Biometric Data in Insurance: Privacy, Consent, and Compliance Guide
How biometric privacy compliance works for insurers across BIPA, GDPR, and state laws: what carriers and insurtechs need to know about consent, storage, and liability.

The insurance industry is collecting more biometric data than ever before: fingerprints for agent authentication, facial recognition for fraud detection, voice prints for call center verification, and now camera-based vital signs for underwriting. Each of these data types triggers a different set of legal obligations depending on where the policyholder lives, how the data is stored, and who else touches it along the way. Getting this wrong isn't an abstract risk. In 2025, a federal court approved a $10.85 million class action settlement against Biometric Impressions for collecting biometric data without proper consent under Illinois' BIPA statute, according to reporting by Top Class Actions. That's one company, under one state law.
"All three digital underwriting evidence sources demonstrated significant value, both individually and in combination." — RGA, "Assessing Mortality Impact of Digital Underwriting Evidence" (2025)
What counts as biometric data under current law
The definition of biometric data varies more than most insurance compliance teams realize. Illinois' Biometric Information Privacy Act defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. It explicitly excludes writing samples, photographs (when not used for facial geometry), demographic data, and physical descriptions. Texas' Capture or Use of Biometric Identifier Act covers retina or iris scans, fingerprints, voiceprints, and hand or face geometry records, but uses different consent and enforcement mechanisms.
The complication for insurance is that newer data types don't fit neatly into these definitions. Remote photoplethysmography — where a smartphone camera reads heart rate and blood pressure indicators from facial skin — captures video of a person's face. Whether that constitutes a "scan of face geometry" depends on the jurisdiction and how the data gets processed. Some state laws have started addressing this ambiguity. According to the Husch Blackwell 2025 State Biometric Privacy Law Tracker, at least 15 states now have biometric privacy provisions on the books or in active legislation, up from three (Illinois, Texas, Washington) just a few years ago.
For underwriting teams, the practical question isn't philosophical. It's operational: does the data you're collecting trigger consent requirements, and if so, which ones?
| Data type | BIPA (Illinois) | CUBI (Texas) | WA H.B. 1493 | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|---|---|---|
| Fingerprint scan | Covered — written consent required | Covered — consent required | Covered — consent required | Special category — explicit consent | Covered as biometric information |
| Facial geometry scan | Covered — written consent required | Covered — consent required | Covered — consent required | Special category — explicit consent | Covered as biometric information |
| Voiceprint | Covered — written consent required | Covered — consent required | Covered — consent required | Special category — explicit consent | Covered as biometric information |
| rPPG vital signs from camera | Unclear — depends on facial data retention | Likely covered if face geometry stored | Likely covered | Special category if health data derived | Covered if biometric identifier generated |
| Heart rate / HRV data only | Not covered (physiological data, not identifier) | Not covered | Not covered | Special category — health data | Personal information; sensitive if it concerns health; biometric only when used to establish identity |
| Photograph (standard) | Explicitly excluded | Not covered | Not covered | Not special category alone | Not covered alone |
The gray areas in that table are where most of the current legal risk sits.
BIPA: the law driving the biggest insurance losses
Illinois' BIPA remains the most consequential biometric privacy statute for insurers, both as a compliance obligation and as a source of insurance claims. The law was enacted in 2008, but litigation didn't really accelerate until the Illinois Supreme Court's 2019 decision in Rosenbach v. Six Flags, which held that a plaintiff doesn't need to show actual harm to bring a BIPA claim — a mere technical violation is enough.
The statutory damages are what make BIPA so expensive. The law allows $1,000 per negligent violation and $5,000 per intentional or reckless violation. When you multiply those numbers across a class of employees or customers whose biometric data was collected without proper consent, the math gets alarming fast.
The 2024 BIPA amendment (SB 2979) brought some relief by providing that collecting the same biometric identifier from the same person by the same method more than once constitutes a single violation rather than a separate violation per scan. Before that amendment, the Illinois Supreme Court's 2023 ruling in Cothron v. White Castle had held that a claim accrues with each scan, which would have been financially catastrophic for companies processing biometric data at scale. The same amendment also confirmed that the "written release" BIPA requires can be signed electronically, which matters for digital application workflows.
For insurance carriers specifically, BIPA creates liability on two fronts. First, carriers that collect biometric data from applicants or policyholders for underwriting, fraud detection, or authentication must comply with BIPA's notice and consent requirements for Illinois residents. Second, carriers writing cyber, E&O, or general liability policies need to understand BIPA exposure when underwriting other companies. According to AXA XL, BIPA claims have already led to tightening of coverage terms for companies with biometric exposure in the U.S. market.
Reed Smith attorneys noted in a 2025 analysis that as costs of biometric privacy liability continue rising, insurance coverage disputes are increasing. The question of whether a general liability policy's "personal and advertising injury" coverage extends to BIPA claims has been litigated repeatedly, with inconsistent results across jurisdictions.
State-by-state patchwork and what it means for national carriers
A carrier writing policies in all 50 states — or collecting applicant data from all 50 states — faces a compliance patchwork that's getting more complex every year. The three original biometric privacy states (Illinois, Texas, Washington) have been joined by a wave of comprehensive privacy laws that include biometric data provisions.
According to JD Supra's U.S. Biometric Laws and Pending Legislation Tracker from January 2026, the landscape now includes:
- Illinois BIPA: private right of action, $1,000–$5,000 per violation
- Texas CUBI: enforced by the state attorney general, up to $25,000 per violation
- Washington H.B. 1493: no private right of action, enforced under Consumer Protection Act
- Comprehensive state privacy laws (Colorado, Connecticut, Virginia, Oregon, Delaware, and others) that classify biometric data as "sensitive data" requiring opt-in consent
- California's CCPA/CPRA: biometric information included in the definition of personal information, with private right of action for data breaches
The enforcement mechanisms matter as much as the definitions. BIPA's private right of action is what made it the litigation magnet it's become. Texas, despite having a biometric law since 2009, saw relatively little enforcement until the attorney general's office started pursuing cases more aggressively in recent years. Washington's law, which lacks a private right of action entirely, has generated almost no litigation.
For national insurance carriers, this means compliance can't be one-size-fits-all. A consent workflow that satisfies Texas requirements might not meet Illinois' written consent standard. Data retention and destruction policies need to account for varying timelines and triggers across states.
Insurance-specific consent workflows
The consent challenge is particularly acute in insurance because data flows through multiple parties. A life insurance application might involve the applicant, an agent or broker, an MGA, the carrier, a reinsurer, and various third-party data vendors. If biometric data gets collected at any point in that chain, every entity that touches it may have independent consent and handling obligations.
A practical consent framework for biometric data in insurance should address:
- Separate, specific notice that biometric data will be collected (not buried in general terms and conditions)
- Written consent from the applicant before any biometric data capture begins
- Clear disclosure of what the biometric data will be used for
- Identification of every entity that will receive, store, or process the biometric data
- A published retention schedule and destruction policy
- A mechanism for the applicant to withdraw consent
That list sounds like basic privacy hygiene, and it is. The problem is that most insurance application workflows were designed before biometric data collection existed, and retrofitting consent mechanisms into those workflows isn't trivial.
GDPR and international considerations
Carriers or insurtechs operating in European markets face an additional layer under GDPR, which classifies biometric data as a "special category" of personal data under Article 9 when it is processed for the purpose of uniquely identifying a person. Processing special category data is prohibited by default, subject to a closed list of exceptions. The most relevant exception for insurance is explicit consent, but GDPR's standard for explicit consent is higher than that of most U.S. state laws.
Under GDPR, consent must be freely given, specific, informed, and unambiguous. For biometric data, it must also be "explicit," which the European Data Protection Board has interpreted to mean an affirmative statement or clear action specifically directed at the processing of biometric data. Pre-checked boxes, bundled consent, or implied consent don't qualify.
There's also the question of whether biometric data collected for health assessment purposes gets dual-classified as both biometric data and health data under GDPR — both are special categories, but the legal bases and safeguards may differ depending on the primary purpose of processing.
Data storage, retention, and destruction obligations
Collecting biometric data with proper consent is only the first compliance hurdle. How that data gets stored, how long it's kept, and how it gets destroyed all carry separate legal requirements.
BIPA requires that private entities in possession of biometric data develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data. The destruction trigger is the earlier of: (a) when the initial purpose for collecting the data has been satisfied, or (b) within three years of the individual's last interaction with the entity.
For insurance underwriting, "when the initial purpose has been satisfied" is ambiguous. Is the purpose satisfied when the underwriting decision is made? When the policy is issued? When the policy terminates? If biometric data was used to detect fraud indicators, does the purpose extend through the contestability period?
| Compliance requirement | BIPA | Texas CUBI | GDPR | CCPA/CPRA |
|---|---|---|---|---|
| Written retention policy | Required — must be public | Not required by the statute | Required via records of processing | Required via privacy policy disclosure |
| Maximum retention period | 3 years after last interaction or purpose fulfilled | Reasonable time after the purpose expires, and no later than one year after that date | No fixed period — data minimization principle | No fixed period — purpose limitation applies |
| Destruction standard | Not specified | Not specified | Must ensure data cannot be reconstituted | Reasonable security measures |
| Breach notification | Not specifically addressed in BIPA | TX breach notification law applies | 72-hour notification to supervisory authority | Notification required — private right of action for breaches |
| Third-party sharing restrictions | Cannot sell, lease, trade, or profit from biometric data; disclosure otherwise requires consent or a statutory exception | Cannot sell, lease, or otherwise disclose except in narrow statutory cases (consent, completing a transaction the individual requested, or as required by law) | Requires data processing agreement and legal basis | Must disclose in privacy policy — consumers can opt out of sale |
The storage security question is where insurance and compliance intersect most directly. Biometric data can't be changed if it's compromised. You can issue a new credit card number, but you can't issue someone a new fingerprint. That permanence is why regulators treat biometric data differently from other personal data — and it's why cyber insurers are paying close attention to how their policyholders handle it.
What carriers should be doing now
The regulatory trend is clear: more states are passing biometric privacy laws, existing laws are being interpreted more broadly, and enforcement is accelerating. Carriers that collect biometric data for any purpose — underwriting, authentication, fraud detection — should be treating compliance as an operational priority rather than a legal afterthought.
A few concrete steps that carriers and insurtechs are already taking:
- Mapping every biometric data touchpoint in the insurance lifecycle, from application through claims
- Building jurisdiction-specific consent workflows rather than relying on a single national template
- Separating biometric data storage from other policyholder data, with independent access controls and audit trails
- Establishing retention schedules tied to specific business purposes, with automated destruction triggers
- Running vendor due diligence on every third party that processes biometric data, including data enrichment providers and reinsurers
- Adding biometric data handling to existing privacy impact assessments
The carriers getting this right tend to be the ones that brought privacy counsel into the product design process early, rather than asking legal to review the workflow after it was already built. That's harder when you're working with legacy underwriting systems, but the alternative — retrofitting compliance after a regulatory action or class action — is more expensive by orders of magnitude.
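As an added example (not code from this page or from any of the firms or products it cites), the following Go program shows one way to implement the storage and destruction items in the list above together with the BIPA retention trigger from the storage section: biometric templates encrypted at rest under a per-record key, held apart from policyholder PII; an audit trail on every access; the destruction date computed as the earlier of purpose satisfied or three years after last interaction; and a scheduled sweep that destroys records by deleting their keys. Everything in it is an assumption for illustration: the in-memory `keys` map stands in for a key management service with its own access control, the record IDs and dates are constructed, and the retention rule implemented is the BIPA one only; Texas and GDPR deadlines would need their own functions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// bipaDestroyBy applies the BIPA trigger quoted above: the earlier of the date
// the purpose was satisfied (nil while open) and three years after last contact.
func bipaDestroyBy(purposeSatisfied *time.Time, lastInteraction time.Time) time.Time {
	deadline := lastInteraction.AddDate(3, 0, 0)
	if purposeSatisfied != nil && purposeSatisfied.Before(deadline) {
		return *purposeSatisfied
	}
	return deadline
}

// TemplateVault keeps biometric templates as AES-256-GCM blobs (nonce || ciphertext),
// each under its own data encryption key (DEK), apart from policyholder PII. The
// keys map is a hypothetical stand-in for a KMS with separate access control;
// deleting a DEK is the destruction step (crypto-shredding).
type TemplateVault struct {
	blobs     map[string][]byte
	keys      map[string][]byte
	destroyBy map[string]time.Time
	Audit     []string // access trail, one line per event: "time actor action record"
}

func NewTemplateVault() *TemplateVault {
	return &TemplateVault{blobs: map[string][]byte{}, keys: map[string][]byte{}, destroyBy: map[string]time.Time{}}
}

func (v *TemplateVault) log(actor, action, id string) {
	v.Audit = append(v.Audit, fmt.Sprintf("%s %s %s %s", time.Now().UTC().Format(time.RFC3339), actor, action, id))
}

func aeadFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes, so this cannot fail
	gcm, _ := cipher.NewGCM(block) // nor can wrapping AES in standard GCM
	return gcm
}

// Store encrypts a template under a fresh DEK; the record ID goes in as
// additional authenticated data so a blob cannot be moved between records.
func (v *TemplateVault) Store(actor, id string, template []byte, destroyBy time.Time) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a failing CSPRNG is not a recoverable condition here
	}
	key, nonce := buf[:32], buf[32:]
	v.blobs[id] = aeadFor(key).Seal(nonce, nonce, template, []byte(id)) // nonce prefix + ciphertext
	v.keys[id] = key
	v.destroyBy[id] = destroyBy
	v.log(actor, "store", id)
}

// Read decrypts a template and fails closed once its DEK is gone.
func (v *TemplateVault) Read(actor, id string) ([]byte, error) {
	key, ok := v.keys[id]
	if !ok {
		v.log(actor, "read-denied", id)
		return nil, fmt.Errorf("record %s: no DEK (destroyed or unknown)", id)
	}
	gcm, blob := aeadFor(key), v.blobs[id]
	v.log(actor, "read", id)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(id))
}

// Destroy shreds the DEK (zero, then delete): the blob is then useless even if
// a copy survives in a backup. The blob and deadline entries are dropped too.
func (v *TemplateVault) Destroy(actor, id string) {
	if key, ok := v.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, id)
	}
	delete(v.blobs, id)
	delete(v.destroyBy, id)
	v.log(actor, "destroy", id)
}

// Sweep is the automated destruction trigger: a scheduled job calls it with the
// current time and every record past its retention deadline is shredded.
func (v *TemplateVault) Sweep(now time.Time) []string {
	var shredded []string
	for id, deadline := range v.destroyBy {
		if !now.Before(deadline) {
			v.Destroy("retention-job", id)
			shredded = append(shredded, id)
		}
	}
	return shredded
}
```

Deleting the key is what makes destruction verifiable: any ciphertext that survives in a backup or a replica is unrecoverable, which is the property the "cannot be reconstituted" row in the retention table asks for, and the retention job can meet the destruction obligation without locating every copy. Binding the record ID in as additional authenticated data means a blob belonging to one applicant cannot be decrypted under another applicant's record, even by a caller that holds both keys. A production version would write the audit trail to an append-only store and drive the sweep from a real scheduler; the `now` parameter exists so the schedule can be tested with constructed dates, which is also how the example would be exercised.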
Current research and evidence
The legal landscape around biometric data in insurance is being shaped by active litigation and regulatory action. The 2025 Year-in-Review from Privacy World documented continued class action and mass arbitration activity under BIPA, with settlements and verdicts reaching into the hundreds of millions of dollars collectively across the insurance and technology sectors.
Anderson Kill's analysis of insurance considerations for facial recognition technology noted that the patchwork of state and local laws has created significant liability uncertainty for businesses collecting biometric data, and that coverage disputes between policyholders and their insurers are becoming a distinct litigation category.
The Sidley Austin firm observed in late 2024 that even after the BIPA amendment capping certain damages, biometric litigation risks remain significant. The amendment addressed the per-scan damages question but didn't change the fundamental consent and notice requirements that generate most BIPA claims in the first place.
Where biometric data regulation is heading
The federal landscape may eventually simplify things. Multiple federal biometric privacy bills have been introduced in Congress, though none have passed as of early 2026. The American Data Privacy and Protection Act, which stalled in previous sessions, included biometric data provisions that would have created a national standard — but also would have preempted some stronger state laws, which privacy advocates opposed.
In the absence of federal action, the state-by-state expansion will continue. The Axiom Law analysis of 2026 state privacy changes identified several new states implementing comprehensive privacy laws with biometric provisions, and existing states like Colorado and Connecticut strengthening enforcement of their existing frameworks.
For insurance specifically, the intersection of biometric data collection and health data creates a regulatory environment that's more complex than what most other industries face. An insurer collecting rPPG vital signs data from an applicant is simultaneously handling biometric identifiers (the facial video), health data (the vital signs readings), and insurance underwriting data (the risk assessment derived from those readings). Each of those data categories may trigger different legal obligations under different statutes.
Solutions like Circadify are building privacy-by-design into contactless vital signs collection, processing biometric data in ways that address consent, minimization, and retention requirements from the start rather than as compliance add-ons.
Frequently asked questions
Does BIPA apply to insurance companies collecting biometric data?
Yes, if the insurance company collects biometric identifiers (as defined by BIPA) from Illinois residents. This includes fingerprints, facial geometry scans, voiceprints, and potentially camera-based health assessments that capture facial data. The carrier must provide written notice, obtain written consent, and maintain a public data retention and destruction policy.
Can insurers share biometric data with reinsurers or third-party vendors?
Under BIPA, private entities cannot sell, lease, trade, or otherwise profit from biometric data. Sharing with reinsurers or vendors for purposes disclosed in the original consent notice may be permissible, but each receiving entity should be named in the consent disclosure. Under GDPR, a data processing agreement is required for each third party. Under CCPA/CPRA, the sharing must be disclosed in the privacy policy and consumers can opt out of sales.
What happens if biometric data collected for underwriting is breached?
Biometric data breaches are particularly serious because biometric identifiers can't be changed. Under CCPA/CPRA, consumers have a private right of action for data breaches involving unencrypted biometric data. Under GDPR, the supervisory authority must be notified within 72 hours. The cyber insurance implications are significant — carriers writing cyber policies should verify that their policyholders' biometric data storage meets the encrypted-at-rest and in-transit standards that most policies require.
Are rPPG vital signs readings considered biometric data?
It depends on the jurisdiction and the specific data retained. If the system captures and stores facial video or facial geometry data, that likely falls under biometric privacy statutes. If the system processes the video in real time and only retains the derived vital signs readings (heart rate, blood pressure estimates) without storing facial data, the analysis is different. The safest approach is to treat the entire data pipeline as potentially biometric and build consent accordingly.
