Resource guide

Facial Recognition Laws: What's Legal in the US and UK

Facial recognition is regulated very differently depending on where you live — here's how the US patchwork compares to the UK's court-driven approach.

Last updated July 15, 2026 1691-word guide Editor Ban the Bots

Is facial recognition legal? In the United States, mostly yes — with a patchwork of state laws that vary enormously in how much protection they give you. In the United Kingdom, the answer runs through the courts, where a landmark 2020 ruling put real limits on how police can use it. There is no single global rulebook, and conflating the American and British systems is one of the fastest ways to get the legal picture wrong. This guide keeps them separate.

The US has no federal facial recognition law

Congress has introduced multiple bills to regulate facial recognition nationally, but as of today none has become law. That leaves the United States with a state-by-state patchwork, similar to how it handles most consumer privacy issues. Some states have detailed biometric consent statutes, some have narrower rules folded into broader privacy laws, and many have nothing specific at all.

The one federal-level constant is that government agencies can and do use facial recognition. The Transportation Security Administration, for example, uses facial matching at security checkpoints in a number of US airports, and travelers are generally permitted to opt out and request a manual ID check instead. Immigration and law enforcement agencies also use the technology in various capacities, which is a separate policy debate from the commercial-use rules covered below.

Illinois BIPA: the strongest consumer protection in the US

The Biometric Information Privacy Act, enacted in 2008, is the reason Illinois shows up constantly in facial recognition news. It requires companies to get written consent before collecting a person's biometric identifier — a category that includes faceprints, fingerprints, and voiceprints — and to disclose how long they'll keep the data and when they'll destroy it.

What makes BIPA unusual isn't the consent requirement itself; several states have something similar. It's that BIPA gives individuals a private right of action. You don't have to wait for a state regulator to act — you can sue a company directly, and the law sets statutory damages per violation. That single feature has driven a wave of litigation and some very large settlements, including Meta's roughly $650 million settlement in 2021 over facial-tagging features in Facebook photos.

Why this matters beyond Illinois

Companies that do business nationally often build their consent and data-handling practices around BIPA's requirements because it's the strictest standard they're likely to face, even if they never planned to specifically target Illinois. That "compliance ceiling" effect is part of why the law has an outsized influence relative to its single-state reach.

Texas CUBI: consent required, but no private lawsuits

Texas has its own biometric privacy statute, the Capture or Use of Biometric Identifier Act, enacted in 2001 — actually older than Illinois' BIPA. CUBI similarly requires informed consent before a company captures someone's biometric identifier for a commercial purpose, and it restricts selling or disclosing that data.

The critical difference from BIPA is enforcement. CUBI does not include a private right of action, meaning individual Texans generally cannot sue a company themselves for a violation. Enforcement is left entirely to the Texas Attorney General. That's not merely theoretical: the Texas AG sued Meta in 2022 over its use of facial recognition on photos and videos without consent, and the case ended in a settlement of roughly $1.4 billion in 2024 — one of the largest privacy settlements in US history, and proof that AG-only enforcement can still have real teeth when the state chooses to use it.

How other states handle biometric privacy

Beyond Illinois and Texas, the legal landscape gets thinner and more varied. Washington State has its own biometric privacy law that requires notice and consent for commercial use of biometric identifiers, enforced by the state Attorney General rather than through private lawsuits. California folds biometric information into its broader consumer privacy framework, treating faceprints as "sensitive personal information" under the California Consumer Privacy Act and its amendments, which gives residents rights to know about, limit, and in some cases delete that data, though it doesn't mirror Illinois' consent-before-collection model exactly.

Several other states, including a handful with newer comprehensive privacy laws, have added narrower biometric-consent provisions as part of broader data-privacy statutes rather than standalone biometric laws. The trend is real, but the details differ enough state to state that it's worth checking your specific state's current statute rather than assuming Illinois-style protections apply where you live. Most states still have no biometric-specific law at all.

Police use and the city-by-city ban patchwork

Separate from commercial data collection, a number of US cities have passed local ordinances restricting government and police use of facial recognition specifically. San Francisco was the first major US city to ban government use of the technology, in 2019, and several other cities — mostly in California and a scattering of others around the country — followed with their own restrictions in the years after.

These local bans vary widely: some cover only city agencies, some carve out exceptions for specific investigations, and some have since been narrowed or repealed as political control of city councils changed. There is no reliable rule of thumb here — the legality of police facial recognition use depends entirely on the specific city and state you're in, and that patchwork keeps shifting.

The UK: R (Bridges) v South Wales Police

The United Kingdom's most important facial recognition ruling didn't come from a new statute — it came from a court. In R (Bridges) v Chief Constable of South Wales Police [2020] EWCA Civ 1058, the Court of Appeal for England and Wales reviewed South Wales Police's trial use of live facial recognition in public spaces, which had been challenged by civil liberties campaigner Ed Bridges.

