The use of biometric technologies in retail store settings—from facial recognition when shopping to palm-based payments—is expanding rapidly. What began as a tool for security is now being applied in marketing, analytics, and customer experience, raising broader questions about privacy and data ownership.
Retail chains like Wegmans and ShopRite have faced public scrutiny for testing facial recognition for loss prevention and store security—particularly where notice to employees and customers has been limited or unclear. These practices have also drawn legislative attention, including proposals to tighten restrictions or ban certain uses altogether.
OGC has been tracking this trend closely, including a survey of biometric data privacy obligations in early 2024. This 2-part blog series builds on that foundation. In Part One, we highlight how retailers are using biometric technologies today, recent legislative developments, and why the distinction between security and marketing uses is quickly becoming one of the most important lines to draw.
What Is Biometric Data and How Are Retailers Using It?
Biometric data generally refers to measurements derived from an individual’s physical, physiological, or behavioral characteristics that can be used to uniquely identify that person. Common examples include fingerprints, facial geometry, voiceprints, iris scans, and gait patterns.
Retailers are deploying biometric technologies across multiple functions:
- Employee Authentication: Use of fingerprint or handprint time clocks, as well as controlled access to stock rooms.
- Loss Prevention and Security: Facial recognition to identify repeat shoplifters or banned individuals.
- Customer Experience: Palm or facial recognition for payment systems and expedited checkout.
- Marketing and Analytics: Facial analysis for age/gender estimation, tracking repeat visits, and targeted in-store promotions.
The Issue Beneath the Surface: Not All Uses Are Treated Equally
While these use cases may seem similar from a technology standpoint, they are treated very differently under emerging state biometric and privacy laws.
In some jurisdictions, “security” and “fraud prevention” uses may qualify for specific exclusions, while “marketing, analytics, and profiling” uses are more likely to trigger strict consent and disclosure requirements—or be banned altogether in certain contexts.
This distinction plays out in different ways across state law frameworks.
A Patchwork of State Laws
There is currently no comprehensive federal law governing biometric data, leaving retailers to navigate a growing patchwork of state laws—some narrowly tailored, others very broad. There are now over 20 US states that have enacted or proposed biometric privacy laws to restrict how private companies collect, store, and share biometric identifiers.
Illinois: The High-Water Mark
Currently, Illinois has one of the most stringent laws regulating biometric data applications. The Illinois Biometric Information Privacy Act (BIPA) applies to all use cases—employee timekeeping, marketing, and loss prevention—and:
- Requires notice and written consent before collecting any biometric data from any individual;
- Requires a publicly available written retention schedule and a deletion guideline policy for biometric data; and
- Provides a private right of action [1] (meaning affected individuals can bring an action under the BIPA in addition to the state Attorney General doing so).
Notably, the BIPA does not distinguish between security and marketing uses. For example, a retailer using facial recognition to identify repeat shoplifters and one using facial analysis to estimate customer demographics for marketing purposes are both subject to the same notice, consent, and retention requirements.
Other State Law Frameworks
1. Texas and Washington: Use-Triggered Frameworks
Biometric data laws in Texas [2] and Washington [3] are less stringent than the BIPA, focusing on the use of biometrics to further commercial interest, such as marketing, advertising, or the sale or other disclosure of biometric identifiers to third parties. Biometrics used solely for security or fraud prevention purposes are more likely to fall outside the scope of the law or qualify for statutory exclusions.
Under these laws:
- Notice, consent, and reasonable security measures are required when used for commercial purposes;
- Enforcement is handled by state regulators (no private lawsuits); and
- Violations may result in substantial civil penalties.
2. Colorado: A More Comprehensive Framework
By contrast, Colorado’s Biometric Data Privacy Amendment to the Colorado Privacy Act (effective July 1, 2025) takes a more comprehensive, structured approach by treating biometric identifiers as a regulated category of sensitive data:
- Biometric data is defined broadly as identifiers derived from biological, physical, or behavioral characteristics used for unique identification (e.g., facial geometry, voiceprints).
- Although notice and consent are only required when biometrics are used for marketing purposes, Colorado does impose certain operational and recordkeeping controls no matter the purpose (applying to any use of biometric data, whether for marketing or security), including:
  - Adoption of written policies (retention, deletion, incident response);
  - Implementation of security controls; and
  - Obtaining opt-in consent for processing biometric identifiers as sensitive data.
As a result, Colorado places more consistent and affirmative obligations on businesses, particularly where biometric identifiers are used in customer-facing functions or sold or shared with third parties.
