Biometric Law: What Investigators Must Know Now

Here's a thought experiment. Two investigators both run facial comparisons this week. The first has a folder of photos handed over by a client — specific subject, documented chain of custody, written scope of work, lawful authority to possess the images. The second scrapes social media profiles, cross-references a few public photos, and runs the same technical process. Same software. Same algorithm. Completely different legal exposure.

That distinction — which looks invisible from a purely technical standpoint — is exactly the line regulators are drawing right now. And the investigators who don't understand it aren't just behind the curve. They're standing in the path of something that has already cost other industries billions of dollars.

The Law That Proved This Isn't Theoretical

Let's start with Illinois, because Illinois started this whole conversation back in 2008. The Biometric Information Privacy Act — BIPA, if you want to sound like you know what you're talking about at a conference — was the first US law to treat facial geometry and biometric identifiers as legally protected personal data. Not just sensitive. Protected. With private rights of action. Meaning anyone whose biometric data was collected without proper notice and consent could sue directly.

The numbers that followed are not subtle. BIPA litigation has generated over $2 billion in class-action settlements to date. Facebook paid $650 million. Google paid $100 million. TikTok settled for $92 million. These are not rounding errors. And here's the part that investigators consistently miss: the law doesn't care how big you are. Small businesses have been successfully sued under BIPA. The trigger is what you did with the images, not how many employees you have.

Illinois was first. But it's no longer alone. At least 12 US states enacted or significantly advanced biometric privacy legislation between 2022 and 2024, with active enforcement now running in Texas, Washington, and Colorado. This is not a patchwork anymore. It's a closing net — and it's moving faster than most solo investigators realize, because the news coverage tends to focus on big corporate defendants, not the small operators who face the same exposure with a fraction of the legal resources. This article is part of a series — start with Deepfake Detection Accuracy Gap Investigator Workf.

What the EU AI Act Actually Says (And Why It Matters to US Investigators)

Across the Atlantic, the regulatory architecture is even more explicit about the distinction that matters here. The EU AI Act — now in phased implementation and already being watched as a global benchmark by regulators from London to Singapore — draws a direct legal line between two categories of facial recognition use.

The first category: real-time remote biometric identification in public spaces. The Act classifies this as either high-risk or outright prohibited, depending on context. The reasoning is straightforward. Scanning a crowd, a street, or an airport gate without the knowledge or consent of the people being scanned treats every face as a data point to be harvested. That's the thing regulators have decided they don't want in a free society — and the legal architecture reflects that judgment with hard restrictions.

"Both European and American approaches to the technology face a common challenge: how to move fast enough to stay competitive with China and other authoritarian states while moving carefully enough to protect civil liberties." — William Echikson and Jensen Enterman, Center for European Policy Analysis

The second category — and this is the one investigators should be paying close attention to — is controlled, case-specific image comparison conducted under human oversight with documented lawful authority. This occupies a categorically different legal space under the Act's framework. The architecture of the law actually rewards scope limitation and documented consent. It's not a loophole. It's a design principle.

Think of it like a search warrant versus warrantless surveillance. A detective operating with a warrant — specific subject, specific location, specific legal authority — works inside clear legal protection. A detective photographing everyone on a block "just in case" works in the opposite direction entirely. Consent-based facial comparison is the warrant equivalent: scoped, documented, defensible. The comparison is almost too clean, but that's exactly how regulators are thinking about it.

As Mayer Brown noted in their January 2026 Global Privacy Watchlist, "the global data privacy and online safety landscape is undergoing a period of unprecedented regulatory transformation" — with AI and biometric technologies sitting at the center of that transformation across every major economic region simultaneously. This isn't one jurisdiction moving slowly. It's a coordinated global shift happening on an accelerated timeline. Previously in this series: Facial Comparison Triage Multi Camera Investigatio.

The Specific Thing Regulators Are Looking For

Here's where it gets genuinely interesting — and practically useful. When regulators and courts evaluate biometric compliance, the question they keep returning to is what legal scholars call "purposeful collection scope." It sounds like jargon, but the concept is simple: Can you document why each image was used, whose consent or lawful authority permitted it, and what the comparison was limited to?

That's it. That's the test. Investigators who can answer those three questions clearly — for every comparison they ran — occupy categorically safer legal ground than those who cannot. Not because they found a technicality. Because they operated in a way that the legal framework was specifically designed to protect.

The Bristol, Virginia Police Department offers a useful real-world model here. When they launched their facial recognition program in 2025, what distinguished them wasn't the technology — it was the policy architecture around the technology. Publicly accessible documentation. Annual oversight requirements. Strict accountability mechanisms. A commitment to running comparisons within clearly defined boundaries. The technology was the same software available to other agencies. The defensibility came from the documented process wrapped around it.

Solo investigators can take the same approach. In fact, understanding how to build that documentation trail — and being able to explain it clearly to a client or, if necessary, a court — is increasingly what separates professional-grade work from legally exposed work. If you want to understand how facial comparison technology fits into a privacy-conscious workflow more broadly, the breakdown at CaraComp's face recognition and privacy resource is worth reading alongside this regulatory context.

The Misconception That Gets People in Trouble

Most investigators — and most small business operators generally — assume that biometric law is a large-enterprise problem. The mental model goes something like: "BIPA is for Facebook, not for me." That model is wrong, and it's demonstrably wrong based on the litigation record. Up next: Brain Detects Deepfakes Facial Landmarks Visual In.

BIPA defines biometric identifiers broadly. A facial geometry scan extracted during image comparison is a biometric identifier under the statute. The law doesn't ask how many employees your firm has. It asks whether you collected, used, or stored biometric data without proper notice, consent, and a publicly available retention policy. Those requirements apply to a solo investigator with a laptop just as much as they apply to a Fortune 500 company — the only difference is that the Fortune 500 company has a legal department that told them about it years ago.

The good news — and there genuinely is good news here — is that the remedy isn't complicated. It's documentation, scope definition, and process. The investigators who will own this industry in 2026 aren't necessarily running more sophisticated algorithms than their competitors. They're the ones who can walk a client, a regulator, or a courtroom through exactly why every comparison they ran was legally clean.

So here's the question worth sitting with: if a client handed you a folder of face photos right now, could you clearly articulate — not just feel confident about, but actually articulate — which comparisons are safe to run, under what authority, with what retention limits, and why? Because the regulators writing the next round of rules are already assuming the answer is yes. The investigators who can actually say yes are the ones they'll never need to call.