The Court of Appeal ruled the force's use of the technology unlawful on several grounds: it interfered with the right to private life under Article 8 of the European Convention on Human Rights without sufficiently clear legal safeguards, the force's data protection impact assessment was inadequate, and — notably — the police had not done enough to verify whether the facial recognition software had a racial or gender bias problem, meaning they couldn't discharge their public sector equality duty.

What Bridges did and didn't change

It's worth being precise here: Bridges did not ban facial recognition in the UK. It was a judicial review of one police force's specific deployment, not a blanket prohibition. But because it was a Court of Appeal decision, it set a binding precedent that forced UK police forces generally to tighten their policies, document their bias testing, and build in clearer legal safeguards before rolling out live facial recognition again.

Why this is a different legal tradition than the US

It's tempting to treat Bridges as the UK's version of an American court striking down a law, but the mechanics are genuinely different. US courts weighing facial recognition tend to work through Fourth Amendment search-and-seizure doctrine and evidentiary admissibility in criminal cases — questions that remain unsettled and haven't produced a definitive nationwide ruling. UK courts work through judicial review: asking whether a public authority's decision to deploy a technology was lawful under human rights and data protection statutes, independent of any specific criminal prosecution. Same underlying technology, two structurally different legal questions.

Which Ban the Bots page do you actually need?

Frequently asked questions

Does BIPA apply to me if I don't live in Illinois? Generally no — BIPA protects people whose biometric data is collected in Illinois or by an Illinois-connected company's practices, though many national companies apply BIPA-level consent practices everywhere to reduce legal risk.

Can a company in Texas scan my face without telling me? Not legally under CUBI, which requires consent before capturing a biometric identifier for a commercial purpose — but because only the Attorney General can enforce it, individual violations often go unaddressed unless the state takes action.

Did the Bridges case end live facial recognition in the UK? No. UK police forces still use live facial recognition, but the Bridges ruling requires them to do more rigorous bias testing and build clearer legal safeguards into how they deploy it.

Is there a federal facial recognition law in the works in the US? Several bills have been proposed in Congress over the years, but none has passed as of this writing, so the state patchwork remains the operative legal reality.

Conclusion

Facial recognition law is really two separate stories wearing the same trench coat. In the US, your protection depends heavily on your zip code — strong in Illinois, moderate and AG-only in Texas, thinner or nonexistent in much of the rest of the country, with a separate and shifting patchwork of city-level police bans layered on top. In the UK, the protection comes from courts applying human rights and data protection law to specific police deployments, with Bridges as the landmark case establishing that police forces can't roll out live facial recognition without real bias testing and legal safeguards.

If you want to understand the technology these laws are trying to regulate, read our explainer on facial recognition. If you're worried about being found through a face search rather than a police camera, Facial Recognition Search covers tools like PimEyes and how to get yourself removed. And for the bigger picture on how the public is pushing back against all of this, see AI Backlash and Fighting Back.

Frequently asked questions

Is facial recognition illegal in the United States?
No, there is no federal law banning facial recognition. It is regulated at the state and local level, with Illinois having the strongest consumer protections through BIPA and other states taking narrower approaches or none at all.
What is Illinois BIPA and why is it different from other state laws?
The Biometric Information Privacy Act is a 2008 Illinois law that requires written consent before a company collects someone's faceprint or other biometric identifier. Unlike most biometric laws, it gives individuals a private right of action, meaning ordinary people can sue companies directly rather than waiting on a regulator.
Can I sue a company for scanning my face under Texas law?
Generally no. Texas' Capture or Use of Biometric Identifier Act requires consent before commercial use of biometric data, but only the Texas Attorney General can enforce it, not private individuals.
What did the UK's Bridges case actually decide?
In R (Bridges) v Chief Constable of South Wales Police, the Court of Appeal ruled that South Wales Police's live facial recognition trials were unlawful because the force had not properly assessed privacy impacts or the risk of racial and gender bias in the software. It did not ban facial recognition outright, but it forced UK police forces to tighten their policies.
Are US and UK facial recognition laws based on the same legal principles?
No. US law is built around state statutes and evolving Fourth Amendment case law about government searches, while UK law works through judicial review of whether a public authority acted lawfully under human rights and data protection statutes. They are separate legal traditions that happen to be grappling with the same technology.
Do any US cities ban police from using facial recognition?
Yes. Several cities, led by San Francisco in 2019, have passed local ordinances restricting or banning government and police use of facial recognition technology, though these bans vary widely in scope and are not consistent nationwide.

Latest related briefings