This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

This is the US-side companion to the EU article GDPR for video surveillance, and it is written for the same reader: a security integrator, product manager, retail or smart-building lead, or enterprise security owner who is specifying, buying, or building a system that will run in the United States. Biometric analytics — face recognition above all — carry the single highest legal exposure of anything in a modern surveillance system, and in the US that exposure is concentrated, strange, and easy to walk into by accident, because the rules differ by state and the most dangerous one rewards lawsuits brought by the people in your footage. You do not need a legal background to read this: every term is defined in plain language and tied to the named statute, and the goal is to leave you able to recognise a design that will get sued before it is built, and to ask a vendor or an engineer the right question — "does this create a faceprint, and if so, where, and with whose consent?" This is the highest-liability topic in the whole surveillance section, so the article errs toward caution and tells you where the law is still moving.

First, the frame: there is no "US GDPR"

The most important fact about US biometric law is what is missing. There is no comprehensive federal privacy statute equivalent to Europe's General Data Protection Regulation (GDPR). Federal law in the US covers data only in slices — health data under HIPAA, financial data under the Gramm-Leach-Bliley Act, children under 13 under COPPA, education records under FERPA, and a general "unfair or deceptive practices" backstop the Federal Trade Commission enforces. None of those is a general biometric law. So the rules that decide whether your camera system is legal come almost entirely from individual states, and they do not agree with each other.

For surveillance, the state landscape sorts into three layers, and getting the layers straight is most of the battle.

The first layer is the small group of states with a dedicated biometric statute — a law written specifically about fingerprints, faceprints, and the like. There are three that matter: Illinois (BIPA, 2008), Texas (the Capture or Use of Biometric Identifier Act, "CUBI," 2009), and Washington (codified at RCW 19.375, 2017). All three say roughly the same thing about the core duty — get consent before you capture a biometric — but they differ enormously in who can enforce them, and that difference is the whole game.

The second layer is the wave of comprehensive consumer-privacy laws that roughly twenty states have now enacted, modelled loosely on GDPR — California, Colorado, Connecticut, Virginia, Oregon, Texas, and more. These are not biometric laws, but almost all of them classify biometric data as "sensitive data" that requires a person's explicit opt-in consent before you may process it. They add a second, broader layer of consent duty on top of (or instead of) a dedicated biometric statute.

The third layer is everything else — the FTC's general authority, sector rules, and a steady stream of new bills. It is the layer most likely to change between when you read this and when you deploy.

The one line to carry out of this section: across all of it, only Illinois gives the individuals in your footage the right to sue you themselves. That single design choice is why Illinois, a state with about 4% of the US population, is where essentially every large biometric case is filed.

A map-style diagram of the US biometric privacy patchwork: no federal law at the top, then a layer of three dedicated state biometric statutes (Illinois BIPA, Texas CUBI, Washington), a layer of about twenty comprehensive privacy laws treating biometrics as sensitive data, with only Illinois marked as allowing private lawsuits.

Figure 1. The US has no federal biometric law — only a three-layer patchwork of state rules. Three states have dedicated biometric statutes (IL, TX, WA); about twenty more treat biometrics as "sensitive data" under general privacy laws; and only Illinois lets the people in your footage sue you directly.

What actually counts as "biometric" — and the line that trips surveillance

Before any duty attaches, you have to know whether your system is even touching biometric data, and this is where most surveillance teams guess wrong. The instinct is that "we have cameras, so we have biometrics." That is backwards. Under BIPA the controlling definition (Section 10) is narrow and specific.

A biometric identifier is "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." A scan of face geometry is the key one for surveillance: it is the mathematical map a face-recognition system builds when it measures the distances and shapes of your facial features and turns them into a compact string of numbers — often called a faceprint or a template — that lets the software pick you out of a crowd later. The statute then draws an explicit line: biometric identifiers do not include "photographs," writing samples, or "physical descriptions such as height, weight, hair color, or eye color." A separate term, biometric information, sweeps in any other data you derive from an identifier and use to identify someone.

Read those two together and the surveillance rule falls out cleanly. Recording video is not the regulated act. Building a faceprint from it is. A camera that captures and stores footage of a lobby is handling photographs and ordinary video — outside BIPA's biometric definition. The instant a piece of software analyses those frames to extract a face-geometry template and match it against a gallery, it has created a biometric identifier, and the full weight of the law lands. This is exactly the same fault line we drew in Europe: under GDPR, ordinary recording runs on a normal lawful basis while facial recognition creates special-category data, the step-change covered in GDPR for video surveillance. Different statute, same boundary.

Two practical consequences follow. First, voiceprints are in scope too — if your system captures and analyses voices to identify speakers, that is a biometric identifier, the audio analogue of a faceprint. A surveillance system that records audio along with video can wander into biometric territory without anyone deciding to. Second, the distinction maps directly onto the difference between detection and recognition that we draw in face recognition in surveillance: detecting that "a face is present" (a box around a head, no identity) does not build a template; recognising "this is a specific person" does. The same split governs license-plate recognition, though a plate is not biometric — it is covered by other rules, not BIPA.

Common mistake: assuming all camera footage is "biometric data." It is not, and over-applying the label is almost as costly as ignoring it — it can stall a lawful, useful deployment in compliance review for no reason. The trigger is the template: a faceprint, voiceprint, fingerprint, or iris/retina scan used to identify a person. Plain recording, motion detection, and people-counting that never builds an identity template generally sit outside BIPA. Knowing precisely where your pipeline crosses the line is the whole skill.

Illinois BIPA: the law with teeth

BIPA is short, but every clause has been litigated, so it pays to read it as a sequence of concrete duties on a system that does handle biometric identifiers. They live in Section 15.

The duty that breaks open-area surveillance is Section 15(b): consent before capture. A private entity may not "collect, capture, purchase, receive through trade, or otherwise obtain" a person's biometric identifier unless it first does three things: (1) tells the person, in writing, that a biometric identifier is being collected or stored; (2) tells them, in writing, the specific purpose and the length of term for which it will be collected, stored, and used; and (3) receives a written release — an actual signed consent — from that person. Note the order. The notice and the signature must come before the capture, not after. In a controlled setting where you enrol known people one at a time — employees clocking in with a fingerprint, members joining a gym — that is workable. In an open space where a camera builds a faceprint of everyone who walks past, it is structurally impossible: you cannot get a signed release from a stranger before your software has already measured their face. That impossibility, not any single court case, is why public-space face recognition is the third rail of US surveillance.

The other Section 15 duties shape the rest of the system. Section 15(a) requires a written, public retention-and-destruction policy: you must destroy biometric identifiers when the purpose you collected them for is satisfied, or within three years of the person's last interaction with you, whichever comes first. Section 15(c) flatly forbids selling, leasing, trading, or otherwise profiting from someone's biometric data. Section 15(d) bars disclosing it without consent (with narrow exceptions for completing a transaction the person asked for, or a legal requirement). Section 15(e) sets a security floor: protect biometric data with at least the "reasonable standard of care" for your industry, and at least as well as you protect your other confidential information. The retention rule connects straight to the engineering policy in retention limits and lawful deletion — under BIPA, "keep the faceprints forever just in case" is itself a violation.

There are limits to BIPA's reach worth knowing. It binds private entities, not state or local government agencies or the courts. And Section 25 carves out specific contexts — data already covered by HIPAA in a health-care setting, financial institutions under Gramm-Leach-Bliley, and government contractors acting for the agency. Those carve-outs are narrower than they sound; for an ordinary retailer, building operator, or product vendor, none of them apply.

A flow diagram of the BIPA Section 15(b) consent gate before capturing a biometric identifier: a private entity must first give written notice that data is collected, state the specific purpose and length of term, and receive a signed written release, with a branch showing open-area surveillance failing the gate because a stranger cannot sign in advance.

Figure 2. BIPA Section 15(b) is a gate, not a checkbox. Before a system may build a faceprint it must give written notice, state the purpose and retention term, and receive a signed release — in that order. Enrolling known individuals can pass it; a camera faceprinting everyone who walks past cannot.

Why Illinois is the one that can bankrupt a project: the private right of action

Texas and Washington have nearly identical consent rules. What makes Illinois different — and dangerous — is Section 20: the private right of action. It lets "any person aggrieved by a violation" sue the offending company directly, and it fixes the damages in advance: $1,000 or actual damages, whichever is greater, for a negligent violation; $5,000 or actual damages for an intentional or reckless one, plus attorneys' fees and an injunction. "Liquidated damages" simply means a fixed sum the law sets so a plaintiff does not have to prove a dollar figure. A private right of action means the individuals themselves — not just a government regulator — can bring the case, which in practice means class-action lawsuits on behalf of everyone whose biometric was captured.

Two Illinois Supreme Court decisions turned that structure into the most feared privacy regime in the country. In Rosenbach v. Six Flags (2019), the court held that a person is "aggrieved," and can sue, the moment their BIPA rights are violated — they do not have to show any additional injury, lost money, or harm. A bare failure to get the signature is enough. In Cothron v. White Castle (2023), the court held that a separate claim accrues each time biometric data is captured or transmitted without consent — so a fingerprint clock punched twice a day for years could, in theory, generate thousands of $1,000-to-$5,000 violations per employee. White Castle estimated its own class-wide exposure on that reading at over $17 billion, and the court, plainly uneasy, invited the legislature to step in.

The legislature did. In August 2024, an amendment (Senate Bill 2979, Public Act 103-769) changed Section 20 so that capturing or disclosing the same biometric from the same person by the same method counts as a single violation with, at most, one recovery — collapsing the per-scan theory back toward one statutory award per person. Federal appeals courts have since held that this damages limit applies retroactively to cases already pending. That softened the ceiling, but it did not change the floor: the exposure is still per person, and it still requires no proof of harm. The law in this area is actively moving, with courts continuing to test the boundaries of the temporal window and the damages calculation, so treat any specific figure as current-as-of-now and re-check it.

Walk the math, because the scale is the point. Suppose a retailer switches on face recognition across its Illinois stores and, over a year, builds faceprints of 50,000 shoppers without a written release:

Negligent violation (per person):   $1,000
Reckless/intentional (per person):   $5,000

50,000 people × $1,000  =  $50,000,000   (negligent)
50,000 people × $5,000  = $250,000,000   (reckless / intentional)

Even after the 2024 single-recovery amendment caps each person to one award rather than one-per-scan, the exposure is tens to hundreds of millions of dollars for one switched-on feature — before attorneys' fees. That is not a hypothetical: real settlements have matched it. Facebook paid $650 million in 2021 to settle a BIPA class action over its photo-tagging faceprints. And in 2025 a federal court approved a first-of-its-kind BIPA settlement with Clearview AI — the company that scraped billions of face images to build a recognition database — in which the class received roughly a 23% equity stake in the company, valued around $51.75 million, a structure novel enough that attorneys general from 22 states and DC objected to it.

A diagram of the Illinois BIPA litigation engine showing how a single consent failure scales into class-action exposure: the private right of action plus Rosenbach (no injury required) plus per-person statutory damages of $1,000 or $5,000, multiplied across a class, with the 2024 single-recovery amendment shown as a cap that limits per-scan stacking but not the per-person multiplier.

Figure 3. Why Illinois is the dangerous one. A private right of action (Sec. 20) plus no-injury-required standing (Rosenbach) plus fixed per-person damages turns one missing signature into class-scale exposure. The 2024 amendment caps per-scan stacking but leaves the per-person multiplier intact.

Common mistake: "no one was harmed, so there's no claim." Under Rosenbach, harm is irrelevant in Illinois — the violation is the injury. A perfectly secure system that never leaks a single faceprint, never misidentifies anyone, and benefits the people it scans is still fully liable if it skipped the written-release step. Engineers reason about breach and accuracy; BIPA reasons about consent. The cleanest faceprint pipeline in the world is a multimillion-dollar liability the moment it runs in Illinois without signatures.

The other two dedicated states: Texas CUBI and Washington

Texas and Washington protect biometrics with the same instinct as Illinois but a very different enforcement model — and the difference is the reason they generate fewer headlines and, paradoxically, can still produce the single largest numbers.

Texas's CUBI (Business & Commerce Code Section 503.001) says a person may not "capture a biometric identifier of an individual for a commercial purpose" unless they first inform the individual and receive consent. It also requires reasonable protection and destruction within a reasonable time, and no later than one year after the purpose for collection expires. The crucial difference from Illinois: there is no private right of action. Only the Texas Attorney General can enforce CUBI, and the penalty is a civil one of up to $25,000 per violation. You might expect that to make Texas the softer regime — and for class-action lawyers it is, because they cannot file there. But "AG-only" is not "low-stakes": in July 2024 the Texas AG settled a CUBI and related case against Meta for $1.4 billion, the largest privacy settlement any state attorney general has ever obtained, over facial-geometry data from the same photo-tagging feature. One motivated regulator with a $25,000-per-violation multiplier and millions of residents is its own kind of catastrophe.

Washington's law (RCW 19.375, from House Bill 1493) prohibits enrolling a biometric identifier in a database for a commercial purpose without first giving notice and obtaining consent, or providing a mechanism to prevent commercial use. Like Texas, it is enforced only by the state attorney general, under the state Consumer Protection Act, with no private right of action. Washington has generated far less litigation than Illinois precisely because individuals cannot sue.

The pattern across the three dedicated states is consistent: the duty (consent before capture) is similar everywhere; the risk profile is set almost entirely by who holds the right to sue.

| Dimension | Illinois — BIPA | Texas — CUBI | Washington — RCW 19.375 | Comprehensive privacy laws (~20 states) |
|---|---|---|---|---|
| Triggers on | Capturing a biometric identifier (faceprint, fingerprint, iris, voiceprint) | Capturing a biometric identifier for a commercial purpose | Enrolling a biometric identifier in a database for commercial use | Processing biometric data as "sensitive data" |
| Consent model | Written notice + signed release before capture | Inform + consent before capture | Notice + consent before enrolment | Opt-in consent before processing |
| Who can enforce | The individual (private right of action) + class actions | State Attorney General only | State Attorney General only | State Attorney General (generally no private suit) |
| Headline exposure | $1,000 / $5,000 per person, fees, injunction | Up to $25,000 per violation (AG) | Consumer Protection Act penalties (AG) | Statutory fines per violation (AG) |
| Real-world result | Facebook $650M; Clearview equity settlement | Meta $1.4B (2024) | Little litigation to date | Enforcement still emerging |

Common mistake: "we're not in Illinois, so biometrics are fine." Texas and Washington gate biometric capture on consent just as firmly, and the Texas AG's $1.4 billion Meta settlement shows the AG-enforced states are not a safe harbour. On top of that, roughly twenty states' comprehensive privacy laws now demand opt-in consent before any biometric processing. A US-wide deployment touches all three layers at once. The right question is never "are we in Illinois?" but "where do we build templates, and do we have consent everywhere we do?"

The wider map: comprehensive privacy laws treat biometrics as "sensitive"

Even outside the three dedicated-statute states, biometrics are rarely unregulated anymore. As of 2026, about twenty states have enacted broad consumer-privacy laws — California's CCPA/CPRA, Colorado, Connecticut, Virginia, Oregon, Texas's own Data Privacy and Security Act, and others. Nearly all of them name biometric data as a category of "sensitive data," and for sensitive data the default rule is opt-in consent: you must get the person's affirmative agreement before you process it, and you must honour rights to access and delete it. These laws are generally enforced by the state attorney general (California has a dedicated privacy agency), and most do not give individuals a private right to sue — California's narrow exception applies mainly to certain data breaches.

For a surveillance product the takeaway is that the consent-before-biometrics principle is becoming the national baseline, even where no BIPA-style lawsuit looms. A face-recognition feature that ships nationally now has to clear a dedicated biometric statute in three states, a private-lawsuit gauntlet in one of them, and a sensitive-data opt-in requirement in a growing majority of the rest. The detailed state-by-state breakdown — which keeps shifting as new laws take effect — is the subject of regional regulation: a map of where the rules differ; this article gives you the shape of it and the one rule that holds everywhere: don't build an identity template without consent.

How this maps onto a surveillance build

The legal picture converts into a short list of engineering decisions, and they are the same decisions whether you build the system or buy it.

Treat biometric analytics as a gated feature, off by default. Face recognition, voice identification, and any other template-building analytic should require a deliberate, documented decision to enable — never a default left on because the VMS (the Video Management System, the software platform that runs your cameras) ships with it. The decision needs its own consent design and, for any serious deployment, an impact assessment, exactly as we argue in privacy by design for surveillance and consent and notice for surveillance and biometrics.

Where you cannot get consent, don't create the template. This is data minimisation as legal armour: a system that detects, counts, and tracks people without ever resolving identity stays clear of the biometric statutes entirely. If you need the analytic but not the identity, face masking, redaction, and privacy-preserving analytics shows how to keep the useful signal and shed the biometric risk. And recognise that accuracy does not save you: face recognition in real surveillance conditions runs at a precision/recall range, never a perfect number (the realities are in face recognition in surveillance), and BIPA liability turns on consent, not accuracy, so even a flawless matcher is exposed without signatures.

Make geography a first-class input. Because the risk is set by where the capture happens, a system that can geo-fence biometric features — disabling faceprinting on cameras in Illinois, or anywhere you lack a consent flow — converts a national liability into a manageable, per-site policy. Build the retention-and-destruction clock in from the start (BIPA's three-year cap, Texas's one-year cap), because "we kept the templates indefinitely" is a standalone violation. And in any build-vs-buy evaluation, read the biometric feature as your liability, not the vendor's: when you enable a supplier's face-recognition module on your cameras, you are the entity capturing biometric identifiers, and "the vendor offered it" is not a defence.
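The gate, geo-fence and destruction clock from the three paragraphs above, as an added example (written for this article's checklist; it is not Fora Soft's or any VMS vendor's code). The camera ids, analytic names and template records are hypothetical, and applying the three-year cap at sites outside Illinois, or destroying at purpose end outside Illinois and Texas, is a house-policy assumption rather than something the statutes discussed here require.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Analytics that resolve identity build a template; detection and counting do not.
TEMPLATE_BUILDING = {"face_recognition", "voice_identification"}

@dataclass(frozen=True)
class Site:
    camera_id: str
    state: str                        # US state where the camera physically sits
    biometrics_enabled: bool = False  # off by default; enabling is a documented decision
    consent_flow: bool = False        # site can collect a written release before capture

@dataclass(frozen=True)
class Template:
    subject_id: str
    state: str
    last_interaction: date
    purpose_ended: Optional[date] = None

def may_build_template(site, analytic, release_signed_on, today):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if analytic not in TEMPLATE_BUILDING:
        return True, "no identity template is built"
    if not site.biometrics_enabled:
        return False, "biometric analytics are off by default on this camera"
    if not site.consent_flow:
        return False, f"geo-fenced: no consent flow at this {site.state} site"
    if release_signed_on is None:
        return False, "no written release on file (unknown passer-by)"
    if release_signed_on > today:
        return False, "release is dated after the capture"
    return True, "release on file before capture"

def add_years(d, years):
    """Same calendar day `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def destroy_by(t):
    """Latest date a template may exist under the clocks the article names."""
    # House default (assumption): apply the three-year cap at every site.
    deadlines = [add_years(t.last_interaction, 3)]
    if t.purpose_ended is not None:
        if t.state == "TX":
            deadlines.append(add_years(t.purpose_ended, 1))  # one-year cap
        else:
            # IL: purpose satisfied. Other states: assumption, same rule.
            deadlines.append(t.purpose_ended)
    return min(deadlines)

def overdue(templates, today):
    """Subject ids whose templates must already have been destroyed."""
    return [t.subject_id for t in templates if destroy_by(t) < today]

# Constructed sample data, not taken from any real deployment.
TODAY = date(2026, 6, 9)
LOBBY_IL = Site("cam-il-lobby", "IL")
HR_IL = Site("cam-il-hr-kiosk", "IL", biometrics_enabled=True, consent_flow=True)
STORE_TX = Site("cam-tx-store", "TX", biometrics_enabled=True)
TEMPLATES = [
    Template("emp-001", "IL", last_interaction=date(2023, 6, 1)),
    Template("emp-002", "IL", date(2025, 1, 10), purpose_ended=date(2026, 3, 1)),
    Template("mem-103", "TX", date(2025, 2, 1), purpose_ended=date(2025, 12, 31)),
    Template("emp-004", "IL", last_interaction=date(2024, 2, 29)),
]

if __name__ == "__main__":
    for site, analytic, release in [
        (LOBBY_IL, "people_counting", None),
        (LOBBY_IL, "face_recognition", None),
        (STORE_TX, "face_recognition", date(2026, 1, 5)),
        (HR_IL, "face_recognition", None),
        (HR_IL, "face_recognition", date(2026, 1, 5)),
    ]:
        print(site.camera_id, analytic,
              may_build_template(site, analytic, release, TODAY))
    print("overdue:", overdue(TEMPLATES, TODAY))
```

The check runs before the recognition stage is invoked, so a denied frame never reaches the code that would extract a template; the sweep is meant to run on a schedule and feed the deletion job.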

A decision-and-architecture diagram translating US biometric law into a surveillance build: a gate that keeps face recognition off by default, a consent-or-don't-build-the-template branch, a geo-fence that disables biometric capture where there is no consent flow, and a retention clock enforcing the three-year and one-year destruction limits.

Figure 4. The law as a build checklist. Keep biometric analytics off by default; only build a template where you have consent; geo-fence capture to where a consent flow exists; and enforce the statutory destruction clocks. Detection-only pipelines stay outside the biometric statutes entirely.

Where Fora Soft fits in

US biometric law is where a face-recognition demo and a shippable US product diverge, because the demo never has to produce a written release, geo-fence a feature by state, or prove a template was destroyed on schedule. Fora Soft has built video streaming, real-time video, and computer-vision systems since 2005 — more than 625 shipped projects for 400+ clients — and the surveillance work sits exactly where video analytics meet US privacy law. When we design or integrate a face-recognition or other biometric capability, we treat the capture decision as an explicit, documented gate rather than a default; we build the compliance-critical mechanics — consent capture, per-site geo-fencing of biometric analytics, role-scoped access, and automatic retention-and-destruction — into the pipeline instead of bolting them on; and we keep detection-only and identity-resolving paths cleanly separated so a deployment can have the analytic value without crossing into a biometric identifier where it must not. The accuracy-vs-performance habit carries straight across: we lead with how the system behaves and what it exposes under real load, then the capability — because a faceprint captured without consent is a liability no recognition score can offset.

What to read next

Download the US biometric privacy compliance starter (PDF) — the what-counts-as-biometric line, the three-state comparison (Illinois BIPA, Texas CUBI, Washington), the BIPA Section 15(b) consent gate and Section 15(a) retention rule, the per-person damages math and the 2024 single-recovery amendment, the comprehensive-privacy-law opt-in layer, and an engineering checklist for gating, geo-fencing, and destroying biometric data — each tied to its statute.

References

  1. Illinois Biometric Information Privacy Act, 740 ILCS 14/ (BIPA), esp. Sec. 10 (definitions), Sec. 15 (retention, consent, disclosure, destruction), Sec. 20 (right of action), Sec. 25 (construction), Illinois General Assembly. The controlling statute: defines "biometric identifier" (retina/iris scan, fingerprint, voiceprint, scan of hand or face geometry; photographs excluded), requires written notice and a signed release before capture (15(b)), a public retention/destruction policy (≤3 years, 15(a)), and the private right of action with $1,000/$5,000 liquidated damages (20). Enacted P.A. 95-994 (eff. 2008-10-03); amended P.A. 103-769 (eff. 2024-08-02). Tier 1 (statute). https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57 (text read at law.justia.com/codes/illinois/chapter-740/act-740-ilcs-14, accessed 2026-06-09)
  2. 740 ILCS 14/20, as amended by Public Act 103-769 (Senate Bill 2979, eff. 2024-08-02) — single-violation / single-recovery limit, Illinois General Assembly. Capturing or disclosing the same biometric from the same person by the same method is a single violation with at most one recovery — the legislative response to the per-scan theory of Cothron. Tier 1 (statute). https://www.ilga.gov/legislation/ilcs/fulltext.asp?DocName=074000140K20 (accessed 2026-06-09)
  3. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, Illinois Supreme Court. Holds that a person is "aggrieved" and may sue under BIPA upon a bare violation of the Act's requirements, with no need to plead actual injury beyond the statutory violation — the ruling that opened BIPA class actions. Tier 1 (controlling case law). https://www.illinoiscourts.gov/Resources/f71510f1-fb2a-43d8-ba14-292c8009dfd9/123186.pdf (accessed 2026-06-09)
  4. Cothron v. White Castle System, Inc., 2023 IL 128004, Illinois Supreme Court. Holds that a separate BIPA claim accrues with each unconsented capture or transmission (the "per-scan" accrual), producing the multibillion-dollar exposure that prompted the 2024 amendment; the court expressly invited legislative correction. Tier 1 (controlling case law). https://www.illinoiscourts.gov/ (accessed 2026-06-09)
  5. Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code Sec. 503.001, Texas Legislature / Office of the Attorney General. Bars capturing a biometric identifier for a commercial purpose without informing the individual and receiving consent; requires destruction within a reasonable time, no later than one year after the purpose expires; AG-only enforcement, civil penalty up to $25,000 per violation. Tier 1 (statute). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm (accessed 2026-06-09)
  6. Washington Biometric Identifiers Act, RCW Chapter 19.375 (House Bill 1493, 2017), Washington State Legislature. Prohibits enrolling a biometric identifier in a database for a commercial purpose without notice and consent (or an opt-out mechanism); enforced solely by the Attorney General under the Consumer Protection Act, with no private right of action. Tier 1 (statute). https://app.leg.wa.gov/RCW/default.aspx?cite=19.375&full=true (accessed 2026-06-09)
  7. GDPR (Regulation (EU) 2016/679), Art. 9 and Art. 4(14) — special-category biometric data, European Union. The EU analogue used here for contrast: biometric data processed to uniquely identify a person is special-category data, prohibited by default — the same recording-vs-recognition boundary BIPA draws via its definitions. Tier 1 (statute). https://gdpr-info.eu/art-9-gdpr/ (accessed 2026-06-09)
  8. Texas Attorney General — Meta $1.4 billion CUBI settlement (announced 2024-07-30), Office of the Texas Attorney General. The first lawsuit and first settlement under CUBI, over facial-geometry data from photo-tagging; the largest privacy settlement ever obtained by a state AG — the proof that AG-only enforcement is not low-stakes. Tier 5 (enforcement record). https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-secures-14-billion-settlement-metas-unauthorized-capture-personal (accessed 2026-06-09)
  9. In re Facebook Biometric Information Privacy Litigation — $650 million BIPA settlement (final approval 2021), U.S. District Court, N.D. Cal. A landmark BIPA class settlement over face-geometry templates from photo tag-suggestions, illustrating the per-person class-action exposure unique to Illinois. Tier 5 (enforcement record). https://www.facebookbipaclassaction.com/ (accessed 2026-06-09)
  10. Clearview AI BIPA settlement — final approval 2025 (equity-based, ~$51.75M / ~23% stake), U.S. District Court, N.D. Ill. A first-of-its-kind BIPA resolution in which the class received an equity stake rather than cash, over a face-recognition database scraped from billions of public images; opposed by AGs from 22 states and DC. Tier 5 (enforcement record). https://natlawreview.com/article/first-bipa-litigation-class-members-receive-equity-clearview-ai (accessed 2026-06-09)
  11. State comprehensive privacy laws treating biometric data as "sensitive data" (2026); no comprehensive federal privacy law, MultiState / industry trackers. About twenty states (incl. California, Colorado, Connecticut, Virginia, Oregon, Texas) require opt-in consent before processing biometric "sensitive data," generally AG-enforced; the US has only sectoral federal laws (HIPAA, GLBA, COPPA, FERPA, FTC Act). Tier 5 (legal-industry tracker; verify against each statute). https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026 (accessed 2026-06-09)

Where sources differ, the statute text controls and the court decisions supply the binding interpretation. The definitions, consent, retention, and damages points are taken directly from 740 ILCS 14 (Secs. 10, 15, 20, 25), Tex. Bus. & Com. Code 503.001, and RCW 19.375; Rosenbach and Cothron supply the standing and accrual rulings; the 2024 single-recovery amendment and its retroactive application reflect Public Act 103-769 and subsequent appellate rulings and should be re-verified, as the damages doctrine is still moving; settlement figures are from the courts' and the Texas AG's published records and reputable reporting.