2025 Governors and Legislatures (Projected)
image/svg+xml Skip to main content
Search image/svg+xml

Key Takeaways:

  • Biometric ID is a growing trend in retail stores as a way to pay for goods. This includes the use of biometric ID as a way to purchase age-restricted goods such as alcohol.
  • States lack clear laws on how to limit biometric data sharing and what penalties should be imposed on entities that violate these laws.
  • Illinois, Texas, and Washington are the only states that have regulations on the books about biometric identity collection, the use of that information, and the consequences for noncompliance.


The rise of biometric and touchless identification has begun to insert itself more directly into daily purchases that people make. Biometric identification systems are present everywhere from stadiums to local grocery stores. Even the TSA has begun to explore face recognition technology in lieu of examining physical IDs. 


A Primer on Biometric and Touchless Identification

There are two basic ways that biometric systems confirm a person’s age. The first is a more traditional method. A person goes into a physical location, provides a physical ID, and has their face or palm scanned so that anytime they use it again the system remembers that initial signup and confirms what it already knows. The airport security program CLEAR, which requires you to upload a photo of your government ID, is one of these programs. 

The second and more controversial method uses neural networks to estimate a person’s age. The neural networks are trained on millions of faces without  any form of physical identification from any individual. By not using any sort of physical ID as a baseline to establish accuracy, there is potential for racial bias, or misuse if there are not effective laws protecting people’s biometric privacy. 


Why Does This Matter?

Identification requirements for certain purposes are nothing new. Some purchases have always required strict identification, like alcohol. This makes biometric identification an intriguing use case for buying alcohol, which lawmakers have begun to explore. For alcohol purchases, biometric identifiers are not only going to be used to confirm the identity of an individual but also to confirm a person’s age. This is welcome news for alcohol vendors who would not need to rely on humans to verify physical IDs (sorry, McLovin). However, this kind of expansion of biometric data will generate more concern over an individual’s privacy. 


State Legislation Addressing Biometrics and Touchless ID 

Legislation Considered in the 2024 State Legislative Sessions

Lawmakers in several states have introduced bills aimed at addressing what biometric identifiers can and cannot be used for, but these bills are often not explicit enough to address concerns about data privacy. This year, 13 states have considered biometric privacy bills, shown in purple in the map below.  

State Biometrics and Touchless ID Laws Already in Effect

Illinois was one of the first states to enact a law on the collection, use, and storage of biometric information. Lawmakers passed the Illinois Biometric Information Privacy Act in 2008, well before the mainstream use of this kind of technology. Since then, both Washington and Texas enacted similar laws. 

Arizona enacted a law in 2023 on the use of biometric identifiers as a way to pay for alcohol purchases. The law defines a biometric identity verification device as a device that verifies a person’s ID through a scan of their iris, fingerprint, facial image, or other biometric characteristics. Arizona’s law does not exclude physical forms of identification to be used, it just allows the venues in question to utilize these biometric systems as a legally legitimate alternative to that system. However, this bill does not explicitly mention how this data should be stored or whether it can be distributed to other third-party entities, leaving  a gap in user privacy. 

Congress has yet to act on comprehensive privacy, which has left room for states to enact comprehensive privacy laws. Many of these laws regulate how companies process biometric information and require consent before collection. But so far, the only comprehensive privacy laws enacted lack a private right of action, and instead rely on enforcement by the attorney general.  

Advocacy groups have voiced concerns over the use of retail stores using biometric identification in ways that target potential customers. This brings up the question of enforcement/penalties for violating this law. In terms of penalties, these bills are vague. However, Illinois private right of action has led to a series of lawsuits, and some of these have been successful. The Texas biometric privacy law provides that only the state attorney general can bring civil action against those who violate this law with up to $25,000 in civil penalties per violation. But the average individual may not know when their biometric information is being misused or even that they have the ability for legal recourse in that scenario.


What’s Next?

As this kind of technology becomes more commodified, state lawmakers will likely grapple with how to protect the privacy of their citizens, while also ensuring that they are not creating prohibitive barriers to new technology. The fact that only three states have enacted laws addressing demonstrates the policy lag we often see in the technology arena. As this issue evolves, we will be monitoring how other states respond and what legislation is crafted to tackle this issue. 


Influence Tech Policy

Tech policy impacts nearly every company, and state policymakers are becoming increasingly active in this space. MultiState’s team understands the issues, knows the key players and organizations, and we harness that expertise to help our clients effectively navigate and engage on their policy priorities. We offer customized strategic solutions to help you develop and execute a proactive multistate agenda focused on your company’s goals. Learn more about our Tech Policy Practice