Is Facial Recognition Legal In Massachusetts For Businesses 2026?

Massachusetts allows businesses to use facial‑recognition technology in 2026, but only if they follow the state’s strict biometric‑privacy rules. Companies must obtain a written, informed opt‑in from each individual, give a clear privacy notice, and safeguard the data with industry‑standard encryption. Failure to meet these requirements can trigger civil penalties of up to $1,000 per violation and possible private lawsuits. In short, the technology is legal, but the compliance burden is substantial.

The Legal Framework in 2026

Massachusetts’ biometric‑privacy regime is anchored in Chapter 93L of the General Laws, enacted in 2022 and amended in 2024 to explicitly define facial images as biometric information. The statute mirrors the federal BIPA‑style approach of Illinois, demanding an affirmative, written consent before collection, storage, or sharing of any facial data. It also imposes a “notice‑and‑choice” requirement: businesses must provide a concise privacy notice that explains the purpose of collection, duration of retention, and third‑party sharing practices.

Key Compliance Obligations

  1. Written Opt‑In – Every customer, employee, or visitor must sign a separate consent form that is specific to facial‑recognition use. Verbal consent is insufficient.
  2. Transparent Notice – The notice must be presented before data capture, written in plain language, and include contact information for a data‑privacy officer.
  3. Data Security – Biometric data must be encrypted both at rest and in transit, with access restricted to authorized personnel only.
  4. Retention Limits – Records cannot be kept longer than necessary for the disclosed purpose; automatic deletion after a defined period (typically 90 days) is recommended.
  5. Vendor Management – If a third‑party provider processes facial data, the business must have a written agreement that obligates the vendor to meet or exceed Massachusetts standards.

Risks and Penalties

Violations trigger civil liability under MGL 93L‑71. Courts have awarded up to $1,000 for each unlawful capture, and aggregated damages can quickly become crippling for large‑scale deployments such as site‑wide retail cameras. Additionally, the Attorney General may pursue injunctive relief, forcing a business to cease biometric surveillance until compliance is achieved.

Practical Steps for Businesses

  • Conduct a biometric data audit to identify all points where facial images are captured.
  • Draft a standardized consent form that includes the purpose, duration, and a clear opt‑out mechanism.
  • Implement encryption protocols aligned with NIST SP 800‑53 guidelines.
  • Establish a data‑retention schedule and automated deletion scripts.
  • Review all vendor contracts to embed biometric‑privacy clauses.

Looking Ahead

The Massachusetts legislature is monitoring the national conversation on AI ethics, and a 2025 bill proposes a “risk‑assessment” requirement before deploying any real‑time facial‑recognition system in public spaces. Companies should anticipate potentially tighter oversight and consider adopting privacy‑by‑design frameworks now to stay ahead of it.

FAQ

What constitutes “biometric data” under Massachusetts law?
Biometric data includes any physiological or behavioral characteristic that can uniquely identify an individual, such as facial images, fingerprints, iris scans, or voiceprints. Facial‑recognition outputs are explicitly covered by the 2024 amendment to Chapter 93L.

Can an employer use facial recognition for time‑and‑attendance without employee consent?
No. Even for internal purposes, an employer must obtain a written opt‑in from each employee before collecting or storing facial images, and must disclose how the data will be used and retained.

Are there any exemptions for law‑enforcement use of facial recognition?
The statute applies primarily to private entities. Law‑enforcement agencies are governed by separate statutes and may use facial‑recognition technology under different statutory authority, but private contractors working for agencies must still comply with Chapter 93L.

What remedies do individuals have if a business violates the law?
Individuals may file a civil action seeking statutory damages of up to $1,000 per violation, plus attorney’s fees and injunctive relief. Class‑action suits are also permissible when many consumers are affected.

How does Massachusetts’ law compare to Illinois’ BIPA?
Both statutes require written opt‑in consent and impose a $1,000 per‑violation penalty. However, Massachusetts’ 2024 amendment clarifies that facial images alone constitute biometric data, whereas Illinois’ BIPA historically focused on “scans” of biometric identifiers. The enforcement landscape is similar, but Massachusetts adds a specific notice‑and‑choice provision that is not explicit in BIPA.