Virginia Facial Recognition Law: Police Can Now Search Your Face (2026)
On July 1, 2026, Virginia became the latest state to formally authorize police use of facial recognition technology. Local police departments can now run face searches against state databases, but with guardrails: no real-time surveillance, no live video feed databases, annual reporting requirements, and a match alone cannot establish probable cause. Sounds reasonable on paper. Meanwhile, a 50-year-old grandmother from Tennessee spent five months in a North Dakota jail after police arrested her based on a facial recognition match - for a crime in a state she'd never visited. Guardrails are only as good as the people following them. Here's what the Virginia law actually says, why wrongful arrests keep happening anyway, and what it means for your photos.

What changed on July 1
Before July 1, Virginia's approach to facial recognition was messy. A temporary moratorium had restricted most local police departments from using the technology, while state agencies and some larger departments operated under a patchwork of internal policies. Campus police at Virginia's public universities had their own parallel statute. The result was confusion about who could use what, and when.
The new law cleans that up by explicitly authorizing facial recognition for local law enforcement - with conditions. Any police department in Virginia can now run facial recognition searches, but they have to follow a specific set of rules first. Campus police at state universities are covered under a parallel statute with similar requirements.
The short version: facial recognition in Virginia went from "mostly banned with exceptions" to "explicitly allowed with guardrails." Whether those guardrails actually protect people is a different question.
How police facial recognition actually works
Most people picture some kind of sci-fi real-time scanning system. The reality is more mundane - and in some ways more concerning.
Here's the typical process: police have a photo of a suspect, usually pulled from surveillance footage or a crime scene camera. They upload that photo to a facial recognition system, which compares it against a database of known faces. The system returns a ranked list of possible matches, each with a similarity score.
The database part is what should get your attention. In most states, the comparison database is built from government-issued photo IDs. Your driver's license photo. Your passport photo. Your state ID. You never consented to having your face run through a criminal identification system - you just needed to drive to work. But your photo is sitting in a database that police can query whenever they have an unidentified suspect.
The system doesn't say "this is your person." It says "here are 20 people who look similar, ranked by probability." What happens next depends entirely on the officers running the investigation. In theory, they treat the match as a lead and do additional detective work. In practice, as we'll see, that doesn't always happen.
The guardrails Virginia put in place
Virginia's law isn't a blank check. The legislature built in several restrictions that, on paper, address the most common criticisms of police facial recognition.
- Published policy requirement. Every agency using facial recognition must publish a written policy describing how it uses the technology. This has to be publicly available - not buried in an internal handbook.
- Annual reporting. Agencies must report every facial recognition search to a state oversight body once a year, including demographic data on the people searched. This creates a paper trail - in theory, it lets legislators spot patterns of misuse or racial bias.
- No real-time surveillance. Police cannot use facial recognition for live, continuous tracking of individuals. They can run a single photo against a database, but they can't point a camera at a crowd and identify everyone in real time.
- No live video feed databases. Agencies are prohibited from building or accessing databases constructed from continuous video surveillance feeds. The database has to come from static sources like ID photos.
- Match cannot establish probable cause. A facial recognition hit, by itself, cannot be used in an affidavit to establish probable cause for arrest. It can only be used as exculpatory evidence - meaning it can help clear someone, but it can't be the basis for locking them up.
- Complete query history. Agencies must maintain a record of every query they run, including who ran it, when, and why. This creates accountability - if an officer runs searches outside of active investigations, there's a record.
- Misuse penalties. Using facial recognition outside these rules is a Class 3 misdemeanor. Not exactly a career-ender, but it's a criminal charge, not just an administrative slap on the wrist.
Each of these guardrails addresses a real concern. The question is whether a Class 3 misdemeanor and an annual report are enough to change behavior when the technology itself makes shortcuts so easy.

Why guardrails haven't prevented wrongful arrests
Angela Lipps is a 50-year-old grandmother from Tennessee. In early 2026, Fargo police in North Dakota arrested her based on a facial recognition match connecting her to a local crime. She spent five months in jail. The problem: Lipps had never been to North Dakota. Not once. Not ever.
Her case follows a pattern that the ACLU has documented across more than a dozen wrongful arrests tied to facial recognition. The technology generates a match. Officers treat the match as an identification rather than a lead. Nobody does the follow-up work to verify. Someone who looks vaguely similar to the actual suspect ends up in handcuffs.
The pattern is consistent: the victims are disproportionately Black, the matches rely on low-quality surveillance footage, and the arresting officers skip basic verification steps like checking alibis or comparing physical descriptions beyond the face. A system that's supposed to narrow the search instead becomes the entire investigation.
Virginia's law says a match can't establish probable cause on its own. But that rule only works if officers actually follow it - and if supervisors and prosecutors enforce it. In Lipps's case and others, the process failed long before anyone checked a legal checkbox. The officers simply assumed the computer was right.
Where each state stands
Virginia's law sits in the middle of a rapidly shifting landscape. Here's how the major approaches compare as of July 2026:
| Jurisdiction | Approach | Key detail |
|---|---|---|
| Virginia | Authorized with guardrails | Published policy, annual reporting, no real-time tracking, match can't establish probable cause |
| Illinois | Strongest protection (BIPA) | Written consent required before any biometric data collection. Produced $650M+ in class action settlements |
| Connecticut | Retail disclosure required | Stores must post visible signage, consumer deletion rights, database restrictions |
| New York | Study bill advancing | Senate advanced a facial recognition study bill - regulation may follow depending on findings |
| EU | Ban on live biometric ID | AI Act fully applicable August 2, 2026. Bans real-time biometric identification in public spaces |
The contrast between Virginia and the EU is stark. Virginia is saying: police can use this technology, just follow the rules. The EU is saying: this technology should not be used on the public in real time, period. Illinois falls somewhere in between - you can use it, but only with explicit written consent, which effectively blocks most mass surveillance applications.
New York's study bill is the cautious approach. Instead of regulating now, they're commissioning research first. The risk is that the technology proliferates while the study happens.
What this means for your photos
Police facial recognition databases are built from your government-issued photos. Your driver's license, your passport, your state ID. You didn't sign up for a criminal identification database. You signed up to drive. But your photo is in the system.
That's the baseline exposure - and you can't opt out of it. What you can control is what happens beyond that. Every photo you share publicly - on social media, public photo galleries, forums, anywhere indexable - adds another data point. Data brokers scrape public photos and sell them to companies like Clearview AI, which has built a database of billions of faces pulled from the open internet. The more photos of your face exist publicly, the easier it is to match you across systems.
Viallo is a private photo sharing platform that stores photos in EU data centers with end-to-end privacy. Photos shared through Viallo use password-protected links that are not indexed by search engines, not scrapeable by data brokers, and not accessible without the link. No facial recognition, no biometric processing, no AI face tagging.
This isn't about hiding. It's about the difference between sharing a photo with your family and broadcasting it to every facial recognition database on the internet.
How to protect yourself
You can't remove your driver's license photo from a state database. But you can limit how many other photos of your face are floating around in scrapeable locations.
- Audit your public-facing photos. Check your profile pictures on social media. Instagram, Facebook, LinkedIn, X - many of these default to public visibility. Clear photos of your face on public profiles are the easiest targets for scraping.
- Share through private channels. When you share family photos or personal pictures, use platforms with private sharing links instead of public galleries. A password-protected album link is invisible to scrapers.
- Strip metadata before sharing publicly. EXIF data in photos includes GPS coordinates, timestamps, and device information. When combined with facial recognition, metadata makes a match far more valuable to data brokers.
- Use data broker opt-outs. California's Delete Request and Opt-out Platform (DROP) lets you request deletion from all registered brokers. If you're in a state with a similar mechanism, use it.
- Watch for disclosure requirements. If you're in a state like Connecticut, stores must tell you when they're using facial recognition. Look for the signs. Exercise your deletion rights.
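
To make the "strip metadata" step concrete, here is an added example (not from the original article) that walks a JPEG's segment structure and drops every APP1 segment, which is where Exif data such as GPS coordinates, timestamps and device information is stored (XMP metadata also lives there). The function names and the sample bytes are constructed for illustration; the sample is a structural stand-in, not a decodable photo.

```python
import struct

SOI, SOS, APP0, APP1 = 0xD8, 0xDA, 0xE0, 0xE1  # JPEG marker codes

def segment(marker: int, payload: bytes) -> bytes:
    """Encode one JPEG segment: FF, marker, 2-byte length (counts itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def strip_app1(jpeg: bytes) -> bytes:
    """Return the JPEG with all APP1 (Exif/XMP) segments dropped, image data untouched."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            # Start of scan: compressed pixel data follows, copy the rest verbatim.
            out += jpeg[pos:]
            return bytes(out)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker != APP1:  # keep everything except the metadata segments
            out += jpeg[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no SOS marker found")

# Constructed sample: SOI, a JFIF header, one Exif segment, then scan data and EOI.
SAMPLE_EXIF = b"Exif\x00\x00" + b"constructed GPS, timestamp and device tags"
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + segment(APP0, b"JFIF\x00" + bytes(9))
    + segment(APP1, SAMPLE_EXIF)
    + segment(SOS, b"") + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_app1(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; Exif present:", b"Exif" in cleaned)
```

Stripping metadata removes location and device context only; the face in the pixels is unchanged and still matchable, which is why the private-sharing step above still matters.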

Frequently Asked Questions
What does the Virginia facial recognition law allow police to do?
As of July 1, 2026, Virginia local police departments can use facial recognition to compare a suspect's photo against state databases like DMV records. They must publish a usage policy, report every search annually, and maintain complete query histories. They cannot use real-time surveillance, cannot build databases from live video feeds, and a facial recognition match alone cannot establish probable cause for arrest. Campus police at Virginia's public universities are covered under a parallel statute with similar rules.
Can police arrest you based only on a facial recognition match in Virginia?
No. Under Virginia's law, a facial recognition match cannot be included in an affidavit to establish probable cause. It can only serve as exculpatory evidence - meaning it can help prove someone is not a suspect, but it cannot be the sole basis for an arrest. Officers must corroborate a match with independent investigation. In practice, however, wrongful arrests from facial recognition continue to happen in states with similar rules, because officers sometimes treat a match as an identification rather than a lead.
Is my driver's license photo in a facial recognition database?
In most US states, yes. State DMV photo databases are commonly used as comparison databases for law enforcement facial recognition searches. You did not consent to this use when you got your license - the photo was collected for identification on the card itself, but it's now queryable by police in states that authorize facial recognition. Passport photos held by the federal government serve a similar function. You cannot opt out of having your government ID photo in these databases.
How does the EU's approach to facial recognition differ from Virginia's?
The EU AI Act, fully applicable from August 2, 2026, bans real-time biometric identification in public spaces outright, with narrow exceptions for specific serious crimes. Virginia takes the opposite approach: it authorizes police use of facial recognition but imposes guardrails like reporting requirements and a ban on real-time tracking. The EU treats live facial recognition as fundamentally incompatible with civil liberties. Virginia treats it as a tool that can be managed with rules.
What is the best way to keep your photos out of facial recognition databases?
You cannot remove your government ID photos from state databases, but you can control your broader exposure. Share personal photos through private platforms like Viallo that use password-protected links not indexed by search engines. Audit your social media profile pictures for public visibility. Strip EXIF metadata from any photos you share publicly. Use data broker opt-out tools like California's DROP platform to request deletion from commercial databases. The fewer clear, public-facing photos of your face that exist online, the harder it is for scraping operations like Clearview AI to build a profile.