As biometric technology and personal data collection become deeply embedded in everyday life—from smartphones and smartwatches to healthcare portals and workplace security—so do the risks surrounding them. From facial recognition and iris scans to credit card numbers, bank account details, and Social Security Numbers (SSNs), businesses today are handling more sensitive PII and biometric data than ever before.
Yet while technology evolves at breakneck speed, privacy regulations are struggling to keep pace. There’s no clear national standard defining or restricting the use of biometric data and personally identifiable information (PII). In response, individual states are stepping in with their own rules—creating a growing patchwork of laws that businesses must navigate.
This legal uncertainty raises real risks. Companies that fail to comply—even unintentionally—may face steep penalties, reputational damage, or class-action lawsuits. For legal professionals, compliance officers, and business leaders alike, preparing for evolving PII and biometric data regulation is now a strategic imperative.
Let’s break down where data privacy laws are headed—and what businesses must do to ensure compliance.
What Counts as Biometric Data and PII?
While biometric data and PII often appear together in privacy law discussions, they are distinct in nature and legal treatment. Many states regulate them under separate statutes, though both are considered forms of sensitive information.
Biometric data refers to measurable, unique physical or behavioral characteristics used to identify an individual. These include:
- Fingerprints
- Iris scans
- Facial recognition
- Voiceprints
- DNA sequences
This data is increasingly central to modern biometric authentication systems—from law enforcement using fingerprints to mobile devices using facial recognition. Unlike passwords, biometric identifiers are irreplaceable. Once compromised, they cannot be changed, making breaches involving this data particularly serious.
PII includes any information that can identify a specific individual, directly or indirectly, especially when combined with other data points. Examples of PII include:
- Full name
- Social Security Number (SSN)
- Driver’s license number, passport number, and other government-issued ID numbers
- Mother’s maiden name
- Credit card and bank account numbers
- Medical records
- Place of birth
- LinkedIn profiles
- Date of birth
- Phone number
- Gender or age
While some of these elements may seem harmless on their own, combined they can form a complete profile—making them prime targets for identity theft and fraud.
And the real-world risks are serious. Cybercriminals don’t need a full profile to cause harm. A leaked place of birth, SSN, or mother’s maiden name can unlock bank accounts or credit card details. Publicly visible data—like LinkedIn profiles—can be used in phishing scams or impersonation schemes.
Biometric identifiers add fuel to the fire, enabling long-term, irreversible damage when exposed.
Why This Data Is Under Attack
The reason is simple: it’s valuable. A single data breach can expose thousands of consumers’ financial information, health records, or biometric credentials. Cybercriminals can use this data to commit fraud, steal identities, or sell it on the dark web.
For example:
- Access control systems using facial recognition could be bypassed if facial data is leaked.
- Healthcare systems using fingerprint logins may unintentionally expose protected health information (PHI) if breached.
- Unlike a credit card number, you can’t replace your fingerprint or iris scan if it’s stolen.
As threats evolve, businesses must rethink how they approach PII protection and enforce smarter access control policies to stay ahead.
Key Privacy Laws Shaping Compliance
BIPA – Illinois’ Biometric Law
The Biometric Information Privacy Act (BIPA) is one of the strongest biometric privacy laws in the U.S. It requires:
- Informed, written consent before collecting biometric data
- A public policy outlining data retention and deletion
- A ban on profiting from biometric data
- A private right of action allowing individuals to sue
BIPA has triggered major class-action lawsuits and multimillion-dollar settlements.
HIPAA – Healthcare and Biometric Data
In healthcare, any biometric tools used to access Protected Health Information (PHI) must meet HIPAA requirements:
- Encrypt biometric data tied to PHI
- Enforce strict access control
- Report any breaches involving biometric-linked PHI
If you collect health information and use biometrics, robust privacy compliance is essential.
CCPA/CPRA – California’s Consumer Privacy Laws
The California Consumer Privacy Act (CCPA) and its update, CPRA, classify biometric data as sensitive personal information. Businesses must:
- Disclose what biometric data is collected and why
- Allow users to opt out of data sales
- Delete biometric data upon request
California continues to influence privacy laws nationwide.
The Patchwork Problem Across States
States like Texas, New York, and Washington have enacted biometric privacy laws, but few offer the individual right to sue found in Illinois’ BIPA. This disparity creates a compliance maze for businesses operating across multiple jurisdictions.
The result is a fragmented regulatory landscape—forcing organizations to navigate a patchwork of privacy regulations, often with inconsistent requirements and limited guidance.
To stay compliant:
- Understand each state’s rules regarding biometric data and sensitive PII
- Apply the strictest applicable standard across all operations to maintain consistency and reduce risk
Cybersecurity Best Practices for PII and Biometric Data
To protect PII and biometric data, organizations should:
- Minimize data collection: only gather what’s necessary
- Encrypt all sensitive data—both in transit and at rest
- Implement access controls and multi-factor authentication
- Conduct regular employee training to reduce human error
- Review third-party vendor practices to ensure compliance
These foundational practices help prevent data breaches and build a resilient privacy compliance framework.
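The following is an added example, not code from NBI or from any statute, showing how several of the practices above (and the consent, retention, deletion and access requirements described in the BIPA and CCPA/CPRA sections) translate into a small data-handling layer. The SSN is never stored in the clear (only a keyed hash and the last four digits), biometric templates are sealed before storage, only an assumed `auth-service` role may read them, a retention deadline is enforced, deletion requests are honoured, and every action lands in an audit trail. The one-year retention period, the role names and the sample data are assumptions; `seal`/`unseal` are a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for a vetted AEAD such as AES-GCM from a maintained crypto library, which is what a production system should use.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)       # assumed retention period for biometric templates
TEMPLATE_READERS = {"auth-service"}   # assumed roles allowed to read a template


def _keys(master):
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.digest(master, b"enc", "sha256"), hmac.digest(master, b"mac", "sha256")


def _keystream(k_enc, nonce, length):
    """HMAC-SHA256 used as a PRF to produce `length` keystream bytes for this nonce."""
    blocks = (length + 31) // 32
    return b"".join(hmac.digest(k_enc, nonce + i.to_bytes(4, "big"), "sha256")
                    for i in range(blocks))[:length]


def seal(master, plaintext):
    """Encrypt-then-MAC: random nonce, keystream XOR, then a tag over nonce+ciphertext.
    Standard-library stand-in for a real AEAD (AES-GCM); use the real thing in production."""
    k_enc, k_mac = _keys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(k_mac, nonce + ct, "sha256")


def unseal(master, blob):
    """Verify the tag before decrypting; tampered or truncated blobs are rejected."""
    k_enc, k_mac = _keys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.digest(k_mac, nonce + ct, "sha256")):
        raise ValueError("stored template failed integrity check")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


@dataclass
class Record:
    ssn_token: str        # keyed hash of the SSN; the SSN itself is never stored
    ssn_last4: str        # the only SSN fragment kept in the clear (data minimization)
    template: bytes       # sealed biometric template
    expires_at: datetime  # retention deadline


class SensitiveStore:
    """Holds biometric templates and minimal PII under consent, role and retention rules."""

    def __init__(self, master_key, clock=None):
        self._key = master_key
        self._records = {}
        self.audit = []   # (user_id, action, outcome) entries
        self._now = clock or (lambda: datetime.now(timezone.utc))

    def _ssn_token(self, ssn):
        return hmac.digest(self._key, ssn.encode(), "sha256").hex()

    def enroll(self, user_id, ssn, template, written_consent):
        """Refuse collection unless written consent has been recorded (the BIPA model)."""
        if not written_consent:
            self.audit.append((user_id, "enroll", "refused: no written consent"))
            raise PermissionError("written consent required before collecting biometrics")
        self._records[user_id] = Record(self._ssn_token(ssn), ssn[-4:],
                                        seal(self._key, template), self._now() + RETENTION)
        self.audit.append((user_id, "enroll", "ok"))

    def read_template(self, user_id, caller_role):
        """Only whitelisted roles may read; expired records are purged before any lookup."""
        if caller_role not in TEMPLATE_READERS:
            self.audit.append((user_id, "read", f"denied: role {caller_role}"))
            raise PermissionError(f"role {caller_role} may not read biometric templates")
        self.purge_expired()
        rec = self._records.get(user_id)
        if rec is None:
            raise KeyError(f"no active record for {user_id}")
        self.audit.append((user_id, "read", "ok"))
        return unseal(self._key, rec.template)

    def find_by_ssn(self, ssn):
        """Match on the keyed token so the SSN never appears in the stored table."""
        token = self._ssn_token(ssn)
        return next((uid for uid, r in self._records.items() if r.ssn_token == token), None)

    def delete(self, user_id):
        """Honour a deletion request (CCPA/CPRA style) and record the outcome."""
        removed = self._records.pop(user_id, None) is not None
        self.audit.append((user_id, "delete", "ok" if removed else "no record"))
        return removed

    def purge_expired(self):
        """Enforce the published retention schedule; returns how many records were removed."""
        now = self._now()
        expired = [uid for uid, r in self._records.items() if r.expires_at <= now]
        for uid in expired:
            self._records.pop(uid)
            self.audit.append((uid, "purge", "retention expired"))
        return len(expired)


def demo():
    """Walk through enrolment, a denied read, an allowed read, expiry and deletion
    using a fake clock and constructed sample data; returns the observed outcomes."""
    t = [datetime(2025, 1, 1, tzinfo=timezone.utc)]
    store = SensitiveStore(secrets.token_bytes(32), clock=lambda: t[0])
    template = b"\x10\x20\x30 constructed template bytes"   # constructed, not a real template
    out = {}
    try:
        store.enroll("u1", "123-45-6789", template, written_consent=False)
    except PermissionError:
        out["refused_without_consent"] = True
    store.enroll("u1", "123-45-6789", template, written_consent=True)
    try:
        store.read_template("u1", "marketing")
    except PermissionError:
        out["denied_marketing"] = True
    out["roundtrip"] = store.read_template("u1", "auth-service") == template
    out["found"] = store.find_by_ssn("123-45-6789") == "u1"
    out["last4"] = store._records["u1"].ssn_last4
    t[0] += RETENTION                       # advance the clock past the retention deadline
    out["purged"] = store.purge_expired()
    out["deleted_after_purge"] = store.delete("u1")
    out["audit_len"] = len(store.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that each statutory obligation maps to a single enforcement site: consent is checked at `enroll`, role at `read_template`, retention in `purge_expired`, and deletion in `delete`, and each site writes to `audit` so that a compliance review can show the record of what happened rather than reconstruct it later.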
The Path Forward: Don’t Wait for Federal Law
While groups like the Uniform Law Commission are proposing standardized data privacy acts (like the CUPID Act), a federal solution isn’t coming anytime soon. Meanwhile, the EU’s GDPR is influencing global standards with its strict rules around biometric data and PII.
U.S. businesses should act now by:
- Reviewing their data collection practices
- Understanding their obligations under HIPAA, BIPA, and CCPA
- Investing in robust cybersecurity infrastructure
Waiting for federal legislation could leave businesses vulnerable in the meantime.
Staying Informed: Legal Education for Evolving Privacy Laws
As data privacy laws continue to evolve, staying informed is critical. New regulations around biometric data, PII, and sensitive information can have wide-reaching compliance impacts.
To help navigate this complex and shifting landscape, NBI offers a variety of Privacy Law courses designed to provide attorneys and professionals with the foundational knowledge and timely updates they need. These programs cover key topics like:
- Data security
- Privacy compliance
- HIPAA and healthcare law
- Access control
- State-by-state privacy legislation
Whether you're advising clients or managing in-house policies, ongoing education is essential to maintaining compliance and building trust.
Conclusion
Biometric data and PII are now central to how businesses operate—and to how malicious actors exploit digital systems. Whether you're handling passport numbers, SSNs, health information, or iris scans, compliance isn’t just about law—it’s about safeguarding identity, ensuring accountability, and building public trust in a data-driven world.
By staying ahead of evolving privacy regulations and following proven data security practices, organizations can reduce legal risk, maintain compliance, and build lasting consumer trust.