In a rare convergence of legislative action on biometric privacy, both Texas and Colorado are enacting new laws in 2025 that reshape how biometric data is regulated and safeguarded, though in markedly different ways. While both states are addressing biometric technologies within the broader context of AI governance, their legal approaches diverge significantly in intent and scope.

On June 22, Texas Governor Greg Abbott signed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) into law. The measure, House Bill 149, positions Texas as only the second state after Colorado to adopt broad AI regulations applicable to both the public and private sectors.

TRAIGA follows a “prohibited use” model that narrowly targets harmful AI applications, such as systems designed to induce self-harm, generate exploitative content, or facilitate social scoring by state entities.

Embedded within TRAIGA is a key provision that bars state and local governments from collecting biometric data without consent where doing so would infringe on individual rights or violate existing law. While this does not amount to a broad ban on biometric technologies, it signals a cautious approach to government use of these systems and adds a consent framework absent from previous Texas law.

More consequential, however, are the amendments TRAIGA makes to the 2009 Texas Capture or Use of Biometric Identifiers Act (CUBI). Previously vague and ambiguous, especially regarding what constituted a “commercial purpose,” CUBI’s undefined terms created uncertainty for developers and vendors of security and surveillance technologies.

Many refrained from offering biometric-enabled systems to Texas customers due to compliance risks. This hesitance intensified after high-profile enforcement actions were brought under CUBI against tech giants like Google and Meta, including a major settlement in 2024.

HB 149 brings long-needed clarity by distinguishing between commercial and security uses of biometric data. It explicitly exempts from CUBI’s notice and consent requirements the use of biometric information by artificial intelligence systems for purposes related to security, fraud prevention, law enforcement investigations, and system integrity.

This ensures that technologies used for physical access control, emergency response, or school safety systems can operate within legal bounds without triggering penalties. The exemption also aligns CUBI with the 2023 Texas Data Privacy and Security Act, creating consistency across the state’s data protection laws.

Texas lawmakers also addressed the issue of biometric data used in AI training. Under the amended law, developers are exempt from CUBI when using biometric identifiers to train AI models, unless the resulting system is deployed to uniquely identify individuals.

However, if a system originally trained on biometric data is later used for commercial biometric identification, the full scope of CUBI’s requirements – including consent, disclosure, and data destruction – comes into play. Additional caveats clarify that public images containing biometric identifiers do not count as consent unless those images were voluntarily posted by the individual.

The regulatory landscape in Colorado, meanwhile, is shifting in a more comprehensive direction. Set to take effect July 1, House Bill 24-1130 expands the Colorado Privacy Act to provide sweeping protections for biometric data.

The law classifies biometric identifiers such as fingerprint scans, iris patterns, and facial recognition templates as a distinct and sensitive category of personal data. Controllers of such data must now adhere to stringent rules around notice, consent, retention, and deletion.

Unlike Texas’s targeted exemptions, Colorado’s framework applies to nearly all organizations handling biometric data, regardless of size. Consent is mandatory before any biometric data may be collected, especially when used for identification purposes.

In employment settings, companies must obtain valid employee consent for biometric applications tied to access control or safety but may condition employment on such use under limited circumstances.

The law also mandates clear retention schedules, requiring deletion of biometric data within 24 months of the last interaction or as soon as the original purpose has been fulfilled, whichever comes first.

Another key feature of the Colorado amendment is its prohibition on the sale, lease, or trade of biometric identifiers without explicit consent or legal requirement. Consumers cannot be penalized with higher prices or service denials for refusing to consent, unless the biometric data is essential to delivering the service.

Notably, the law lacks a private right of action, unlike Illinois’s Biometric Information Privacy Act, and instead grants enforcement authority solely to the Colorado Attorney General or district attorneys, with penalties reaching up to $20,000 per violation.

Both laws reflect growing legislative recognition that biometric data requires heightened protection, but they also underscore the ideological divide in how that protection should be structured. Colorado’s approach is expansive, consumer-centric, and heavily prescriptive, establishing a European-style privacy regime within a U.S. state context.

Texas, by contrast, emphasizes business continuity, security use cases, and government restraint, offering exemptions that aim to ensure AI-powered biometric systems can flourish in public safety domains without legal ambiguity.

What unites these efforts is the acknowledgment that biometric technologies are now embedded in daily life and that regulatory gaps left unresolved for over a decade are no longer tenable.

Whether through comprehensive consumer rights or refined exemptions for security, both Colorado and Texas have taken major steps toward establishing a new legal foundation for biometric data governance in an age of rapid technological transformation.

