Biometric Consent & GDPR: What Counts as Valid Consent in 2026
Biometric data is special-category data under GDPR. Consent must be explicit, informed, and freely given — but most flows get it wrong.
Biometric data is classified as special-category personal data under GDPR Article 9 and equivalent regimes worldwide. That means you need an Article 9 lawful basis, and explicit consent is the most common one for KYC.
What explicit consent requires
- Clear explanation of what biometric data is collected
- Specific purpose: identity verification, not marketing or surveillance
- Retention period and deletion policy
- No pre-ticked boxes or bundled terms
- Easy withdrawal mechanism, though KYC withdrawal may mean account closure
The AI Act overlay
The EU AI Act classifies remote biometric identification as high-risk. Identity verification using face match is generally permitted with adequate safeguards, but 1:N identification in public spaces is heavily restricted.
How our flows handle consent
Our biometric liveness and document verification products include a clear consent step with granular purpose, retention, and deletion language before any biometric capture occurs.
Need this verification done for you?
Order any of our analyst-reviewed verification services. Pay with crypto, Skrill or Wise — confirmation on WhatsApp or Telegram.
Related products
Biometric Liveness Check
Stop deepfakes, masks and replay attacks with analyst-reviewed liveness.
Order Biometric Liveness CheckDocument Verification
Forensic-grade document verification for 200+ document types across 150 countries.
Order Document VerificationAML & PEP Screening
Sanctions, PEP, watchlist and adverse media screening with analyst adjudication.
Order AML & PEP Screening