Biometric Privacy Laws 2026: Texas CUBI vs. Illinois BIPA

Chat to Caira 24/7. Upload your employer notices or privacy policies for Caira to review. She can draft statements and review your filled in forms. Free trial

Summary: You can easily change a compromised password, but you cannot change your fingerprint, your retina, or the geometry of your face. As corporations increasingly rely on biometric data for time-clocks, security, and targeted advertising, two states have emerged as absolute heavyweights in regulating this permanent biological data. This guide compares the aggressive Illinois BIPA against the state-enforced Texas CUBI to explain exactly who can scan your face and what happens if they do it without your permission.

The expansion of biometric technology has rapidly normalized the scanning of our physical bodies. When you start a new warehouse job, you might be told to press your thumb against a scanner to clock in. When you upload a photo to social media, an algorithm instantly maps the geometry of your face to suggest a tag.

But what happens when that data is mishandled? In a data breach involving credit cards, the bank simply sends you a new plastic square. If a hacker steals the digital rendering of your fingerprint or your iris, that biometric identifier is permanently compromised for the rest of your life.

Because the federal government has largely failed to pass comprehensive biometric privacy legislation, state laws dictate your safety. When examining the landscape of biometric regulation in 2026, two states command the entire conversation: Illinois and Texas. While both states heavily restrict the collection of biometrics, how those laws are punished is starkly different.

Illinois BIPA: The Most Feared Privacy Law in America

Enacted all the way back in 2008, the Illinois Biometric Information Privacy Act (BIPA) is widely considered the most aggressive and feared consumer privacy law in the United States.

The core of BIPA is simple: No private entity can collect, capture, purchase, or trade your biometric identifiers (fingerprints, retina scans, voiceprints, facial geometry) without first obtaining your explicit, written, informed consent. They must also publicly disclose exactly how long they will retain your data and when it will be permanently destroyed.

What makes BIPA truly terrifying for corporations is the Private Right of Action.

If a company scans your face in Illinois without written permission, you do not have to wait for the government to step in. You, the individual consumer, have the right to use Caira and sue the company directly. The law mandates penalties ranging from $1,000 for negligent violations to $5,000 for reckless or intentional violations per scan.

Because an employee might use a fingerprint time-clock four times a day, the potential damages are astronomical. This Private Right of Action has resulted in massive, historic class-action payouts to Illinois citizens, including a $650 million settlement against Facebook and hundreds of millions more extracted from employers who failed to get signed consent forms before installing biometric time-clocks.

Texas CUBI: Billion-Dollar State Enforcement

Texas was actually one of the very first states to regulate this technology when it passed the Capture or Use of Biometric Identifier Act (CUBI) in 2001. Like Illinois, Texas CUBI strictly prohibits companies from capturing biometric data for commercial purposes without your prior informed consent. It also requires the data to be destroyed within a reasonable time—typically no later than one year after the initial purpose of collection expires.

However, there is one massive difference between Texas and Illinois. CUBI does not have a Private Right of Action.

If your boss in Dallas forces you to use a fingerprint scanner without getting your consent, you cannot use Caira to sue the company for a $5,000 payout. Only the Texas Attorney General has the legal authority to enforce CUBI.

While this prevents employees from launching direct class-action lawsuits to line their own pockets, the Texas Attorney General’s office does not pull its punches. The AG can sue companies for civil penalties of up to $25,000 per violation.

• The Catch: When Texas wins these massive CUBI lawsuits, the money goes directly into the state's General Revenue Fund—not your pocket.

• In 2024, Texas utilized CUBI to secure a historic $1.4 billion settlement against Meta (Facebook) for routinely mapping the facial geometry of millions of Texans over a decade without explicit consent.

Protecting Your Biological Blueprint

As facial recognition technology becomes integrated with generative AI, protecting your bodily data is more critical than ever.

If you live in Illinois and your employer introduces a fingerprint scanner or facial recognition camera, do not engage with the system until HR provides a comprehensive BIPA consent form detailing their retention and destruction policies. If they refuse, consult Caira immediately—you likely have a lucrative legal claim.

If you live in Texas, be vigilant about what apps you allow to scan your face, and recognize that while you cannot sue them directly for a CUBI violation, filing a detailed complaint with the Attorney General's office is the specific trigger required to unleash state-sponsored regulatory action. Your face belongs to you; no corporation has the right to map it in the dark.

Disclaimer: This article is general information, not legal, financial, tax or medical advice.