Biometric data sits at the intersection of the strictest data protection rules in every major jurisdiction. One miscalculation — storing an embedding longer than necessary, processing without a valid legal basis, or failing to honour a deletion request — can trigger regulatory action that dwarfs the cost of building the system correctly from the start. This is a working reference for legal, privacy, and engineering teams.
Why biometric data gets special treatment
Every major privacy regulation treats biometric data as a special category requiring heightened safeguards. The underlying rationale is consistent: biometric identifiers are immutable. You can change a password, cancel a credit card, and replace an email address. You cannot change your face. A biometric data breach is therefore permanent in a way that most other data breaches are not. This immutability drives the regulatory response across all jurisdictions.
GDPR Article 9: the framework in detail
Under GDPR you need both a general lawful basis (Article 6) and a specific Article 9 exception to process biometric data. For KYC use cases, the most commonly applicable combinations are:
- Contractual necessity + substantial public interest — when onboarding a customer to a financial product, Article 6(1)(b) covers the lawful basis; substantial public interest (Article 9(2)(g)) — specifically AML/CTF obligations — covers the Article 9 exception in most EU member states
- Explicit consent — the cleaner approach for consumer flows where a statutory AML obligation isn't the primary driver; consent must be freely given, specific, informed, unambiguous, and withdrawable; withdrawal must trigger deletion of the biometric data
GDPR Article 5 requires data be kept only as long as necessary. For biometric KYC: store embeddings not images where possible (embeddings cannot be reverse-engineered into recognisable faces with current techniques); define specific retention periods explicitly; implement deletion workflows before launch — systems that treat deletion as a special case will fail at scale.
When is a DPIA required?
A DPIA is mandatory under Article 35 before any "large-scale processing of special categories of data." Face verification in an onboarding flow almost certainly qualifies. The DPIA must describe the processing and its purposes, assess necessity and proportionality, identify and assess risks to data subjects, and define mitigation measures. Common risks and their mitigations:
- Data breach exposing biometric data — encrypt at rest and in transit; minimise retention; store embeddings not images
- Model bias causing discriminatory outcomes — require disaggregated benchmark reports; monitor approval rates by demographic
- Third-party vendor data misuse — DPAs with all sub-processors; deletion SLAs in contracts
Illinois BIPA: the highest-risk US statute
BIPA is the most aggressive US biometric statute, with statutory damages of $1,000–$5,000 per violation, no cap, and a private right of action. Class actions under BIPA have produced the largest privacy settlements in US history — Facebook paid $650M and TikTok paid $92M in BIPA class actions. BIPA covers any organisation processing Illinois residents' biometric data, regardless of where the company is incorporated. Key requirements:
- Written policy — publish a retention schedule and guidelines for permanent destruction of biometric identifiers
- Informed consent — obtain a written release before collecting biometric data, informing the subject of the specific purpose and duration
- No sale or profit — cannot sell, lease, trade, or profit from biometric data
- Retention and destruction — cannot retain biometric data longer than the specified purpose, or 3 years after last interaction, whichever comes first
BIPA consent and notice should be treated as a hard engineering requirement. Class actions covering millions of users have resulted in settlements exceeding $650M (Facebook) and $228M (TikTok). If your product is used by Illinois residents, assume BIPA applies even if your company is not Illinois-based.
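As an added illustration (not code from the original page), the following Python evaluates the deletion triggers described in the BIPA list above and in the GDPR consent section: the purpose end date, BIPA's three-years-after-last-interaction ceiling (whichever comes first), and immediate deletion on consent withdrawal. The record fields, reason labels and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BiometricRecord:
    record_id: str                  # constructed sample identifier
    purpose_end: date               # end of the documented purpose (retention schedule)
    last_interaction: date          # subject's last interaction with the organisation
    illinois_resident: bool         # BIPA applies to Illinois residents' data
    consent_withdrawn: Optional[date] = None  # GDPR explicit-consent withdrawal date

def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def deletion_deadline(rec: BiometricRecord):
    """Return (deadline, reason): the earliest trigger wins."""
    candidates = [(rec.purpose_end, "purpose_end")]
    if rec.illinois_resident:
        # BIPA: purpose end or 3 years after last interaction, whichever comes first
        candidates.append((add_years(rec.last_interaction, 3), "bipa_3y_after_last_interaction"))
    if rec.consent_withdrawn is not None:
        # GDPR: withdrawal of explicit consent must trigger deletion of the biometric data
        candidates.append((rec.consent_withdrawn, "consent_withdrawn"))
    return min(candidates, key=lambda c: c[0])

def due_for_destruction(records, today: date):
    """Records whose deadline has passed, with the trigger, for the purge job."""
    return [(r.record_id, deletion_deadline(r)[1])
            for r in records if deletion_deadline(r)[0] <= today]

# Constructed sample records and purge date (not real data).
SAMPLE_RECORDS = [
    BiometricRecord("rec-il-1", date(2030, 1, 1), date(2022, 3, 1), True),
    BiometricRecord("rec-eu-1", date(2027, 6, 30), date(2024, 1, 15), False, date(2025, 11, 20)),
    BiometricRecord("rec-eu-2", date(2028, 1, 1), date(2025, 9, 1), False),
    BiometricRecord("rec-il-2", date(2025, 12, 1), date(2025, 10, 1), True),
    BiometricRecord("rec-il-3", date(2030, 1, 1), date(2024, 2, 29), True),
]
PURGE_DATE = date(2026, 1, 1)

if __name__ == "__main__":
    for record_id, reason in due_for_destruction(SAMPLE_RECORDS, PURGE_DATE):
        print(f"destroy {record_id}: {reason}")
```

Running the purge job as a scheduled task (rather than a one-off handler per deletion request) is what makes deletion a routine path instead of a special case.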
CCPA and CPRA: California's framework
The California Consumer Privacy Rights Act creates specific rights for sensitive personal information, which includes biometric information. Consumers can opt out of sale or sharing, limit use to what is necessary to perform services, and request deletion. For most KYC use cases the "necessary to perform services" carve-out covers the processing — but your privacy notice must disclose that biometric information is collected, its purpose, and its retention period, and your vendor contracts must specify data may only be used for the specified purpose.
EU AI Act: high-risk system requirements
The EU AI Act entered into force on 1 August 2024. Its provisions apply in phases, with high-risk AI system obligations under Annex III — which includes biometric identification systems for remote identity verification in high-risk sectors — applying from 2 August 2026. These systems must: undergo conformity assessment before market placement; implement a quality management system; maintain technical documentation and logs for 10 years; register in the EU AI database; allow effective human oversight. Your face verification vendor should be able to provide the technical documentation required to support your AI Act compliance. If they cannot, you inherit the documentation gap.
Compliance architecture checklist
EU / EEA deployments:
- Article 6 and Article 9(2) lawful basis documented
- DPIA completed and filed
- Data Processing Agreement with all biometric data processors
- Privacy notice updated to reference biometric processing
- Deletion workflows implemented and tested end-to-end
- AI Act high-risk system documentation prepared (from Aug 2026)
US deployments (with Illinois users):
- BIPA written policy published
- BIPA written consent obtained before biometric capture
- Retention schedule documented and enforced in code
- No biometric data sale to third parties
Organisations that build biometric compliance correctly from the start find it accelerates enterprise deals — Fortune 1000 procurement teams now routinely include biometric data handling questionnaires in vendor security reviews. Speak with our team to get a compliance documentation package for your jurisdiction.