HB-1970
MO · State · USA
Status: Pre-filed
Proposed Effective Date: 2026-08-28
Missouri HB 1970 — Biometric Information Privacy Act
Summary

Missouri's Biometric Information Privacy Act imposes comprehensive obligations on private entities that collect, possess, or use biometric identifiers and biometric information. Before collecting any biometric data, private entities must provide written notice of the collection and its purpose, and obtain informed written consent that cannot be obtained through general user agreements. Entities must maintain publicly available retention and destruction policies, are prohibited from selling biometric data, and must protect it using at least the same standard of care applied to other confidential and sensitive information. The act creates a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus mandatory attorney's fees. Exemptions apply to HIPAA-covered entities, financial institutions subject to Gramm-Leach-Bliley, and government contractors acting in their government capacity.

Enforcement & Penalties
Enforcement Authority
Private right of action. No designated agency enforcer. Any person aggrieved by a violation may bring suit in state circuit court or as a supplemental claim in federal district court, including class actions. Standing requires that the plaintiff be a person aggrieved by a violation of the act.
Penalties
For negligent violations: liquidated damages of $1,000 or actual damages, whichever is greater, per violation. For intentional or reckless violations: liquidated damages of $5,000 or actual damages, whichever is greater, per violation. Court shall award all attorney's fees and costs, including expert witness fees and other litigation expenses, to the prevailing plaintiff. Court may also award injunctive relief or other relief as appropriate. Liquidated damages do not require proof of actual monetary harm.
Who Is Covered
"Private entity", any individual acting in a commercial context, partnership, corporation, limited liability company, association, or other group however organized. "Private entity" does not include a state or local government agency. "Private entity" does not include any court of Missouri, a clerk of the court, or a judge or justice thereof.
Compliance Obligations · 7 obligations
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
§ 1.566(2)(1)-(3)
Plain Language
Before collecting any biometric identifier or biometric information, a private entity must provide written notice to the individual (or their authorized representative) that biometric data is being collected, disclose the specific purpose and duration of collection, storage, and use, and obtain a written release. Critically, a valid written release cannot be obtained through a general release or user agreement — it must be specific to biometric data. In the employment context, written releases may only authorize biometric collection for physical/electronic access control (without location tracking) or timekeeping, and may be made a condition of employment.
Statutory Text
2. No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information unless it first: (1) Informs the person or customer, or the person's or customer's legally authorized representative, in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the person or customer, or the person's or customer's legally authorized representative, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the person or customer, or the person's or customer's legally authorized representative.
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Biometrics
§ 1.566(1)
Plain Language
Any private entity possessing biometric identifiers or biometric information must create and publicly publish a written retention and destruction policy. The policy must establish a retention schedule and guidelines for permanently destroying biometric data when the original collection purpose has been satisfied or within one year of the individual's last interaction with the entity — whichever comes first. The entity must actually comply with its own published schedule and destruction guidelines, and may deviate only pursuant to a valid warrant or subpoena. This is both a documentation obligation (creating the policy) and an operational obligation (following it).
Statutory Text
1. Any private entity in possession of biometric identifiers or biometric information shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within one year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with its established retention schedule and destruction guidelines.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics
§ 1.566(3)(2)
Plain Language
Private entities are categorically prohibited from selling, leasing, or trading any biometric identifier or biometric information they possess. There are no exceptions to this prohibition — even with consent, sale or trade of biometric data is not permitted. This is distinct from the disclosure restrictions in § 1.566(4), which allow disclosure with consent or for certain enumerated purposes; the sale/trade ban is absolute.
Statutory Text
(2) No private entity in possession of a biometric identifier or biometric information shall sell, lease, or trade a person's or a customer's biometric identifier or biometric information.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
§ 1.566(4)(1)-(4)
Plain Language
Private entities may not disclose, redisclose, or otherwise disseminate biometric identifiers or biometric information except in four narrow circumstances: (1) the individual or authorized representative provides a written release; (2) the disclosure completes a financial transaction the individual requested or authorized; (3) disclosure is required by law; or (4) disclosure is compelled by a valid warrant or subpoena. Any disclosure outside these four exceptions is a violation. Note that the written release requirement here is separate from the collection consent in § 1.566(2) — consent to collect does not automatically authorize disclosure to third parties.
Statutory Text
4. No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The person or customer, or the person's or customer's legally authorized representative, provides written release to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the person or customer, or the person's or customer's legally authorized representative; (3) The disclosure or redisclosure is required by state law, federal law, or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Deployer · Biometrics
§ 1.566(5)(1)-(2)
Plain Language
Private entities must protect biometric identifiers and biometric information to at least two security baselines: (1) the reasonable standard of care within their industry, and (2) a level of protection at least equal to how they protect other confidential and sensitive information such as Social Security numbers, account numbers, and driver's license numbers. Both standards must be met, so in practice the more protective of the two governs. This is an ongoing operational obligation covering storage, transmission, and protection from disclosure.
Statutory Text
5. A private entity in possession of a biometric identifier or biometric information shall: (1) Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Other · Deployer · Biometrics
§ 1.567(1)-(2)
Plain Language
Private entities face two prohibitions: (1) they may not condition goods or services on biometric data collection unless the biometric identifier is strictly necessary to provide the good or service — this is a high bar requiring functional necessity, not merely convenience; and (2) they may not engage in retaliatory pricing or service degradation against individuals who exercise their rights under the act. Together, these provisions prevent entities from coercing consent by withholding services and from punishing individuals who refuse to provide biometric data or who exercise other statutory rights.
Statutory Text
1.567. A private entity shall not: (1) Condition the provision of a good or service on the collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the biometric identifier is strictly necessary to provide the good or service; or (2) Charge different prices or rates for goods or services or provide a different level of quality of a good or service to any individual who exercises the individual's rights under sections 1.561 to 1.572.
Other · Deployer · Biometrics · Healthcare
§ 1.566(3)(1)
Plain Language
HIPAA-covered entities and individuals must treat all biometric identifiers and biometric information as individually identifiable health information and unique health identifiers under HIPAA. This means biometric data held by HIPAA-covered entities is subject to the full range of HIPAA privacy, security, and breach notification requirements. This provision extends existing HIPAA protections to biometric data rather than creating a new standalone obligation.
Statutory Text
3. (1) Any entity or individual required to comply with the federal Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, shall treat biometric identifiers and biometric information as individually identifiable health information and unique health identifiers protected under that act and the rules promulgated thereunder.