Solution · Identity
Facial recognition: where it's legal, where it isn't.
Facial recognition is legal for private security in most states with proper notice and consent, but tightly regulated. Tec-Tel runs the state-by-state legal-fit assessment before any deployment, and tells you when not to buy.
- NDAA-compliant
- Platform-agnostic
- 1,000+ deployments over 15 years
Facial recognition is legal for private security in most US states with proper notice and access control, but tightly regulated. Illinois BIPA requires written informed consent and bans selling biometric data. Texas CUBI requires consent and limits retention. Washington, Maryland, New York, and the CCPA add overlay rules. San Francisco, Boston, and Portland have banned government use. Tec-Tel runs the legal-fit assessment before any deployment.
§01 Where it works clearly
Where facial recognition is defensible.
Three deployment shapes are reasonably defensible in most US states with the right consent and disclosure. Tec-Tel runs a legal-fit assessment before recommending any of them.
§02 The legal landscape
No federal law. Five regimes that decide the deployment.
The United States has no single federal biometric privacy law. The rules are state-by-state and city-by-city, and they decide whether a deployment is viable before any camera goes up. This is a buyer's starting point, not legal advice; confirm with counsel first.
- Illinois BIPA: the strictest US biometric law. Written informed consent before capture, no sale of biometric data, statutory damages of $1,000 to $5,000 per violation plus attorney fees. Facebook settled one BIPA class action for $650 million (2020).
- Texas CUBI: informed consent before capture, no sale, retention capped at one year past the purpose. Attorney-General enforced; Meta settled for $1.4 billion (Texas AG, 2024).
- Washington, Maryland, New York: notice-and-consent regimes with different mechanics. Maryland treats face geometry as protected health-related data; New York City requires posted disclosure for any commercial use.
- California CCPA/CPRA: biometric data is "sensitive personal information" - a notice, opt-out, and use-restriction overlay on any California deployment.
- GDPR: for any site touching EU residents, facial geometry is Article 9 "special category" data and almost always requires explicit consent or a narrow lawful basis.
§03 Where it does not work
The deployments that draw lawsuits and bans.
Some shapes are legally risky enough that Tec-Tel recommends against them outright. Knowing the no-go list up front saves a customer from BIPA litigation a year after install.
- Retail customer tracking in Illinois: walking customers through a store and matching them to a watchlist without written consent is the textbook BIPA violation. Multiple retailers have settled class actions on exactly this fact pattern.
- Public surveillance in cities that ban government use: San Francisco, Oakland, Berkeley, Boston, Portland, and others. Private deployments that integrate with city law enforcement hit the same constraint.
- Public-school student matching in restricted states: New York, Colorado, and Massachusetts restrict student-facing facial recognition. Front-office visitor management is a different posture.
- Open watchlist scanning of crowds without notice: even where technically legal, the reputational risk and consent gap usually outweigh the security benefit. Event-day staffing, bag check, and weapons detection get the same outcome.
§04 Two different products
ID verification is not open facial recognition.
ID verification is a one-to-one match. The person enrolls themselves (badge photo, license scan, kiosk capture) and the system later compares one face to that one stored template at a chokepoint. The person controls enrollment, knows the purpose, and consents in the same moment as the capture.
Open facial recognition is a one-to-many match: the system scans an arbitrary face against a watchlist or customer database. The matched person didn't enroll, probably didn't consent, and may not know the camera is there. That is the shape that draws BIPA suits and city ordinance bans. Buyers asking for facial recognition often want ID verification, and the recommendation is to scope down before signing.
§05 The Tec-Tel position
Don't sell what you can't legally deploy.
A lot of vendors will sell facial recognition without asking which state your sites are in. That is how customers end up in BIPA litigation. Tec-Tel runs a legal-fit assessment first: where are the cameras, who do they capture, what is the lawful basis, what is the consent flow. If the deployment does not survive a BIPA audit, we say so and recommend the alternative, usually badge-and-PIN access control plus selective ID verification at consented chokepoints.
