What does properly securing biometric data look like?
Privacy regulation around biometric data varies from state to state, one expert says.
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
Some New Yorkers have been living out Rockwell’s ’80s hit, “Somebody’s Watching Me,” now that a popular regional supermarket chain has disclosed its choice to collect and store customer biometric data.
As first reported by Gothamist in January, several Wegmans Food Markets locations in New York City hung up signage alerting customers that the company “collects, retains, converts, stores, or shares” customer biometric information, which the retailer said includes facial recognition, eye scans, and voice prints. The move is allegedly an expansion of a 2024 facial recognition program pilot, which was rolled out to help bolster physical security and did not collect customer data. Wegmans did not return IT Brew’s request for comment on the move and the security protocols behind it.
Watch party. Wegmans is not the only retailer leveraging biometric technology in its stores. Last year, a class-action lawsuit filed against Home Depot alleged the home-improvement giant retained facial scans collected during the self-checkout process. In 2023, the FTC banned Rite Aid from using facial recognition technology for surveillance purposes for five years after it concluded the company misused biometric data collected in its stores.
But for the most part, it’s a new frontier for US companies when it comes to their responsibility to disclose biometric data collection. Greg Pollock, head of research and insights at cyber resilience platform company UpGuard, told IT Brew privacy laws around biometric data in the US are regulated in a piecemeal fashion.
“Privacy around the world is usually done federally, but the US, we have what’s called a patchwork of state level privacy laws,” Pollock said, meaning that biometric privacy regulation varies from state to state. He said Illinois, Texas, and Washington are some of the few states with more fleshed out regulation around biometric privacy.
Uh…security? IT Brew caught up with a couple of security experts to understand the security risks of general nonconsensual public biometric scanning. Amy Natasha Osteen, general counsel at Alcatraz, which builds AI-powered facial authentication technology, said that, when it comes to situations like Wegmans leveraging facial scanning, the real area of concern is the lack of transparency.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“What are you doing with the data?” Osteen said. “Can a law enforcement group get this?...How long are you keeping the data and can it be reverse-engineered?”
Pollock added that third-party risk is another concern, especially if businesses rely on external vendors to secure biometric information. Just under one-third (30%) of breaches between 2021 and 2025 were caused by a supply-chain attack, according to a 2026 Identity Theft Resource Center report.
What companies should be doing. Unlike a password, biometric data also cannot be altered, making it essential for businesses collecting it to make sure it’s secured. “If they get captured, what are you gonna do? Change your fingerprints, change your face?” KnowBe4 CISO Advisor Roger Grimes told IT Brew last year.
Fortunately, despite the absence of federal rules requiring organizations to disclose customer surveillance, securing biometric data can be straightforward. Pollock said there are two main factors to consider: first, technical controls, such as encryption and proactively patching vulnerabilities, and second, data controls, such as the principle of least privilege.
Beyond that, Pollock emphasized the importance of a good security program, referring to organizations like the National Institute of Standards and Technology and International Organization for Standardization as good frameworks to follow.
“Biometric data is really just data like any other,” Pollock said. “And we do have good frameworks for how to secure things. You encrypt it and you avoid vulnerabilities, and then you limit who can access it.”
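As an added illustration of the two controls Pollock names (encrypt the data, then limit who can decrypt it), not code from IT Brew or any company quoted here: a small Go store that keeps face templates only as AES-GCM ciphertext and hands plaintext solely to a role the policy allows. The key source, the single "matcher" role and the nonce-plus-ciphertext record layout are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Store struct {
	aead    cipher.AEAD       // AES key is held outside the store (assumption: a KMS or HSM)
	records map[string][]byte // subject id -> nonce || ciphertext, never plaintext
	allowed map[string]bool   // roles permitted to decrypt a template
}

// NewStore takes a 16, 24 or 32-byte AES key; only the "matcher" role may decrypt.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: map[string][]byte{}, allowed: map[string]bool{"matcher": true}}, nil
}

// Enroll encrypts a template under a fresh random nonce and binds the subject id
// as associated data, so a record cannot be quietly reassigned to another subject.
func (s *Store) Enroll(subject string, template []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[subject] = s.aead.Seal(nonce, nonce, template, []byte(subject))
	return nil
}

// Fetch enforces least privilege; a tampered or swapped record fails GCM authentication.
func (s *Store) Fetch(role, subject string) ([]byte, error) {
	if !s.allowed[role] {
		return nil, errors.New("role " + role + " may not read biometric templates")
	}
	rec, n := s.records[subject], s.aead.NonceSize()
	if len(rec) < n {
		return nil, errors.New("no template enrolled for " + subject)
	}
	return s.aead.Open(nil, rec[:n], rec[n:], []byte(subject))
}
```

Every read goes through Fetch, so an audit log of (role, subject) at that one chokepoint answers Osteen's "who can get this data" question for the stored copy.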