biometric data under these laws?
What should I look for in a company’s privacy policy regarding biometric data?
Can I rely on a sign at a store entrance as sufficient notice?
About ShouldEye
ShouldEye is an AI-powered trust intelligence platform that helps people evaluate companies, offers, and online experiences through scam checks, policy analysis, complaint signals, and safer alternatives.
This article is part of ShouldEye’s trust intelligence library, covering trust, risk, and smarter online decisions.