The Case for the National Biometric Information Privacy Act

by Brenda Alvez

            In the summer of 2020, Senators Merkley and Sanders introduced the National Biometric Information Privacy Act (“NBIP”).[1] The NBIP was intended to regulate the collection, retention, disclosure, and destruction of biometric information.[2] Biometric information is any information, regardless of how it is captured, based on an individual’s biometric identifier used to identify an individual.[3] Biometric identifiers can be retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry.[4] Ultimately, the NBIP never made it past being introduced. As of 2022, only three states have enacted biometric laws one being Illinois which allows for a private right of action.[5] With biometrics being used in American’s daily lives, how this data is used and who is using it becomes concerning. Using biometrics can be incredibly efficient and convenient, like when running late to catch a flight and wanting to breeze through security.[6] Currently, over 75% of Americans claim to have used biometrics technology from fingerprinting to hand geometry.[7] But the question becomes, do biometrics impede on our right to privacy?

            The NBIP limited the ability of private entities to collect, capture, purchase, receive through trade, or otherwise obtain a person’s biometric data from those persons without first informing those persons of such.[8] Additionally, private entities were limited in only collecting the data if they provide a service to the person or pursuant to a valid business reason that is established in that entities policy.[9]  Without some kind of regulation, private entities have free biometric range. Take the case of 14-year-old Alexander Rosenbach who went on a class trip to Six Flags in 2014.[10] His mother, Stacy Rosenbach, had purchased a season pass for Alexander to use on his trip.[11] When Alexander got to the park, Six Flags used his thumbprint for him to gain access as a season pass holder.[12] Neither Alexander nor Stacy was informed by Six Flags of the collection of Alexander’s thumbprint.[13] Stacy Rosenbach filed suit under the Illinois Biometric Information Privacy Act,[14] which limits biometric data use for private entities much like the NBIP intended to. Without Illinois’s biometric law, Stacy, and others similarly situated would not have a right to action.

            Private entities are keeping the most unique information about us to sell to advertisers, or in some cases, be used by law enforcement.[15] Although the technology behind biometric data collection is fascinating and exciting, it must be regulated for the protection individual privacy and this protection must come from the federal level.

[1] S. 4400, 116th Cong. (2020).

[2] Id.

[3] Id. at § 2.

[4] Id.

[5] Molly S. DiRago et al., A Fresh “Face” of Privacy: 2022 Biometric Laws, Troutman Pepper (Apr. 5, 2022),

[6] Clear, (last visited Sept. 2, 2022).

[7] Biometric Trends and Statistics to Keep an Eye on in 2022, Imageware, (last visited Sept. 16, 2022).

[8] S. 4400, § 3.

[9] Id.  

[10] Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019).

[11] Id. at 1200.

[12] Id.

[13] Id. at 1200-01.

[14] S. 2400, 95th Gen. Assemb., Reg. Sess. (Ill. 2007).

[15] Ryan Mac et al., Your Local Police Department Might Have Used This Facial Recognition Tool to Surveil You. Find Out Here, BuzzFeed News (Apr. 9, 2021, 8:09 PM),