Biometric Data Online Notice and Consent

Summary

This biometric data online notice and consent template is for use by companies to obtain online (i.e., electronic) informed consent to process data that may be considered biometric identifiers or biometric information under applicable law (referred to as "Biometric Data" in this template). This template includes practical guidance, drafting notes, and alternate clauses. This template is intended for use as a model for compliance with the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA); Texas Capture or Use of Biometric Identifiers Act, Tex. Bus. and Com. Code § 503.001 (CUBI); and Washington's HB 1493 biometrics statute, Wash Rev. Code § 19.375.010, et seq. (HB 1493). Colorado also passed a biometric privacy law, which became effective on July 1, 2025. See Colo. Rev. Stat. § 6-1-1314. Organizations must carefully draft their own notice and consent language to satisfy the specific compliance requirements for the applicable jurisdiction(s). This template assumes that the organization uses biometric technologies and biometric data solely within the United States. For a full listing of related data security and privacy content in a particular state, see our state-specific Data Privacy and Cybersecurity State Law Compliance Resource Kits listed here. For more on biometrics, see Biometric Privacy State Legislation Tracker (2025), Biometric Data Online Notice and Consent, Biometric Data Privacy Policy, Biometrics: Mitigating Legal Risks When Using Biometric Technologies, Biometrics Workplace Compliance and Best Practices for Employers, Biometric Privacy and Artificial Intelligence Legal Developments, Biometrics and Data Privacy Podcast, Biometric Data Privacy Policy, and Biometrics Compliance Checklist. For a survey of state biometric legislation, see Biometric Privacy State Law Survey. For consumer privacy legislation tracking, see Privacy Legislation Tracker: State Comprehensive Consumer Privacy Bills (2025). Varying Notice and Consent Requirements Under BIPA, CUBI, and HB 1493 This notice and consent form must be tailored to reflect the specific notice and consent-related compliance obligations imposed on the organization. Compliance obligations vary between BIPA, CUBI, and Washington HB 1493. Importantly, these laws all require that notice be given, and consent obtained, before any biometric data is collected, captured, or otherwise acquired from data subjects, or through any other methods or mechanisms. BIPA requires both notice and consent to be in writing. However, neither CUBI nor HB 1493 impose any similar "in writing" requirement. More specifically, BIPA requires that organizations: (1) provide written notice; and (2) obtain written consent. 740 ILCS 14/15(b). An organization's written notice must inform data subjects: • That biometric data is being collected or stored • The specific purpose(s) for which biometric data is being collected, stored, and used –and– • The specific length of term for which the biometric data is being collected, stored, and used 740 ILCS 14/15(b)(1)-(2). With respect to consent, BIPA requires organizations to "receive[] a written release executed by the subject of the [biometric data] or the subject's legally authorized representative." 740 ILCS 14/15(b)(3). "Written release" means "informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment." 740 ILCS 14/10. "Electronic signature" means "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." Id. Texas CUBI requires organizations to: (1) inform the individual before capturing biometric data; and (2) receive the individual's consent to capture biometric data. Tex. Bus. and Com. Code § 503.001(b). Washington HB 1493 requires organizations to: (1) provide notice and (2) obtain consent. Wash. Rev. Code § 19.375.020(1). HB 1493 further provides that "[n]otice is a disclosure, that is not considered affirmative consent, that is given through a procedure reasonably designed to be readily available to affected individuals. The exact notice and type of consent required to achieve compliance with [HB 1493's notice and consent requirements] is context-dependent." Wash. Rev. Code § 19.375.020(2).