# Biometric Underwriting Data: Privacy Rules to Know for 2026
A 2026 compliance brief on consent, retention, and disclosure expectations for biometric underwriting data, written for chief underwriting officers and compliance partners.

Accelerated and instant-issue programs have changed what flows into an underwriting decision. A questionnaire answer is a statement. A heart rate variability reading, a facial-scan-derived vital, or a voice biomarker is something else entirely: it is personal physiological data with its own regulatory weight. As carriers expand fluidless pathways, the governance question moves from "can we model this signal" to "are we allowed to collect, keep, and share it the way our pipeline assumes." For 2026, biometric underwriting data sits at the intersection of state biometric statutes, insurance-specific privacy model laws, and a maturing set of AI governance expectations that examiners are now actually checking.
By early 2026, more than 25 states plus Washington, D.C. had adopted the NAIC Model Bulletin on the Use of AI Systems by Insurers, which requires a documented written AI program covering data inputs such as biometric signals. Source: NAIC, 2023-2026.
## What counts as biometric underwriting data, and why the category matters
The first compliance trap is definitional. Many underwriting leaders assume "biometric" means fingerprints and retina scans, the narrow set named in older statutes. The working definition is broadening. The Illinois Biometric Information Privacy Act (BIPA) covers a "biometric identifier" and "biometric information" derived from it, and courts have read that language expansively since the Illinois Supreme Court's 2019 Rosenbach v. Six Flags decision established that a procedural violation alone confers standing. Texas (CUBI) and Washington maintain parallel regimes, and Washington's My Health My Data Act, effective 2024, reaches "consumer health data" in a way that can capture physiological measurements gathered outside a clinical setting.
For a carrier, the practical test is this: if a data input is a measurement of the body that can be tied to an individual, treat it as biometric underwriting data and govern it accordingly, even if your vendor calls it a "wellness signal" or a "derived score." The regulatory direction of travel is toward broader, not narrower, coverage.
Three obligations recur across nearly every framework that touches this data:
- Consent that is informed, specific, and obtained before collection.
- A published retention schedule with a defined destruction trigger.
- Limits on disclosure, sale, and downstream use, with affirmative opt-in for the highest-risk transfers.
## Comparing the major 2026 frameworks
The frameworks below do not align neatly, which is the core compliance problem. A single accelerated program may simultaneously face a state biometric statute, the insurance privacy model law, and the AI governance bulletin. The table summarizes where each lands on the obligations that matter most for underwriting data compliance.
| Framework | Consent standard | Retention rule | Disclosure / sale limit | Enforcement teeth |
|---|---|---|---|---|
| Illinois BIPA | Written, informed, pre-collection | Public schedule; destroy by purpose completion or 3 years after last interaction | No sale or profiting without consent | Private right of action; $1,000 negligent / $5,000 reckless per claim |
| Texas CUBI | Informed consent before capture | Destroy within reasonable time, generally 1 year after purpose ends | Restricted sale and disclosure | Attorney General enforcement; civil penalties |
| NAIC Model #672 (proposed amendments) | Affirmative opt-in to sell personal information | Consumer access, correction, and deletion rights | Opt-in before sale of personal data | State insurance department exams |
| NAIC AI Model Bulletin | Disclosure that AI systems are in use | Governed under written AIS Program | Vendor and third-party oversight required | Market conduct exams; adopted in 25+ states |
The mismatch in retention windows alone, three years under BIPA versus a shorter "reasonable" period under CUBI, means a national program cannot rely on a single retention clock. Most carriers operating across states default to the strictest applicable rule per jurisdiction.
## Consent requirements underwriters cannot delegate away
Consent is where biometric programs most often fail an audit, and the failure is usually structural rather than malicious. A vendor captures a face scan in an app, the applicant taps "agree" on a generic terms-of-service screen, and the carrier assumes coverage. Under BIPA's consent requirements, that is frequently insufficient: the statute expects a written release that names the specific purpose and the duration of collection, storage, and use. Bundling biometric consent into a broad privacy policy has repeatedly drawn litigation.
For accelerated underwriting, three consent practices reduce exposure:
- Separate the biometric consent from the general application consent so it is specific and demonstrable.
- State the purpose narrowly (underwriting and risk classification) rather than open-ended "service improvement" language that invites scope challenges.
- Capture and store proof of consent with a timestamp, because the burden of showing valid consent falls on the entity that collected the data.
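The three consent practices above, together with the per-jurisdiction retention clocks from the comparison table, as an added Python illustration that is not from the original brief or any carrier's system: it stores a hashed, timestamped consent record, reports audit findings against the three practices, and computes a destruction deadline per jurisdiction (BIPA: purpose completion or three years after last interaction, whichever is first; CUBI: assumed one year after the purpose ends, per the table's "generally" wording), taking the earliest date when several apply. The jurisdiction codes, the allowed-purpose list, and the applicant records are constructed for the example.

```python
"""Consent-provenance record and retention-clock evaluator for biometric
underwriting data. Added illustration; the rules encoded below are the
article's table summaries (assumed), not a legal determination."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Narrow purposes this hypothetical program accepts on a biometric release.
ALLOWED_PURPOSES = {"underwriting and risk classification"}


@dataclass(frozen=True)
class ConsentRecord:
    applicant_id: str
    purpose: str
    data_types: tuple[str, ...]   # biometric inputs named on the release
    release_sha256: str           # hash of the exact release text shown
    consented_at: datetime        # UTC moment the applicant agreed
    separate_release: bool        # True only if not bundled into general terms


def record_consent(applicant_id: str, purpose: str, data_types, release_text: str,
                   consented_at: datetime, separate_release: bool) -> ConsentRecord:
    """Hash the release text so the stored proof is tied to what was shown."""
    digest = hashlib.sha256(release_text.encode("utf-8")).hexdigest()
    return ConsentRecord(applicant_id, purpose, tuple(data_types), digest,
                         consented_at, separate_release)


def consent_findings(record: ConsentRecord, collected_at: datetime) -> list[str]:
    """Audit findings for one collection event; empty means consent is demonstrable."""
    findings: list[str] = []
    if not record.separate_release:
        findings.append("consent bundled into general terms rather than a separate release")
    if record.purpose not in ALLOWED_PURPOSES:
        findings.append(f"purpose not narrowly scoped: {record.purpose!r}")
    if record.consented_at.tzinfo is None or collected_at.tzinfo is None:
        findings.append("timestamps must be timezone-aware to be demonstrable")
    elif record.consented_at > collected_at:
        findings.append("consent timestamp is after collection timestamp")
    if not record.data_types:
        findings.append("release does not enumerate the biometric data types collected")
    return findings


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(jurisdiction: str, last_interaction: date,
                         purpose_completed: date | None) -> date | None:
    """Destruction date under one framework, or None if no trigger has fired yet."""
    if jurisdiction == "IL_BIPA":  # assumed code; table: purpose done or 3 years idle
        by_inactivity = _add_years(last_interaction, 3)
        return min(by_inactivity, purpose_completed) if purpose_completed else by_inactivity
    if jurisdiction == "TX_CUBI":  # assumed code; table: ~1 year after purpose ends
        return _add_years(purpose_completed, 1) if purpose_completed else None
    raise ValueError(f"no retention rule encoded for {jurisdiction}")


def strictest_deadline(jurisdictions, last_interaction: date,
                       purpose_completed: date | None) -> date | None:
    """Earliest fired deadline across every jurisdiction the program touches."""
    fired = [d for j in jurisdictions
             if (d := destruction_deadline(j, last_interaction, purpose_completed))]
    return min(fired) if fired else None


if __name__ == "__main__":
    # Constructed applicant: consented 10:00 UTC, scan captured 10:05 UTC.
    rec = record_consent("APPL-0001", "underwriting and risk classification",
                         ["facial_scan_vitals", "hrv"], "Biometric release text v3",
                         datetime(2026, 1, 15, 10, 0, tzinfo=timezone.utc), True)
    print(consent_findings(rec, datetime(2026, 1, 15, 10, 5, tzinfo=timezone.utc)))
    print(strictest_deadline(("IL_BIPA", "TX_CUBI"), date(2026, 1, 15), date(2026, 3, 1)))
```

Storing the release hash rather than only a boolean is what lets the record answer "what exactly did the applicant agree to" during an exam; the retention evaluator returns `None` until a trigger fires so that a purpose still in progress under CUBI does not silently suppress the BIPA inactivity clock.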
The financial-institution exemption under BIPA Section 25(c), available to entities subject to Title V of the Gramm-Leach-Bliley Act, has offered some insurers relief, but its application is fact-specific and contested. Counsel at firms including Dorsey & Whitney have cautioned through 2025 and 2026 that carriers should not assume the exemption covers every biometric workflow, particularly those involving third-party vendors who are not themselves GLBA-covered.
## Industry applications: where the rules bite in practice
### Instant-issue and app-based capture
Smartphone-based vitals capture is the fastest-growing source of biometric underwriting data, and it is also the most exposed because collection happens directly on a consumer device. The disclosure obligation under the NAIC AI Model Bulletin pairs with state biometric consent here: applicants should be told both that biometric data is being collected and that an AI system may use it in a decision affecting them.
### Vendor and reinsurer data sharing
Reinsurers increasingly want access to the underlying biometric signals to validate mortality assumptions, not just the final decision. Each transfer is a disclosure event. The proposed NAIC Model #672 amendments point toward affirmative opt-in before selling personal information and grant consumers access, correction, and deletion rights, which reframes data-sharing agreements that were drafted when only structured questionnaire data moved between parties.
### Adverse action and explainability
When a biometric-influenced model contributes to a decline or a rating, fair-credit-style adverse action expectations and the bulletin's fairness and non-discrimination principles converge. Carriers should be able to trace which inputs drove a decision and document that the model was tested for proxy discrimination, since physiological signals can correlate with protected characteristics.
## Current research and evidence
The regulatory record for 2026 is unusually active. The NAIC adopted its Model Bulletin on the Use of AI Systems by Insurers in December 2023, and the National Association of Insurance Commissioners reports adoption by more than 25 states and Washington, D.C. by early 2026. The bulletin requires insurers to maintain a written AI Systems (AIS) Program governing data inputs, vendor oversight, transparency, and accountability, which directly captures biometric inputs used in underwriting.
On the litigation side, the Seventh Circuit in April 2026 addressed BIPA damage accrual, applying a 2024 legislative amendment that limits recovery to a single claim per person rather than per scan. As analyzed by WilmerHale and Hunton Andrews Kurth in 2026, this meaningfully reduces aggregate exposure but does not change the underlying consent and retention duties; it changes only the size of the potential penalty. Separately, Erie County, New York enacted a local biometric privacy ordinance effective June 5, 2026, requiring consent and deletion policies, a reminder that municipal rules now add a layer beneath state law.
The NAIC Privacy Protections Working Group continued through 2025 and into 2026 to revise Model #672, adding explicit definitions for biometric and genetic information and expanding consumer rights to access, correct, and delete nonpublic personal information. Carlton Fields and Mayer Brown have tracked this work as the most consequential near-term shift for insurance-specific data governance.
## The future of biometric underwriting data governance
The trajectory is toward convergence with general consumer privacy norms and away from the carve-outs insurers historically relied on. Three developments are worth watching:
- Harmonization of insurance privacy law with comprehensive state privacy acts, narrowing the GLBA and insurance exemptions that currently shield some workflows.
- Examiner focus shifting from policy existence to operational evidence, meaning carriers will need to produce consent logs, retention destruction records, and bias-testing results on demand.
- Expansion of what qualifies as biometric or consumer health data, pulling derived scores and inferred physiological metrics into scope.
For chief underwriting officers, the strategic implication is that biometric data programs should be built with governance as a design input, not a downstream compliance review. The carriers that document consent provenance, retention triggers, and model explainability now will move fastest when biometric pathways become the default rather than the experiment.
## Frequently asked questions
Is biometric underwriting data treated differently from other underwriting data? Yes. Biometric data carries heightened consent, retention, and disclosure obligations under state statutes such as BIPA and CUBI, and is increasingly named in insurance privacy model laws. Standard application data does not face the same per-violation penalties or mandatory destruction timelines.
What consent is required before collecting biometric data for underwriting? Most frameworks require informed, specific, written consent obtained before collection, stating the purpose and the duration of storage and use. Bundling biometric consent into a general privacy policy has repeatedly been challenged, so a separate, documented release is the safer practice.
How long can a carrier retain biometric underwriting data? It depends on jurisdiction. BIPA requires destruction when the collection purpose is satisfied or within three years of the individual's last interaction, whichever comes first. Texas CUBI uses a shorter reasonable-time standard. National programs typically apply the strictest applicable rule per state.
Does the NAIC AI Model Bulletin apply to biometric data? Yes, indirectly. The bulletin governs AI systems and their data inputs, requiring a written AIS Program, consumer disclosure, vendor oversight, and bias testing. Biometric signals used in an underwriting model fall within that program's scope.
Circadify is building governance documentation for biometric underwriting data alongside the data itself, so accelerated programs can show consent provenance, retention controls, and model accountability under 2026 expectations. Chief underwriting officers and compliance partners can review the whitepapers and actuarial data at circadify.com/industries/payers-insurance.
