Lead Analysis | Regulation

Biometric Data in the Age of AI: The Next Regulatory Minefield Executives Cannot Ignore

The Illinois Biometric Information Privacy Act (BIPA) has generated over $2.5 billion in settlements since 2008 and continues to produce record litigation. In 2025, Texas and Washington expanded similar legislation. In Europe, the AI Act classifies remote biometric identification systems as high risk. The proliferation of facial recognition cameras and voice authentication in the corporate environment exposes companies to increasing legal risk.

Facial recognition at turnstiles, voice authentication in call centres, expression analysis in candidates' video interviews: biometric technologies are entering the corporate environment faster than regulatory frameworks and internal governance policies can keep up. The result is growing legal exposure that has already cost billions of dollars in settlements and is expected to intensify in 2026.


The American Precedent: BIPA as a Model


The Illinois Biometric Information Privacy Act, in effect since 2008, is the most litigated biometric privacy law in the United States. It requires informed consent before biometric data collection, prohibits the sale or transfer of data without consent, and imposes a minimum data retention period, with mandatory destruction once the original purpose has been fulfilled.


The financial consequence is significant. BIPA has generated over $2.5 billion in class action settlements since its enactment, including $650 million paid by Facebook in 2021 for using facial recognition for photo tagging without consent, and $228 million paid by BNSF Railway for biometric readings of truck drivers without the necessary authorisations.


In 2025, Texas and Washington approved expansions of their biometric privacy legislation, broadening the scope of obligations for companies of all sizes that collect these data from residents in those states.


The European Framework


The EU AI Act classifies remote biometric identification systems in public spaces as "high risk" and prohibits, with narrow exceptions, the use of real-time biometric identification systems by law enforcement agencies. For corporate use, any system that employs biometrics for decision-making affecting individuals, such as candidate selection or performance monitoring, is subject to the AI Act's high-risk obligations.


The GDPR already prohibits the processing of biometric data without a specific legal basis. The intersection with the AI Act creates a dual layer of compliance that directly affects corporate authentication systems, physical access control, and human resources tools that incorporate biometric analysis.


The Specific Risk of HR and Recruitment


One particularly underestimated category of risk is the use of AI in candidate selection and assessment processes. Various jurisdictions, including Maryland (USA) and the EU under the AI Act, require candidates to be informed when AI is used in interviews and to be able to request human review of the decision. The use of micro-expression analysis or voice tone as selection criteria without the necessary disclosures and legal bases has already generated litigation on both sides of the Atlantic.


For the CHRO and the General Counsel together, the 2026 agenda includes auditing all biometric data collection points within the organisation, reviewing contracts with HR tech providers that incorporate behaviour or expression analysis, and developing auditable policies for the retention and destruction of biometric data.
