US Privacy Law and Identity Documents: Compliance Guide
Privacy compliance for identity documents in the US: CCPA, state privacy laws, BIPA, collection rules, retention periods, and data protection.

Collecting a copy of an identity document is routine for most US businesses. It is also one of the highest-risk data handling activities under the growing patchwork of federal and state privacy laws. An identity document contains sensitive personal information (a unique number, photograph, signature, and sometimes biometric data) whose non-compliant processing exposes the business to enforcement actions by the Federal Trade Commission (FTC), state attorneys general, and private lawsuits under statutes like Illinois' Biometric Information Privacy Act (BIPA). This guide covers the applicable US rules, regulatory guidance, and the concrete measures required to process identity documents in full compliance.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
The Legal Framework: What US Law Says About Identity Documents
The United States does not have a single, comprehensive federal privacy law equivalent to the EU's GDPR. Instead, identity document processing is governed by a layered system of federal sector-specific statutes, state consumer privacy laws, and state biometric data laws. The FTC issued over $500 million in data security and privacy penalties in 2024, with identity data mishandling among the most cited enforcement triggers (FTC Privacy and Data Security Update 2024).
Federal Laws That Apply
Several federal statutes govern specific aspects of identity document collection and processing:
The Gramm-Leach-Bliley Act (GLBA). Financial institutions (broadly defined to include banks, insurance companies, broker-dealers, and certain non-bank lenders) must protect the security and confidentiality of customer nonpublic personal information (NPI). The FTC Safeguards Rule, updated in 2023, requires a written information security program with administrative, technical, and physical safeguards, including encryption of customer information in transit and at rest.
The Fair Credit Reporting Act (FCRA). When identity documents are collected as part of a consumer report or background check, the FCRA imposes permissible purpose requirements, adverse action notice obligations, and dispute resolution procedures. Identity verification providers who furnish reports to third parties may be classified as consumer reporting agencies under the FCRA.
The Bank Secrecy Act (BSA). Financial institutions subject to BSA/AML obligations must collect, verify, and retain identity documents under the Customer Identification Program (CIP) and Customer Due Diligence (CDD) rules. Records must be retained for 5 years after account closure.
The Privacy Act of 1974. Applies to federal agencies, not the private sector, but establishes principles (purpose limitation, access rights, record accuracy) that inform state law and regulatory expectations for government-issued identity data.
State Privacy Laws: The New Compliance Frontier
As of January 2026, comprehensive consumer privacy laws are in effect in 20 states. The most significant for identity document processing are:
| State Law | Effective | Scope | Key Provisions for Identity Documents |
|---|---|---|---|
| CCPA/CPRA (California) | 2020/2023 | Businesses meeting revenue/data thresholds | Government ID numbers classified as sensitive PI; requires purpose limitation, data minimization, opt-out rights |
| Virginia CDPA | 2023 | Businesses meeting data thresholds | Consent required for sensitive data; data minimization; DPIA required for high-risk processing |
| Colorado Privacy Act | 2023 | Businesses meeting data thresholds | Consent for sensitive data; purpose limitation; universal opt-out mechanism |
| Connecticut CTDPA | 2023 | Businesses meeting data thresholds | Consent for sensitive data; data minimization; 45-day access request response |
| Texas TDPSA | 2024 | Businesses meeting data thresholds | Consent for sensitive data; DPIA for targeted advertising using sensitive data |
Critical point. Even businesses not headquartered in these states must comply if they process personal information of residents from those states. A New York-based fintech serving California customers must comply with CCPA/CPRA for those customers' identity documents.
State Biometric Data Laws
Biometric data extracted from identity documents during automated verification faces additional regulation:
Illinois BIPA is the strictest biometric privacy law in the US. It requires informed written consent before collecting biometric identifiers (facial geometry, fingerprints), prohibits sale of biometric data, mandates a publicly available retention and destruction schedule, and, critically, provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. In 2024 alone, BIPA settlements exceeded $1.5 billion, including the $650 million Facebook settlement and the $228 million TikTok settlement (BIPA Litigation Tracker).
Texas CUBI and Washington's biometric identifier law impose similar consent requirements but lack a private right of action, relying instead on enforcement by the state attorney general.
The Core Principles That Apply to Identity Documents
Five principles drawn from the aggregate of US federal and state privacy laws apply directly to identity document collection and processing:
Lawfulness and permissible purpose. Collecting an identity document must rest on a recognized legal basis or permissible purpose. Depending on the context, this may be a legal obligation (BSA/AML KYC, employment I-9 verification), contractual necessity (lease agreement, insurance underwriting), or a disclosed business purpose under applicable state law. Under CCPA/CPRA, businesses must disclose the categories of personal information collected and the purposes for collection at or before the point of collection.
Data minimization. Collect only the information strictly necessary for the stated purpose. This principle appears in CCPA/CPRA, Virginia CDPA, Colorado Privacy Act, and virtually every state comprehensive privacy law. Its practical implications for identity documents are significant and detailed below.
Storage limitation. Identity documents cannot be retained indefinitely. The retention period must be defined in advance and justified by the processing purpose. Multiple state laws require public disclosure of retention policies, and BIPA specifically requires a written retention schedule for biometric data.
Security safeguards. Identity documents must be protected against unauthorized access, loss, destruction, or alteration through appropriate technical and organizational measures. The FTC Safeguards Rule and state data breach notification laws (all 50 states plus DC have them) create affirmative security obligations.
Transparency and notice. The individual whose identity is being verified must be informed clearly and completely: who collects their data, why, for how long, and what their rights are. CCPA/CPRA requires a "notice at collection," and state biometric laws require specific written disclosures.
Data Minimization Applied to Identity Documents
Data minimization is the most frequently overlooked principle in identity document processing. Regulators and courts have provided increasingly precise guidance.
Redaction of unnecessary data. When a document copy is required, data not relevant to the stated purpose must be redacted. For example, when verifying a tenant's identity for a lease application, the Social Security Number is unnecessary unless a credit check is being run (which has its own FCRA consent requirements).
Prohibition on collecting certain data. The FTC has taken enforcement action against companies that collected and retained biometric data (facial geometry from ID photos) without adequate disclosure or consent. For purely administrative verification, the photo should be redacted from stored copies.
Data to redact by purpose:
| Purpose | Necessary Data | Data to Redact |
|---|---|---|
| Property rental (identity only) | Name, date of birth, validity | Photo, SSN, document number, signature |
| Bank account opening (BSA/KYC) | All document data | None (legal obligation under CIP Rule) |
| Employment (I-9 verification) | Name, photo, document number, work authorization, expiry | SSN (collected separately on I-9) |
| Age verification | Date of birth | Everything else |
| Insurance underwriting | Name, date of birth, address, validity | Photo (unless for biometric verification), SSN (unless for credit check) |
Retention Periods
US law imposes varying retention periods depending on the purpose and legal basis:
| Context | Retention Period | Legal Basis |
|---|---|---|
| Banking/insurance KYC (see KYC 2026 requirements) | 5 years after end of business relationship | BSA/CIP Rule, FinCEN regulations |
| Employment (I-9 form and documents) | 3 years from hire date or 1 year after termination, whichever is later | 8 CFR § 274a.2 |
| Property rental (accepted application) | Duration of lease + applicable statute of limitations (varies by state, typically 3-6 years) | State landlord-tenant law |
| Property rental (rejected application) | 30 days maximum recommended | FTC guidance, state fair housing laws |
| One-time identity verification | Duration of the verification only, no retention | FTC data minimization expectations |
| AML/CFT compliance | 5 years after execution of the transaction | BSA record-keeping requirements |
| Biometric data (BIPA states) | Must be destroyed when initial purpose is satisfied or within 3 years of last interaction | Illinois BIPA, 740 ILCS 14/15(a) |
Common mistake. Retaining identity documents of rejected rental applicants indefinitely is a violation of data minimization principles and has attracted FTC enforcement interest. Multiple property management companies have been subject to state AG investigations on this exact point.
Technical Measures to Protect Identity Documents
Identity documents carry a high risk of identity theft in the event of a data breach. The FTC Safeguards Rule, state data breach notification laws, and industry best practices require technical measures commensurate with that risk.
The FTC Safeguards Rule (updated June 2023) requires encryption of customer information in transit and at rest, access controls based on need-to-know, continuous monitoring of security controls, and an incident response plan, with mandatory notification to the FTC within 30 days of discovering a breach affecting 500+ customers (FTC Safeguards Rule).
Mandatory Measures per Federal and State Requirements
Encryption at rest and in transit. Digital copies of identity documents must be encrypted with a recognized algorithm (AES-256 minimum as recommended by NIST SP 800-175B). Transmissions must use TLS 1.2 or higher.
Strict access controls. Access to identity documents must be limited to individuals with a justified operational need. Access rights must be reviewed at least quarterly. Every access must be logged in an audit trail. The principle of least privilege applies.
Secure hosting. Identity documents must be hosted on infrastructure with SOC 2 Type II certification at minimum. For financial institutions, the OCC and FDIC examination guidelines require that third-party service providers meet security standards equivalent to the institution's own obligations. Our security page details the standards we meet.
Secure deletion. At the end of the retention period, documents must be deleted irreversibly using methods consistent with NIST SP 800-88 Guidelines for Media Sanitization: cryptographic erasure or physical destruction of the storage medium. Moving a file to the recycle bin does not constitute compliant deletion.
Recommended Measures for High-Volume Processing
For businesses processing more than 1,000 identity documents per month, regulators and industry standards recommend additional measures:
- Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA). Required under Virginia CDPA and Colorado Privacy Act for high-risk processing of sensitive data. Recommended by the FTC for large-scale processing of identity documents.
- Pseudonymization of extracted data. Data extracted from documents (name, number) should be pseudonymized in production databases. The link to the source document should be accessible only in a dedicated secure environment.
- Environment segregation. Production, testing, and development environments must be strictly separated. No real identity documents should be present in test environments.
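One way to combine the "Necessary Data" allowlist from the redaction table with the pseudonymization bullet above. This is an added example, not CheckFile code; the purpose keys, field names, sample record and key are constructed, and the `vault` dictionary stands in for the dedicated secure environment.

```python
import hashlib
import hmac

# Allowlist per purpose, from the "Necessary Data" column of the redaction table.
# Purpose keys and field names are this example's own.
NECESSARY_FIELDS = {
    "property_rental": {"name", "date_of_birth", "valid_until"},
    "age_verification": {"date_of_birth"},
    "employment_i9": {"name", "photo", "document_number",
                      "work_authorization", "valid_until"},
}

# Direct identifiers that production stores only as tokens.
PSEUDONYMIZED_FIELDS = {"name", "document_number"}


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token. A plain hash would not do: document numbers
    have a small search space and can be recovered by enumeration."""
    message = field.encode() + b"\x00" + value.strip().casefold().encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def to_production_record(extracted: dict, purpose: str, key: bytes, vault: dict) -> dict:
    """Return the record the production database may hold for this purpose.

    `vault` stands in for the dedicated secure environment: the only place
    where a token can be mapped back to the original value.
    """
    allowed = NECESSARY_FIELDS[purpose]   # unknown purpose raises: fail closed
    record = {}
    for field, value in extracted.items():
        if field not in allowed:
            continue                      # minimized away, never written
        if field in PSEUDONYMIZED_FIELDS:
            token = pseudonym(key, field, value)
            vault[token] = value          # re-identification link, kept apart
            record[field] = token
        else:
            record[field] = value
    return record


# Constructed extraction output for one driver's license (no real person or number).
SAMPLE_EXTRACTED = {
    "name": "Jane Q. Sample",
    "date_of_birth": "1990-04-12",
    "document_number": "D1234567",
    "ssn": "000-00-0000",
    "photo": "<image bytes>",
    "signature": "<image bytes>",
    "valid_until": "2029-04-12",
}
# Constructed key; a real one is generated randomly and held only in the secure environment.
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    vault = {}
    print(to_production_record(SAMPLE_EXTRACTED, "property_rental", SAMPLE_KEY, vault))
    print(to_production_record(SAMPLE_EXTRACTED, "age_verification", SAMPLE_KEY, vault))
```

Because the token is deterministic under one key, production tables can still be joined on it; rotating or destroying the key breaks that link for every record at once.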
Consumer Rights Under US Privacy Laws
State comprehensive privacy laws and federal sector-specific statutes grant consumers rights applicable to identity documents. Businesses that fail to honor these requests face enforcement action from the FTC, state AGs, and in some cases, private lawsuits.
Rights Summary Table
| Right | Response Deadline | Applicable Law | Specifics |
|---|---|---|---|
| Access / Know | 45 days (CCPA) | CCPA/CPRA, Virginia CDPA, Colorado | Business must disclose what identity data is held, categories, and purposes |
| Deletion | 45 days (CCPA) | CCPA/CPRA, Virginia CDPA, Colorado | Delete unless retention required by law (BSA/KYC) |
| Correction | 45 days (CCPA) | CCPA/CPRA, Virginia CDPA | In case of identity change (marriage, legal name change) |
| Opt-out of sale/sharing | Immediate | CCPA/CPRA | Must honor "Do Not Sell" signal; identity data rarely sold but may be "shared" for verification |
| Data portability | 45 days | CCPA/CPRA, Virginia CDPA | Machine-readable format for data provided by the consumer |
| Appeal | Varies | Virginia CDPA, Colorado, Connecticut | Consumer can appeal denied rights request |
Deletion Requests: Practical Scenarios
The right to deletion is the most frequent and most delicate request to handle for identity documents. Three typical situations:
Scenario 1: A customer requests deletion of their driver's license copy after closing their bank account. The bank can decline if the BSA 5-year record-keeping period has not elapsed. However, it must inform the customer of the legal basis justifying continued retention and the scheduled deletion date.
Scenario 2: A rejected rental applicant requests deletion of their documents. The property management company must delete all documents promptly. Extended retention of rejected applicant documents invites regulatory scrutiny.
Scenario 3: A former employee requests deletion of their I-9 documents 4 years after termination. The company must verify whether the retention period under 8 CFR § 274a.2 has elapsed (3 years from hire or 1 year after termination, whichever is later). If the period has passed, deletion must proceed.
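The three scenarios above as a decision function, using the periods from the Retention Periods table. This is an added example, not CheckFile code; the context keys, field names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Contexts with a statutory retention duty, and the basis cited in the table.
LEGAL_BASIS = {
    "bank_kyc": "BSA/CIP Rule, FinCEN regulations",
    "employment_i9": "8 CFR § 274a.2",
}


@dataclass
class DocumentRecord:
    context: str                       # "bank_kyc", "employment_i9", "rental_rejected"
    collected: date
    hire_date: Optional[date] = None   # employment_i9 only
    end_date: Optional[date] = None    # account closure, termination or rejection


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb maps to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def delete_after(rec: DocumentRecord) -> Optional[date]:
    """Date the copy becomes due for deletion; None while the clock has not started."""
    if rec.context == "bank_kyc":
        # 5 years after the end of the business relationship
        return add_years(rec.end_date, 5) if rec.end_date else None
    if rec.context == "employment_i9":
        # 3 years from hire or 1 year after termination, whichever is later
        if rec.end_date is None:
            return None
        return max(add_years(rec.hire_date, 3), add_years(rec.end_date, 1))
    if rec.context == "rental_rejected":
        # 30 days maximum recommended
        return (rec.end_date or rec.collected) + timedelta(days=30)
    raise ValueError(f"no retention rule for context {rec.context!r}")


def handle_deletion_request(rec: DocumentRecord, today: date) -> dict:
    """Decline only while a statutory period is running, and say why and until when."""
    due = delete_after(rec)
    basis = LEGAL_BASIS.get(rec.context)
    if basis and (due is None or today < due):
        return {"action": "decline", "legal_basis": basis, "scheduled_deletion": due}
    return {"action": "delete", "legal_basis": None, "scheduled_deletion": today}


def due_for_deletion(records: list, today: date) -> list:
    """Records a scheduled job should erase: clock started and period elapsed."""
    return [r for r in records if (d := delete_after(r)) is not None and d <= today]


# Constructed sample records mirroring scenarios 1-3.
BANK = DocumentRecord("bank_kyc", date(2021, 2, 1), end_date=date(2024, 3, 1))
RENTAL = DocumentRecord("rental_rejected", date(2025, 1, 10), end_date=date(2025, 1, 15))
I9 = DocumentRecord("employment_i9", date(2018, 5, 14),
                    hire_date=date(2018, 5, 14), end_date=date(2021, 9, 30))

if __name__ == "__main__":
    for rec, when in [(BANK, date(2024, 6, 1)), (RENTAL, date(2025, 1, 20)),
                      (I9, date(2025, 10, 15))]:
        print(rec.context, handle_deletion_request(rec, when))
```

The "whichever is later" rule matters most for short tenures: an employee hired and terminated within the same year is still governed by the 3-years-from-hire limb.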
US Privacy Law and Automated Document Verification
Using automated document validation solutions raises specific privacy questions, particularly regarding automated decision-making, biometric data handling, and vendor management.
Automated Decision-Making
Unlike the GDPR's explicit Article 22 on automated decisions, US law addresses automated decision-making through a patchwork of sector-specific rules. The FCRA prohibits adverse actions based solely on consumer reports without providing notice and an opportunity to dispute. The CFPB has issued guidance requiring that consumers receive specific reasons when denied credit, even when the denial is based on AI/ML models. Colorado's Privacy Act requires disclosures when profiling is used for decisions that produce legal or similarly significant effects.
To remain compliant, the business must:
- Inform the individual that automated processing may be used
- Guarantee the ability for human review of adverse decisions
- Explain the logic behind any rejection (reason for rejection, unmet criterion)
Well-designed AI solutions build these requirements in natively by providing a structured reason for each rejection and routing borderline cases to a human operator.
Vendor Management and Data Processing Agreements
When a business uses an external provider for document verification, the relationship must be governed by appropriate contractual safeguards. Under CCPA/CPRA, the provider may be classified as a "service provider" (processing data on behalf of the business) and the contract must include:
- The nature and purpose of the processing
- Prohibition on using data for any purpose other than the contracted service
- Prohibition on selling or sharing the personal information received
- Compliance with applicable security standards
- Provisions for audit and inspection by the business
- Terms for data return and deletion at contract end
Under the GLBA Safeguards Rule, financial institutions must ensure that service providers maintain adequate safeguards and must contractually require them to do so.
Cross-Border Data Transfer Considerations
For US businesses with international operations, the choice of document verification provider must factor in cross-border transfer implications. The EU GDPR restricts transfers of personal data to countries that do not provide an adequate level of data protection. The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a mechanism for compliant transfers, but only for organizations that self-certify under the framework. Businesses processing identity documents of EU residents must either use a DPF-certified provider or implement Standard Contractual Clauses.
US Privacy Compliance Checklist for Identity Documents
Verify each of the following actions to ensure your identity document processing is compliant.
Before Collection
- Verify that collecting the identity document is justified by an identified legal basis or permissible purpose
- Confirm that the required verification level matches the stated purpose (presentation only vs. full copy)
- Draft or update the privacy notice including: identity of the collector, purpose, retention period, and consumer rights
- Obtain specific written consent if biometric data will be collected (BIPA, Texas CUBI)
- Conduct a PIA/DPIA if processing is large-scale or involves sensitive data (required in Virginia, Colorado)
During Processing
- Apply data minimization: redact data not necessary for the stated purpose
- Encrypt collected documents (at rest and in transit per NIST guidelines)
- Restrict access to authorized personnel only, with access logging
- If using an external KYC compliance provider, verify the existence of a service provider agreement and confirm security certifications (SOC 2 Type II minimum)
- If automated decisions are made, guarantee the right to human review and decision explanation
After Processing
- Schedule automatic deletion of documents at the end of the retention period per NIST 800-88 guidelines
- Implement a process for responding to consumer rights requests (access, deletion, correction) within 45 days (CCPA) or applicable deadline
- Document the processing in internal records
- Conduct an annual audit of retention compliance and access controls
- Maintain a data breach response plan compliant with all applicable state notification laws
Enforcement Actions Related to Identity Documents
The FTC, state attorneys general, and private plaintiffs have increasingly targeted identity document mishandling. The following cases illustrate the most common enforcement patterns.
| Year | Enforcer | Sanctioned Entity | Violation | Penalty |
|---|---|---|---|---|
| 2023 | Illinois AG | Property management company | Collecting facial biometrics from ID photos without BIPA consent | $2.5 million settlement |
| 2024 | FTC | Fintech company | Failure to encrypt stored identity documents, inadequate Safeguards Rule compliance | $3.2 million |
| 2024 | California AG | Rental platform | Excessive collection and indefinite retention of applicant identity data | $1.8 million |
| 2024 | Private (BIPA) | Identity verification vendor | Processing facial geometry without informed consent | $12 million class settlement |
| 2025 | FTC | Banking institution | Failure to implement data disposal procedures for expired KYC records | $5.5 million |
These enforcement actions illustrate the increasing vigilance of US regulators on identity document handling and the real financial consequences of non-compliance.
Balancing Privacy Compliance and Operational Efficiency
Privacy compliance and operational efficiency are not contradictory. The most advanced automated document verification solutions build privacy requirements in natively: automatic data minimization, end-to-end encryption, scheduled deletion, full audit trails, and the right to human intervention for adverse decisions.
CheckFile designed its document validation platform with native privacy compliance. Documents are encrypted end-to-end, automatically deleted at the expiration of the retention period you define, and every processing action is logged and auditable. Our platform processes over 180,000 documents per month with a 94.8% fraud detection rate and an average verification time of 4.2 seconds. Explore our pricing to find the plan that fits your document volume, or contact our team for a demo and a compliance audit of your current document workflows.
For a comprehensive overview, see our document compliance complete guide.
Frequently Asked Questions
When can a US business legally collect a copy of an identity document?
Collecting a full copy of an identity document is justified when required by law (BSA/AML KYC, employment I-9 verification), by contractual necessity (lease agreement requiring identity confirmation), or for a disclosed business purpose under applicable state privacy law. Many businesses systematically collect full document copies when a lower level of verification would suffice, which violates data minimization principles under CCPA/CPRA and other state privacy laws. The FTC has taken enforcement action against companies that collected identity data beyond what was necessary for the stated purpose.
What data must be redacted from an identity document copy when it is collected?
The data that must be redacted depends on the purpose of collection. For property rental identity verification, only the name, date of birth, and document validity period are necessary; the photo, Social Security Number, document number, and signature should be obscured. For age verification, only the date of birth is required and everything else must be redacted. Banking KYC under BSA regulations is one of the few contexts where all data fields on the document may legitimately be retained. If biometric data (facial geometry from the photo) will be extracted for automated comparison, separate informed written consent is required under Illinois BIPA and similar state laws.
How long can a US business retain identity document copies?
Retention periods depend on the legal basis. Banking and insurance KYC documents must be retained for 5 years after the end of the business relationship under BSA regulations. Employment I-9 documents must be retained for 3 years from hire date or 1 year after termination, whichever is later. For accepted rental applications, documents may be retained for the lease duration plus the applicable statute of limitations. For rejected rental applications, documents should be deleted within 30 days. Biometric data in BIPA jurisdictions must be destroyed when the initial purpose is satisfied or within 3 years of last interaction.
What technical measures are required to protect stored identity documents?
The FTC Safeguards Rule and NIST guidelines require AES-256 encryption at rest and TLS 1.2 or higher for transmissions. Access to identity documents must be restricted to individuals with a justified operational need, access rights must be reviewed quarterly, and every access must be logged. Deletion must be irreversible at the end of the retention period, consistent with NIST SP 800-88 media sanitization guidelines. SOC 2 Type II certification is the minimum standard for vendors handling identity documents in regulated industries.
What are the obligations when using an automated document verification system in the US?
Three specific compliance questions arise. First, if the system extracts biometric data (facial geometry for comparison), informed written consent is required under Illinois BIPA and similar state laws. Second, if the system makes automated decisions with legal or significant effects (such as denying a loan application), the FCRA and CFPB guidance require that the consumer receive specific adverse action reasons and an opportunity for human review. Third, the verification provider is a service provider under CCPA/CPRA (or equivalent under other state laws), and a compliant service provider agreement must be in place before any documents are shared, specifying data use restrictions, security standards, and deletion terms.
Related reading: For the broader AML framework driving KYC document retention obligations in the US, see our AML compliance guide. Law firms face unique challenges balancing privacy with attorney-client privilege; our guide on law firms automating KYC addresses this directly.