Who Owns Your Face? Biometric Privacy Under U.S. Federal Silence and the USMCA

Blog Post by Nicholas Caicedo, Junior Associate

What happens when the very features that make us human — our faces, our voices, and our fingerprints — are transformed into assets owned by private entities? Unlike the European Union with its General Data Protection Regulation (“GDPR”)[1], Mexico with its Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”)[2], and Canada with its Personal Information Protection and Electronic Documents Act (“PIPEDA”)[3], the United States has no framework regulating the use of biometric data.[4] This blog is simple. It does not examine surveillance or the merits of our government’s biometric use. Rather, it exposes two gaps. First, the United States has no federal law regulating private entities’ use of biometric data.[5] Second, the United States–Mexico–Canada Agreement (“USMCA”), despite Canada and Mexico having biometric protections, establishes no cross-border provision to govern private companies’ use.[6]

Background

Over the last two decades, technologies once relegated to the realm of science fiction, such as facial recognition, voice authentication, and iris scans, have become everyday tools.[7] Biometrics are essentially measurements of an individual’s unique physical or behavioral traits, from fingerprints to facial geometry and retinal patterns.[8] Unlike a password, these identifiers cannot be modified once compromised.[9] This permanence makes them attractive to corporations as an efficient and cost-effective means of authentication, yet it leaves individuals exposed when such data is collected without meaningful protections or consent.[10]

U.S. Federal Law

In the United States, the Federal Trade Commission may act against “unfair or deceptive practices,” but only where such conduct has caused or is likely to cause substantial consumer injury.[11] And although Illinois’s Biometric Information Privacy Act (“BIPA”) stands out for its robust protections — requiring notice, informed consent, and granting a private right of action — the United States as a whole lacks enforcement comparable to the GDPR, LFPDPPP, and PIPEDA.[12] This gap has serious consequences. In the absence of clear parameters, corporations are free to build biometric databases, exposing consumers to identity theft, surveillance, and privacy harms.[13] Unlike a credit card, which can be canceled or replaced, stolen biometric data is permanent.[14]

USMCA Provision

The USMCA offers minimal relief. Although it guarantees the flow of digital information across North America, it is silent on biometric privacy.[15] In practice, biometric data collected by a private company in any of the three countries can circulate without restrictions on how the data is stored or monetized.[16] An amended USMCA could close this gap, creating GDPR-style rules across North America that mandate consent and retention limits and guarantee the ability to lodge complaints and seek relief.[17] Just like the GDPR, a USMCA provision could impose penalties and hold corporations accountable for exploiting biometrics.[18] And with artificial intelligence catalyzing biometric technologies into airport security kiosks, workplaces, and even grocery checkouts, the need for robust, cross-border safeguards is now more pressing than ever.[19]

Conclusion

Until the United States enacts federal legislation and the USMCA adopts cross-border provisions, these two gaps will endure — permitting biometric commerce to flourish unchecked and leaving human identity vulnerable to commodification.

[1] Regulation (EU) 2016/679 (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter, GDPR] (establishing numerous data protections, including consent requirements, restrictions on technical processing of biometric data, and rights to complaints, judicial remedies, and compensation).

[2] Ley Federal de Protección de Datos Personales en Posesión de los Particulares [Federal Law on the Protection of Personal Data Held by Private Parties], Diario Oficial de la Federación [DOF] 05-07-2010, últimas reformas DOF 20-03-2025 (Mexico) [hereinafter, LFPDPPP], https://www.gob.mx/indesol/documentos/ley-federal-de-proteccion-de-datos-personales-en-posesion-de-los-particulares (regulating the use of personal data by private entities, requiring consent for its collection and providing that individuals may at any time request from a data controller access to, rectification of, cancellation of, or objection to the management of their personal data).

[3] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, amended by S.C. 2024, c. 17 (Canada) [hereinafter, PIPEDA] (providing that organizations may collect personal information only with “meaningful consent” for identified purposes, and requiring that such information be retained only as long as necessary for the purposes for which it was collected).

[4] Ariana Naranjo, U.S. Biometric Data Laws, TCWGlobal (Apr. 1, 2025), https://www.tcwglobal.com/blog/u.s.-biometric-data-law (noting that “[i]n the United States, there is currently no federal law specifically governing the collection, use, storage, or disclosure of biometric data”).

[5] Id.

[6] United States–Mexico–Canada Agreement, ch. 19, Nov. 30, 2018, 134 Stat. 11, 2020, Can. T.S. No. 5 [hereinafter USMCA], https://ustr.gov/issue-areas/services-investment/telecom-e-commerce/e-commerce-fta-chapters (although set to terminate in 2036, it is scheduled for Joint Review on July 1, 2026) (requiring the Parties to adopt digital trade rules, including personal information protections grounded in collection limits and compliance for cross-border data flows, while remaining silent on biometric data requirements for private entities and safeguards for consumers).

[7] Susan Willey & Ivy R. White, Facial Recognition, Fingerprints, and Retina Scans, Oh, My! Exploring Privacy and Security Concerns Raised by Business Collection, Use, and Distribution of Biometric Data Through a Multicomponent Team Project, 42 J. Legal Stud. Educ. 55 (2025) [hereinafter, Oh My!].

[8] Id. at 59.

[9] Id. at 55; see also Lauren Hendrickson, Privacy Concerns with Biometric Data Collection, Identity (Sept. 4, 2025), https://www.identity.com/privacy-concerns-with-biometric-data-collection/ (explaining that “[u]nlike a password, a fingerprint or voiceprint cannot be reset once compromised”).

[10] Jing Zhang, Zilong Liu & Xin (Robert) Luo, Unraveling juxtaposed effects of biometric characteristics on user security behaviors: A controversial information technology perspective, 183 Decis. Support. Syst. 114267 (2024), https://www.sciencedirect.com/science/article/pii/S0167923624001003.

[11] 15 U.S.C. § 45.

[12] Bloomberg Law, Is Biometric Information Protected by Privacy Laws?, Bloomberg Law (June 20, 2024), https://pro.bloomberglaw.com/insights/privacy/biometric-data-privacy-laws/.

[13] Hendrickson, supra note 9.

[14] Oh, My!, supra note 7, at 55; Hendrickson, supra note 9.

[15] USMCA, supra note 6.

[16] See id. (illustrating that although the agreement protects free data flows, it contains no provisions limiting how biometric data may be stored, monetized, or exchanged).

[17] GDPR, supra note 1.

[18] Id.

[19] See KPMG, AI and Privacy: A Look at Biometric Tech & Data, KPMG (Jan. 2025), https://kpmg.com/us/en/articles/2025/ai-and-privacy-a-look-at-biometric-tech-and-data-reg-alert.html (noting that AI biometric technologies are growing and raising risks to privacy); see also Chris Burt, Advance of Retail Biometrics Runs Up Against Corporate Trust, Transparency Concerns, Biometric Update (Aug. 28, 2025, 5:22 PM EDT), https://www.biometricupdate.com/202508/advance-of-retail-biometrics-runs-up-against-corporate-trust-transparency-concerns (describing the adoption of biometric systems in U.S. retail and BIPA related litigation).
