Golden Gate Legal Review Independent Commentary on Law & Policy
November 23, 2021 · Privacy & the Fourth Amendment

Biometric Data Collection: Market Necessity or Unconstitutional Overkill

How state biometric statutes and the Fourth Amendment split the question of who may scan a fingerprint or face, and on what terms.

Few categories of personal information sit closer to the body than biometrics. A fingerprint, a voiceprint, or the geometry of a face cannot be reissued the way a compromised password or credit card can. That permanence is exactly what makes biometric identifiers commercially valuable and legally fraught. Employers use fingerprint scanners to clock workers in; retailers and venues use facial recognition to spot shoplifters and speed entry; phone makers unlock devices with a glance. The recurring question is whether this collection is an ordinary market efficiency that the law should accommodate, or an intrusion serious enough that the Constitution and a handful of state statutes ought to constrain it. The honest answer in 2021 is that the question is being settled in two separate forums at once, with very different rules.

Two legal regimes, not one

It helps to separate the constitutional question from the statutory one, because they protect against different actors. The Fourth Amendment restrains the government; it says nothing directly about a private gym scanning a member’s hand. So the “unconstitutional overkill” framing applies most cleanly when the state collects or buys biometric data. Private collection, by contrast, is largely a creature of statute. The result is a patchwork: a single act of facial scanning might be perfectly lawful in one state, expose a company to thousands of dollars in liquidated damages in another, and raise no constitutional issue at all unless a government actor is in the loop.

Illinois sits at the strict end of the statutory spectrum. Its Biometric Information Privacy Act, enacted in 2008, requires a private entity to give written notice, state the purpose and retention period, and obtain a written release before collecting a fingerprint, faceprint, or similar identifier. Crucially, it carries a private right of action with liquidated damages. Texas and Washington enacted their own biometric statutes but reserved enforcement to the state attorney general, which has made their practical bite far lighter.

What “aggrieved” means: the standing fight

The early defense to BIPA suits was that a plaintiff who suffered no data breach, identity theft, or tangible loss had not really been harmed and so could not sue. The Illinois Supreme Court rejected that reading in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, holding that a person need not allege injury beyond the violation of the statute’s own requirements to qualify as “aggrieved.” The court reasoned that when an entity ignores the notice-and-consent procedure, the individual’s control over their biometric identity is itself the injury. That holding turned BIPA from a sleepy compliance statute into one of the most litigated privacy laws in the country.

The federal courts reached a parallel conclusion on Article III standing. In Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), the Ninth Circuit held that Facebook’s “Tag Suggestions” feature, which scanned uploaded photos to build face templates, inflicted a concrete injury because the statute protected a substantive privacy interest, not a merely procedural one. The Supreme Court declined review, and the litigation later resolved through a large class settlement. Together, Rosenbach and Patel answered the threshold objection that biometric plaintiffs have nothing to complain about.

The Fourth Amendment side: Carpenter and its reach

When the collector is the government, the analysis shifts to the reasonable-expectation-of-privacy framework that traces to Katz v. United States, 389 U.S. 347 (1967). The older third-party doctrine suggested that information voluntarily exposed to others, or visible in public, enjoyed little protection, and a face is exposed every time a person steps outside. That logic would seem to leave public facial recognition unregulated.

Carpenter v. United States, 585 U.S. 296 (2018), complicated the picture. The Court held that acquiring historical cell-site location records was a Fourth Amendment search, stressing that the older doctrine does not fit technologies capable of cataloging a person’s movements continuously and retrospectively. Lower courts and commentators have since debated whether a dense network of cameras running facial recognition is the same kind of pervasive surveillance the Carpenter majority worried about. A one-off identification at a checkpoint looks unlike Carpenter; a city-wide system that logs where everyone goes looks a great deal like it. The line remains unsettled, and the Court has not squarely decided it.

Market necessity or overkill?

Industry frames biometric collection as efficiency: faster building access, fraud reduction, frictionless payments, and timekeeping that defeats “buddy punching.” Those benefits are real, and BIPA does not forbid them; it conditions them on disclosure and consent. The friction the statute imposes is procedural, which is why the strongest defense of laws like BIPA is that they ask for the same informed-consent baseline the law already demands before other irreversible decisions about a person’s body or data.