Most major VMS platforms ship a facial-recognition module that is off by default and enabled only per camera, per zone, per shift. On cost: per-camera licensing and per-identity-template licensing both exist, plus hybrid pricing that surprises buyers at the 12-month mark. The bigger hidden cost is the consent and audit overhead. Tec-Tel itemizes both the license and the compliance lines on every proposal.
Questions buyers ask us
FAQ
- What does BIPA actually cost a business that gets it wrong?
- Illinois BIPA (740 ILCS 14) authorizes statutory damages of $1,000 per negligent violation and $5,000 per intentional violation, plus attorney fees. Facebook settled a BIPA class action for $650 million, and the first BIPA jury trial returned a $228 million verdict. Each scan of an unenrolled person can be a separate violation. The risk concentration is so high that most carriers exclude BIPA defense from standard cyber-liability policies.
- What does an employee opt-in for biometric access actually look like?
- A BIPA-compliant program needs a written policy disclosed to employees, written informed consent signed before enrollment, a documented retention schedule (BIPA caps it at 3 years or end of purpose, whichever is sooner), and a destruction procedure. The consent has to specify what is collected, why, how long it is kept, and who it can be disclosed to. Keep signed consent on file per employee and audit annually.
- When is ID verification the right answer instead of open facial recognition?
- When you need to confirm a known person at a chokepoint, not scan a crowd. ID verification compares one face to one stored template the person enrolled themselves. It maps cleanly to consented enrollment and most state biometric privacy laws. Open recognition (scanning an arbitrary crowd against a watchlist) is the legally riskier shape and the one that's banned for government use in San Francisco, Boston, Portland, and others.
- How accurate is facial recognition across demographics?
- Mixed, and the buyer should ask hard questions before signing. NIST's Face Recognition Vendor Test publishes per-vendor demographic differentials. The 2019 NIST report found higher false-match rates for Asian and African American faces on some algorithms, with the gap closing in newer evaluations. Bias has not disappeared. Tec-Tel asks the vendor for current FRVT scores per demographic before recommending a model.
- What's the right retention policy for facial templates?
- BIPA caps Illinois retention at 3 years from last interaction or end of the original purpose, whichever is shorter. GDPR requires retention proportional to the lawful basis. Texas CUBI mandates destruction inside one year of the purpose ending. Most vendors default to indefinite retention; that default will get you sued. Set the retention window at deployment, document the purpose, and run a quarterly audit on enrolled templates.
- Where is facial recognition straightforwardly banned?
- For government use, San Francisco, Oakland, Berkeley, Boston, Cambridge, Somerville, Portland (Maine and Oregon), Minneapolis, New Orleans, and Pittsburgh have passed bans or moratoriums. For private use, several states require explicit consent (BIPA, CUBI, Washington, Maryland). Public-school facial recognition is restricted in New York, Colorado, and Massachusetts. None of these bans cover private access control with consented enrollment.
- Does Tec-Tel sell or store the biometric data?
- No. Tec-Tel deploys the platform; the customer is the controller of the data. We configure retention, consent flows, and access controls inside the customer's tenant. Storage stays with the customer or the customer's chosen cloud vendor. We sign the customer's data processing agreement on projects that touch biometric data. We do not operate a biometric data product of our own.
- Can we deploy facial recognition only at the perimeter and turn it off elsewhere?
- Yes, and it's often the right call. Most modern VMS platforms let facial-recognition modules be enabled per camera, per zone, per shift. A common deployment: enable at staff-only entries with consented enrollment, disable on customer-facing cameras, and disable entirely on cameras that capture public sidewalks. Document the per-camera state in the system configuration so an audit can verify what is on and off.
Book a walkthrough
Want a legal-fit assessment for your sites?
The free consultation walks through which states your cameras cover, what biometric privacy laws apply, where the deployment survives an audit, and whether ID verification is the better fit. We'll tell you when not to buy.
- Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.
- Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.
Since 2010 · 1,000+ deployments nationwide · ISN-accredited