HB-1970
MO · State · USA
● Pending
Proposed Effective Date
2026-08-28
Missouri HB 1970 — Biometric Information Privacy Act
Summary

Missouri's Biometric Information Privacy Act imposes obligations on private entities that collect, possess, or use biometric identifiers or biometric information. Private entities must obtain written informed consent before collecting biometric data, develop publicly available retention and destruction policies, and may not sell, lease, or trade biometric data. The Act prohibits conditioning goods or services on biometric data collection unless strictly necessary and prohibits retaliatory pricing against individuals exercising their rights. Enforcement is exclusively through a private right of action, with liquidated damages of $1,000 per negligent violation or $5,000 per intentional/reckless violation, plus mandatory attorney's fees. The Act exempts government agencies, HIPAA-covered entities (for HIPAA-governed data), financial institutions subject to GLBA, and government contractors acting on behalf of government.

Enforcement & Penalties
Enforcement Authority
Private right of action. No designated agency enforcer. Any person aggrieved by a violation may bring a civil action in state circuit court or as a supplemental claim in federal district court, including class actions. Standing requires the plaintiff to be 'aggrieved by a violation.' No cure period or safe harbor is provided.
Penalties
For negligent violations: liquidated damages of $1,000 or actual damages per violation, whichever is greater. For intentional or reckless violations: liquidated damages of $5,000 or actual damages per violation, whichever is greater. Prevailing plaintiffs are awarded all attorney's fees and costs, including expert witness fees and other litigation expenses. Courts may also award injunctive relief and other relief as deemed appropriate. Liquidated damages do not require proof of actual monetary harm.
Who Is Covered
"Private entity", any individual acting in a commercial context, partnership, corporation, limited liability company, association, or other group however organized. "Private entity" does not include a state or local government agency. "Private entity" does not include any court of Missouri, a clerk of the court, or a judge or justice thereof.
Compliance Obligations · 8 obligations
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
RSMo § 1.566(2)(1)-(3)
Plain Language
Before collecting any biometric identifier or biometric information, a private entity must: (1) provide written notice that biometric data is being collected or stored, (2) disclose the specific purpose and duration of collection, storage, and use, and (3) obtain a written release from the individual or their legally authorized representative. A general release or user agreement is insufficient — the consent must be specific. In the employment context, consent is further limited to access-control and timekeeping purposes and may not be used for location tracking or tracking time spent on applications. Employers may require consent as a condition of employment.
Statutory Text
2. No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information unless it first: (1) Informs the person or customer, or the person's or customer's legally authorized representative, in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the person or customer, or the person's or customer's legally authorized representative, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the person or customer, or the person's or customer's legally authorized representative.
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Biometrics
RSMo § 1.566(1)
Plain Language
Any private entity that possesses biometric identifiers or biometric information must create and publicly publish a written policy establishing a retention schedule and guidelines for permanent destruction of biometric data. Destruction must occur when the original purpose for collection has been satisfied or within one year of the individual's last interaction with the entity — whichever comes first. The entity must comply with its own published schedule unless a valid warrant or subpoena requires retention. This is both a documentation and a data lifecycle management obligation.
Statutory Text
1. Any private entity in possession of biometric identifiers or biometric information shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within one year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with its established retention schedule and destruction guidelines.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics
RSMo § 1.566(3)(2)
Plain Language
Private entities are categorically prohibited from selling, leasing, or trading any person's biometric identifier or biometric information. There are no exceptions — this is an absolute prohibition on commercial transfer of biometric data.
Statutory Text
(2) No private entity in possession of a biometric identifier or biometric information shall sell, lease, or trade a person's or a customer's biometric identifier or biometric information.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
RSMo § 1.566(4)(1)-(4)
Plain Language
Private entities may not disclose, redisclose, or disseminate a person's biometric identifier or biometric information except in four narrow circumstances: (1) the individual provides a written release, (2) the disclosure completes a financial transaction the individual requested or authorized, (3) the disclosure is required by law or ordinance, or (4) the disclosure is required by a valid warrant or subpoena. All other disclosures are prohibited. This is a purpose limitation and disclosure restriction — biometric data may only be shared beyond the collecting entity under these enumerated exceptions.
Statutory Text
4. No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The person or customer, or the person's or customer's legally authorized representative, provides written release to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the person or customer, or the person's or customer's legally authorized representative; (3) The disclosure or redisclosure is required by state law, federal law, or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Deployer · Biometrics
RSMo § 1.566(5)(1)-(2)
Plain Language
Private entities must store, transmit, and protect biometric data using (1) the reasonable standard of care within their industry, and (2) protections at least as strong as those applied to the entity's other confidential and sensitive information (such as SSNs, account numbers, and PINs). This is a dual-floor security obligation — entities must meet both the industry standard and their own internal standard for other sensitive data, whichever is higher.
Statutory Text
5. A private entity in possession of a biometric identifier or biometric information shall: (1) Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Other · Deployer · Biometrics
RSMo § 1.567(1)-(2)
Plain Language
Private entities may not require individuals to provide biometric data as a condition of receiving goods or services unless the biometric identifier is strictly necessary to deliver the good or service. Additionally, entities may not impose differential pricing, rates, or service quality on individuals who exercise their rights under the Act (e.g., refusing consent to biometric collection). This is an anti-conditioning and anti-retaliation provision protecting individuals who decline biometric data collection.
Statutory Text
1.567. A private entity shall not: (1) Condition the provision of a good or service on the collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the biometric identifier is strictly necessary to provide the good or service; or (2) Charge different prices or rates for goods or services or provide a different level of quality of a good or service to any individual who exercises the individual's rights under sections 1.561 to 1.572.
Other · Biometrics
RSMo § 1.566(3)(1)
Plain Language
HIPAA-covered entities must treat biometric identifiers and biometric information as protected health information (PHI) subject to HIPAA's protections. This effectively extends HIPAA's existing requirements to biometric data when held by covered entities and business associates — it does not create a new compliance framework but rather incorporates biometric data into the existing HIPAA regime.
Statutory Text
3. (1) Any entity or individual required to comply with the federal Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, shall treat biometric identifiers and biometric information as individually identifiable health information and unique health identifiers protected under that act and the rules promulgated thereunder.
Other · Biometrics
RSMo § 1.569
Plain Language
This section creates the enforcement mechanism for the Act. Any aggrieved person may sue in state circuit court or federal district court, including via class action. Prevailing plaintiffs receive mandatory attorney's fees and costs. Damages are tiered: $1,000 or actual damages (whichever is greater) for negligent violations, $5,000 or actual damages (whichever is greater) for intentional or reckless violations. Courts may also award injunctive relief. This provision creates no independent compliance obligation — it is the remedial framework for violations of the substantive sections.
Statutory Text
1.569. Any person aggrieved by a violation of sections 1.561 to 1.572 shall have a right of action in a state circuit court or as a supplemental claim in federal district court against an offending party including, but not limited to, a class action brought pursuant to the rules of the Missouri supreme court. The court shall award all attorney's fees and costs, including expert witness fees and other litigation expenses, to the prevailing plaintiff. A prevailing plaintiff may recover for each violation: (1) Against a private entity that negligently violates a provision of sections 1.561 to 1.572, liquidated damages of one thousand dollars or actual damages, whichever is greater; (2) Against a private entity that intentionally or recklessly violates a provision of sections 1.561 to 1.572, liquidated damages of five thousand dollars or actual damages, whichever is greater; and (3) Other relief, including an injunction, as the state or federal court may deem appropriate.