Biometric identifier notice, consent, and retention schedule

biometric-data-consent-policy | Domain: data-privacy | Type: policy

Description

A written program governing how a product captures, stores, uses, and destroys biometric identifiers (fingerprints, voiceprints, face geometry, iris and retina scans). The state biometric statutes share a common skeleton even where their enforcement teeth differ: notice before capture, consent (or in Washington an opt-out mechanism), a use limitation tied to the original purpose, a no-sale default, reasonable-care storage, and a destruction schedule keyed to when the collection purpose expires. Texas CUBI puts a one-year outer bound on retention after the purpose lapses; Illinois BIPA pairs the same skeleton with a private right of action and per-violation statutory damages, which is why the Illinois exposure is litigation-driven while Texas and Washington exposure is attorney-general-driven. The control is the policy plus the implementing data flows: a consent capture step wired ahead of any biometric enrollment, a retention timer that triggers destruction, and an audit record showing both. The mistake that recurs is treating a feature as non-biometric because it processes a photo rather than a template; voiceprints and records of face geometry derived from media are squarely in scope under several of these statutes.
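The audit record described above can be checked mechanically. The following is an added example, not Magist's code: it flags records where consent does not precede enrollment, or where destruction misses the one-year outer bound the description attributes to Texas CUBI. The record schema, field names, finding labels, and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

@dataclass
class BiometricRecord:
    # Hypothetical audit-record schema; every field name is an assumption.
    subject_id: str
    consent_at: Optional[datetime]      # when consent was recorded (None = never)
    enrolled_at: datetime               # when the identifier was captured
    purpose_expired_on: Optional[date]  # when the collection purpose lapsed
    destroyed_on: Optional[date]        # when the identifier was destroyed

def first_anniversary(d: date) -> date:
    """Same month/day one year later; Feb 29 maps to Feb 28 (the earlier, safer date)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)

def audit(rec: BiometricRecord, today: date) -> List[str]:
    findings = []
    if rec.consent_at is None:
        findings.append("no-consent-record")
    elif rec.consent_at >= rec.enrolled_at:
        findings.append("consent-after-enrollment")
    # Checks only the outer bound (first anniversary of purpose expiry);
    # a stricter internal schedule would use an earlier deadline.
    if rec.purpose_expired_on is not None:
        deadline = first_anniversary(rec.purpose_expired_on)
        if rec.destroyed_on is None:
            if today > deadline:
                findings.append("retention-overdue")
        elif rec.destroyed_on > deadline:
            findings.append("destroyed-late")
    return findings

# Constructed sample records (not real data).
TODAY = date(2025, 3, 1)
SAMPLE = [
    BiometricRecord("u1", datetime(2023, 1, 1, 10, 0), datetime(2023, 1, 1, 10, 5), date(2023, 6, 1), date(2023, 7, 1)),
    BiometricRecord("u2", None, datetime(2023, 2, 1, 9, 0), None, None),
    BiometricRecord("u3", datetime(2023, 3, 2, 9, 0), datetime(2023, 3, 1, 9, 0), date(2024, 2, 29), None),
    BiometricRecord("u4", datetime(2022, 5, 1, 9, 0), datetime(2022, 5, 1, 9, 1), date(2023, 1, 15), date(2024, 1, 16)),
]

def run_sample() -> dict:
    return {r.subject_id: audit(r, TODAY) for r in SAMPLE}
```

Records with no purpose-expiry date produce no retention finding, so an open-ended purpose needs a separate review trigger.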

Required by (3 regulations)

  • Texas CUBI

    Requires notice and consent before capturing a biometric identifier for a commercial purpose, a no-sale default, reasonable-care storage, and destruction within a reasonable time but not later than the first anniversary of the date the collection purpose expires.

    Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001; effective 2009-09-01


  • Washington Biometric Privacy

    Prohibits enrolling a biometric identifier in a database for a commercial purpose without first giving notice, obtaining consent, or providing a mechanism to prevent subsequent commercial use; imposes use-limitation and reasonable-care storage duties.

    Washington Biometric Identifiers Act, Chapter 19.375 RCW (HB 1493, 2017); effective 2017-07-23


  • BIPA

    Requires a written, publicly available retention-and-destruction schedule and informed written consent before collecting biometric identifiers or biometric information; carries a private right of action with per-violation statutory damages.

    Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/15

Evidence formats

  • written biometric data policy covering notice, consent, retention, and destruction
  • consent capture records timestamped ahead of biometric enrollment
  • retention-and-destruction schedule with purpose-expiry triggers
  • data-flow map identifying every biometric capture surface in the product

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.