States are increasingly clamping down on how tech companies digitally scan and analyze our most sensitive and potentially lucrative commodity: the faces, eyeballs and other "biometric" data of millions of people.
While facial recognition technology is unregulated at the federal level, 23 states have now passed or expanded laws to restrict the mass scraping of biometric data, according to the National Conference of State Legislatures.
Last month, Colorado enacted new biometric privacy rules, requiring consent before facial or voice recognition technology is used, while also banning the sale of the data. Texas passed an artificial intelligence law in June that similarly outlaws the collection of biometric data without permission. Last year, Oregon approved data privacy rules requiring consumer opt-in before companies hoover up face, eye and voice data.
"What we need are laws that change the behavior of technology companies," Adam Schwartz, the privacy litigation director at the Electronic Frontier Foundation. "Otherwise these companies will continue to profit on what should be our private information."
Tech companies have long been deploying facial recognition technology. At times, the industry has pulled back from it, like in 2021 when Facebook shut down its face-recognition system following a biometric privacy lawsuit.
But since cutting-edge AI systems have been incorporated in nearly every facet of modern life, the presence of some form of facial recognition technology in many apps and phones has become newly ubiquitous, said University of Essex professor Pete Fussey, who recently published a book on facial recognition in the AI era.
"Facial recognition is everywhere. And partially, we're complicit in that. We get a convenience dividend by being able to open our phones easily, or get through airports faster, or access our finances," Fussey said. "But there's no downstream control over how our biometric data is used."
Not all state laws give people right to sue tech companies
The states that have passed the safeguards view them as a defense against the prevalence of digital tracking in everyday lives, and in a number of cases, the laws have been used to extract large payouts from tech companies.
Google and Meta have each paid Texas $1.4 billion over allegations that the companies datamine users' facial recognition data without permission; Clearview AI, a facial recognition company popular with law enforcement, ponied up $51 million to settle a case approved in March over the firm scraping billions of facial images online without consent; And in July, Google resolved a smaller case for $9 million in Illinois after a lawsuit alleged the company did not obtain written consent from students who used a Google educational tool that collected their voice and facial data.
Illinois's requirement that companies receive written permission before gathering biometric data goes farther than most states, which require digital consent — or checking a box for a company's terms and conditions policy, something experts say is a largely symbolic gesture in practice.
"I'm not saying it's better than nothing, but if you're hanging these legal frameworks on a model of informed consent, it's clearly ineffective," said Michael Karanicolas, a legal scholar at Dalhousie University in Canada who studies digital privacy. "Nobody is reading these terms of service. Absolutely nobody can effectively engage with the permission we're giving these companies in our surveillance economy."
Karanicolas said Illinois' biometric privacy law, which was passed in 2008, has real teeth because it allows individuals to sue companies, which privacy advocates say the tech industry has lobbied hard against. California and Washington state allow residents to sue in some types of cases.
But most of the laws, like in Texas, Oregon, Virginia and Connecticut and elsewhere, rely on state attorneys general to enforce them. Advocates say allowing citizens to sue, what's known as "a private right of action," helps people fight back against data-guzzling companies.
"And that can lead to these big class-action settlements, and there are legitimate critiques of them, with class members often getting very little money, and lawyers getting rich, but they can be genuinely effective at shaping companies' attitudes about personal information and generate corporate change," Karanicolas said.
Suing PimEyes? Good luck finding them
In some instances, however, even the toughest digital privacy law cannot compete with evasive facial recognition companies operating overseas.
PimEyes is a popular "face search engine" that finds matches across the web based on the distinctive features of someone's face without the safeguards that Google, Meta and other large tech companies employ.
Critics of PimEyes have said the service can enable stalkers, identify porn performers and unearth photos of children.
But the company often promotes its service as a way to combat identity theft, deepfake porn, copyright infringement and a way to catch a dating app "catfisher," or a person posing on a profile as another person.
Because of Illinois' strict privacy law, PimEyes has pulled out of the state and the site is not easily accessible there.
Still, lawyer Brandon Wise found that the images of Illinois residents were still in the company's database among nearly 3 billion other searchable images, which he said is a violation of state law, since PimEyes got the images without consent. So, Wise filed a lawsuit representing five Illinois residents seeking class action status.
But the case never had its day in court. That's because PimEyes could not be found.
Wise's law firm attempted to serve PimEyes CEO Giorgi Gobronidze, who is based in the Georgian capital of Tbilisi to no avail. Wise found an address connected to him in Dubai, where he also could not be located.
PimEyes appears to have a corporate headquarters in Belize, where Wise sent a process server, who could not find any official connected to the company.
After the case was pending for nearly two years, it was finally dropped.
"It was incredibly frustrating," Wise said. "But it felt like we were suing a ghost."
PimEyes did not return a request for comment.
It's a lesson, Wise said, in the limitations of state privacy laws when attempting to go after digital surveillance companies that operate elusive overseas operations.
"We learned it's not that easy sometimes," he said.
'People are getting fed up' with facial recognition
In Congress, various facial recognition bills have been introduced, including a recent proposal requiring the Transportation Security Administration to inform passengers of their right to opt out of face screenings, but it, like many before it, has stalled.
Schwartz with the Electronic Frontier Foundation has lobbied Washington to pass a national biometric privacy law that mirrors Illinois' protections with no luck.
"And the singular reason is that tech companies show up and say, 'these laws would intrude on our profits,' and they hire lobbyists to influence the process," Schwartz said. "But I think people are getting more and more fed up with tech companies ignoring their privacy."
Copyright 2025 NPR