In the employment context, recent amendments allow employers to require consent as a condition of employment, but only for specific security and operational purposes such as access control, timekeeping and workplace safety. Use of biometric data for productivity monitoring or location tracking requires separate, voluntary consent and may require a strong justification.
Like Washington and Texas, Colorado does not provide a private right of action; enforcement rests with the state attorney general.
Broader Privacy Laws: Higher Risk for Marketing and Analytics Uses
Even where no separate biometric-specific law exists, broader consumer privacy laws can still impose meaningful obligations on biometric uses—particularly where:
- Biometric data is used for targeted advertising and profiling: Laws such as Delaware’s require data protection assessments for certain targeted advertising and profiling activities and may impose consent or opt-out obligations where biometric data is used to analyze or predict consumer behavior.
- Minors are involved: Laws like New York’s Child Data Protection Act restrict targeted advertising and certain profiling of individuals under 18, increasing risk where biometric tools are deployed in environments frequented by minors.
- Biometric data is classified as sensitive data: States like Minnesota classify biometric data as “sensitive,” which often triggers opt-in consent requirements—especially where it is used for customer analytics or behavioral tracking.
Marketing vs. Security Uses: Why the Distinction Matters
Across these frameworks, a consistent theme has emerged: how biometric data is used—particularly whether for security or marketing—often determines the level of regulatory scrutiny.
Security and Fraud Prevention
Many laws recognize “security” or “fraud prevention” as a legitimate basis for collecting and processing biometric data. With the exception of Illinois’ BIPA, which requires prior notice, written consent, and data retention and deletion policies regardless of the stated purpose, most state requirements are more limited or may not apply at all to security-only uses.
For example, in many jurisdictions outside of Illinois, retailers are allowed to use facial recognition to identify banned individuals or repeat shoplifters, or to control access to restricted “back-of-house” areas, without obtaining consent or posting public retention policies. Biometric authentication used for secure employee login or to verify high-risk financial or payment transactions may also fall outside the statutory consent requirements.
That said, even in states where security uses are permitted without consent, broader data privacy laws may still require transparency (e.g., posted notices), proportionality, and appropriate safeguards. Likewise, overbroad claims of “security” to justify expansive data collection may draw regulatory scrutiny. These requirements will continue to evolve as states continue to update and expand their biometric and broader privacy laws.
Marketing, Analytics, and Profiling
By contrast, the use of biometric data for marketing or customer analytics is often subject to much greater regulatory scrutiny under comprehensive state privacy laws.
Examples include:
- Facial analysis for demographic estimation (e.g., age or gender) to tailor advertising,
- In-store camera analytics monitoring shopper navigation and return visits to inform product placement, store design, and personalized marketing, and
- Linking biometric identifiers (e.g., face or palm scans) to loyalty programs, purchases, or preferences.
In many states, these activities are more likely to be treated as targeted advertising or high-risk profiling, triggering:
- Opt-in consent requirements (not just notice)
- Heightened regulatory and reputational risks
Key Takeaway
As biometric tools become more deeply embedded in retail environments, the operative question is no longer whether to use them – but how they are categorized, and what that classification means for compliance obligations and risk exposure.
Statutory penalties that accrue on a per-violation basis can be severe. In Texas, penalties under CUBI can reach up to $25,000 per violation; in Colorado, up to $20,000 per violation; and in Washington, up to $7,500 per violation. Because penalties are often calculated on a “per-violation” basis, exposure can scale quickly. For example, a single unlawful practice affecting 100 individuals could be treated as 100 violations, and repeated conduct involving the same individual may be treated as multiple violations, depending on how a particular statute and enforcement authority define and apply “per-violation” penalties.
Ultimately, this isn’t just a compliance issue—it’s a business decision with legal, operational, and reputational implications.
In Part Two, we will cover practical steps that retailers may wish to take to manage the risks associated with biometric data use.
Stacey Heller is an experienced transactional attorney and has worked with companies in a variety of industries, including technology, retail, telecom, advertising, hospitality, and real estate and construction. Stacey regularly handles a broad range of work for her clients, from commercial agreements to real estate (commercial leasing and construction), as well as dispute resolution matters. Stacey can be reached at sheller@outsidegc.com.
[1] An amendment to the BIPA effective August 2, 2024 limits statutory damages to a per-person basis, rather than a per-scan basis, in an effort to clarify that multiple scans of the same person using the same method only count as one violation. Statutory damages are capped at $1,000 for each negligent violation and $5,000 for intentional or reckless ones. The amendment does not change the rule that individuals may still bring BIPA claims without proving any additional harm beyond a violation of the statute.
[2] The Capture or Use of Biometric Identifiers (CUBI), amended January 1, 2026.
[3] The Washington Biometric Privacy Act.