The asymmetry that drives the doctrine

Courts keep returning to one feature of biometrics: a leaked faceprint or fingerprint cannot be changed. A breached password is an inconvenience; a breached biometric template is permanent. That irreversibility is why violations are treated as real harm even without a downstream theft, and why “we only collected it, nothing bad happened” has fared poorly as a defense.

The “overkill” critique has its own force. BIPA’s per-violation damages can aggregate into figures wildly disproportionate to any demonstrable loss, and the statute can sweep in routine, low-risk uses alongside genuinely invasive ones. Subsequent developments have pushed on exactly this pressure point, as courts wrestled with whether each separate scan counts as its own violation and as the legislature revisited the damages structure. Readers tracking those moves should treat the damages calculus as a moving target rather than a fixed rule, because it has shifted since these doctrines first took shape.

Where the doctrine is heading

The trajectory points toward consent-and-notice as the dominant private-sector model and toward a slow, case-by-case extension of Carpenter to government facial recognition. What is missing is a comprehensive federal statute; until one exists, a company’s exposure depends largely on which state’s residents it scans, and a citizen’s constitutional protection depends on whether a government actor is involved and how pervasive the surveillance is. Litigation over scraped face databases, employer timeclocks, and law-enforcement matching will keep refining the contours. For now, biometric collection is neither plainly lawful nor plainly forbidden; it is permitted on terms, and the terms are still being written. Related questions about location surveillance are taken up in this publication’s analysis of geofence warrants and the Fourth Amendment, and the workplace dimension surfaces in its discussion of employee privacy rights. Further commentary appears in the commentary archive.

Questions readers ask

What counts as biometric data under laws like BIPA?

Typically identifiers drawn from a person’s biology or behavior used to identify them, such as fingerprints, voiceprints, retina or iris scans, and faceprints. Illinois law also covers “biometric information” derived from those identifiers, while excluding things like photographs standing alone or physical descriptions.

Does the Fourth Amendment protect my face from a private company’s camera?

No. The Fourth Amendment restrains government action. A private retailer or employer scanning faces is governed by state biometric statutes and general privacy law, not the Constitution, unless the data is shared with or collected on behalf of the government.

Why is Illinois’s BIPA considered the strongest biometric law?

Because it gives individuals a private right of action with liquidated damages, rather than leaving enforcement only to a state attorney general. That feature, paired with the consent requirement, is what generated large-scale class litigation.

What did Rosenbach v. Six Flags decide?

That a person need not prove a separate, concrete injury beyond the statutory violation itself to be “aggrieved” and sue under BIPA. The loss of control over one’s biometric identity counts as the harm.

What did Patel v. Facebook add?

The Ninth Circuit held that a BIPA violation can satisfy federal Article III standing because the statute protects a substantive privacy interest, not a merely procedural one. The case later settled for a substantial sum.

How does Carpenter v. United States relate to facial recognition?

Carpenter held that obtaining historical cell-site location data is a Fourth Amendment search and signaled that pervasive, technology-enabled tracking may not fit older doctrine. Courts are still debating how far that reasoning extends to government facial-recognition networks.

Is collecting a fingerprint for a timeclock illegal?

Not inherently. In Illinois it is lawful if the employer first provides written notice of the purpose and retention period and obtains written consent. Skipping those steps, not the scanning itself, is what generates liability.

Can biometric data be “reset” if it is breached?

No, and that is central to the legal concern. Unlike a password, a fingerprint or faceprint is permanent, so a breach creates a lasting risk that courts treat as genuine harm.

Do Texas and Washington offer the same protection as Illinois?

They have biometric statutes, but enforcement is reserved to state officials rather than private plaintiffs, which has made them far less active in practice than BIPA.

Is there a federal biometric privacy law?

There is no comprehensive federal statute. Protection currently depends on the patchwork of state laws and, where the government is the actor, on evolving Fourth Amendment doctrine.

This publication offers commentary and analysis on developments in the law and does not provide legal advice.

Diane M. Calloway

Diane M. Calloway

Contributing Editor ยท Constitutional Law

Diane M. Calloway writes on the Fourth Amendment, digital privacy, and appellate procedure. A former appellate clerk, she follows how courts apply older search-and-seizure doctrine to new surveillance technology.