Facial Recognition Debt Collection: What Collectors Can and Cannot Do (2026 Laws)
Updated March 2026 · 10 min read · BIPA, FDCPA, and Privacy Rights
The Short Version
Debt collectors using facial recognition technology must comply with strict biometric privacy laws including BIPA (Illinois), Texas Capture or Use of Biometric Identifier Act, and Washington's biometric law. Collectors generally CANNOT scan your face without written consent, store your biometric data indefinitely, or share it with third parties. Violations can result in $1,000–$5,000 per scan in statutory damages.
A debt collector calls you. During the call, they mention they "identified you" from a social media profile or security camera footage using facial recognition. Or perhaps you discover a collector has been scanning faces at your workplace to locate debtors.
This is not science fiction. Debt collectors increasingly use technology to find and identify consumers. But facial recognition and biometric scanning are heavily regulated — and many collectors violate these laws without realizing it.
This guide explains what debt collectors can and cannot do with facial recognition, your rights under federal and state biometric privacy laws, and how to sue collectors who violate these protections.
Federal Law: FDCPA Limitations
The Fair Debt Collection Practices Act (FDCPA) does not specifically mention facial recognition, but several provisions limit how collectors can use technology to identify you:
FDCPA Section 806: Harassment or Abuse
Collectors cannot engage in conduct that would harass, oppress, or abuse you. Using invasive technology like facial recognition without consent could constitute harassment, especially if done repeatedly or in connection with other aggressive tactics.
FDCPA Section 805: Communication in Connection With Collection
Collectors cannot communicate with you in an unusual place or at an unusual time. Using facial recognition to locate you at your home or workplace when you have requested no contact could violate this provision.
FDCPA Section 807: False or Misleading Representations
Collectors cannot falsely represent the character, amount, or legal status of a debt. If a collector claims they "identified you through official government facial recognition databases" when they did not, this could be a false representation.
Key Limitation
The FDCPA applies only to third-party debt collectors, not original creditors. If your original creditor uses facial recognition, FDCPA protections may not apply (but state laws might).
State Biometric Privacy Laws
State laws provide much stronger protection against facial recognition abuse. The three major biometric privacy laws are:
1. Illinois BIPA (Biometric Information Privacy Act)
The strongest biometric privacy law in the U.S.
Requirement
What It Means
Written consent required
Collectors must get your written consent BEFORE scanning your face or other biometric data
Written retention schedule
Must provide written policy explaining when biometric data will be destroyed
Destruction requirement
Must destroy biometric data when the initial purpose is fulfilled or within 3 years of last interaction
No selling/profiting
Cannot sell, lease, trade, or otherwise profit from biometric data
Private right of action: Yes — you can sue directly
Damages: $1,000 per negligent violation, $5,000 per intentional/reckless violation
Attorney fees: Prevailing plaintiffs can recover fees and costs
Real Cases
BIPA has produced some of the largest privacy settlements in history: Facebook ($650 million), Google ($100 million), Ring ($17 million). Debt collectors using facial recognition without consent face similar liability.
2. Texas Capture or Use of Biometric Identifier Act
Consent: Requires informed consent before collecting biometric data
Destruction: Must destroy within reasonable time
Private right of action: Limited — primarily enforced by Attorney General
Damages: Up to $25,000 per violation (civil penalty)
3. Washington Biometric Identifiers Law
Consent: Requires consent before enrolling biometric data in database
Commercial use: Prohibits commercial use without consent
Private right of action: Enforced by Attorney General only
Damages: Up to $25,000 per violation
4. California Consumer Privacy Act (CCPA/CPRA)
California treats biometric data as "sensitive personal information":
Right to know: You can request what biometric data a collector has
Right to delete: You can request deletion of biometric data
Right to limit use: Can limit use of sensitive personal information
Private right of action: Limited to data breaches
5. New York Biometric Privacy Law
Effective: July 2021
Consent: Requires written consent for commercial use
Private right of action: Yes
Damages: $500 per negligent violation, $5,000 per intentional violation
What Debt Collectors CANNOT Do
Illegal Practices
The following facial recognition uses by debt collectors are likely illegal:
Scan without consent: Using facial recognition to identify you from social media, security footage, or public cameras without your written consent
Store indefinitely: Keeping your biometric data forever without a destruction schedule
Share with others: Selling or sharing your facial scan data with other collectors or data brokers
Use for unrelated purposes: Using your biometric data for purposes beyond the original debt collection
Hide usage: Failing to disclose that they are using facial recognition technology
Workplace scanning: Using facial recognition at your workplace to publicly identify you as a debtor
What Debt Collectors CAN Do (Legally)
Use publicly available photos: Viewing your public social media profiles to confirm identity (but not scanning biometrically without consent)
Request consent: Asking for your written consent to use biometric verification (e.g., for phone authentication)
Verify with consent: Using facial recognition for identity verification IF you have provided written consent
Follow retention schedules: Storing biometric data temporarily if they have a written destruction policy
How to Sue a Debt Collector for Facial Recognition Violations
Gather Evidence
You need proof the collector used facial recognition:
Recorded calls where they mention facial recognition or "photo identification"
Written communications referencing biometric data
Witness testimony (coworkers who saw collector scanning faces)
Documentation of where/when scanning occurred
Send a Preservation Letter
Demand the collector preserve all biometric data and related documents. This prevents destruction of evidence.
File Administrative Complaints
Report violations to:
Illinois Attorney General (for BIPA violations)
FTC (for unfair/deceptive practices)
CFPB (for FDCPA violations)
Your state Attorney General
Consult a Privacy Attorney
BIPA and similar laws allow recovery of attorney fees, making it easier to find representation. Search for attorneys specializing in:
Biometric privacy litigation
Consumer privacy class actions
FDCPA violations
File Lawsuit
Depending on the violation:
BIPA: File in Illinois state or federal court
FDCPA: File in federal court
State law: File in your state court
Potential Damages
Law
Damages Per Violation
BIPA (negligent)
$1,000 per scan
BIPA (intentional/reckless)
$5,000 per scan
New York (negligent)
$500 per scan
New York (intentional)
$5,000 per scan
FDCPA
Up to $1,000 + actual damages
Actual damages
Emotional distress, lost wages, identity theft costs
Debt Collector Using Unlawful Tactics?
If a debt collector is violating your privacy rights, start by demanding they validate the debt and cease unlawful communication. Our free tool generates a legally-grounded letter in under 60 seconds.
Free · No sign-up required · Instantly downloadable
Checklist: Protecting Your Biometric Privacy
☐ Review social media privacy settings (limit public photos)
☐ Ask collectors if they use biometric technology
☐ Never give written consent for facial recognition unless necessary
☐ Document any mention of facial recognition by collectors
☐ Request deletion of any biometric data under CCPA
☐ File complaints with state Attorney General for violations
☐ Consult privacy attorney if you discover unauthorized scanning
Frequently Asked Questions
Can debt collectors use my social media photos to identify me?
Viewing public photos is generally legal, but using facial recognition technology to scan and identify you from those photos without consent likely violates BIPA and similar laws. The key distinction is manual viewing (generally legal) vs. automated biometric scanning (requires consent).
Do I need to live in Illinois to sue under BIPA?
Courts are split on this issue. Some cases have allowed out-of-state plaintiffs to sue if the collector is based in Illinois or the scanning technology is operated from Illinois. Consult an attorney about your specific situation.
Can I sue if the collector only scanned me once?
Yes. BIPA allows $1,000–$5,000 per violation, and each unlawful scan is a separate violation. A single scan can support a lawsuit, though damages would be limited to that one violation unless there is a pattern.
What if I gave consent but want to revoke it?
You can revoke consent at any time. Send written notice to the collector demanding they stop using your biometric data and delete existing scans. Under BIPA, they must comply within a reasonable time.
Are there criminal penalties for facial recognition abuse?
Generally no — biometric privacy laws are civil statutes. However, extreme cases involving stalking, harassment, or identity theft could potentially trigger criminal charges under other laws.
Legal Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Biometric privacy laws are complex and vary by jurisdiction. For advice specific to your situation, consult a licensed privacy attorney or consumer rights attorney.