Biometric data is personal data under virtually every major privacy law in the world. In the European Union the classification goes a step further: biometric data processed to uniquely identify someone is a “special category” of personal data, commonly called sensitive data, which triggers stricter protections than ordinary personal information such as a name or email address. The United States has no single federal biometric privacy law, but a growing patchwork of state statutes and federal enforcement actions treats biometric data with the same heightened caution.
Why Biometric Data Qualifies as Personal Data
Personal data, broadly defined, is any information that can identify a specific person or be linked back to them. Biometric data fits that definition by nature. A fingerprint, a facial geometry scan, an iris pattern, or a voiceprint is not just data about a person. It is, in a real sense, the person. Unlike a password or an address, you cannot change your fingerprints if they are compromised.
This permanence is exactly why lawmakers treat biometric data differently from other personal information. If a company leaks your email address, you can create a new one. If it leaks your facial geometry, there is no reset button. That asymmetry between the value of the data and the impossibility of replacing it is the core reason biometric information receives heightened legal protection.
How the GDPR Classifies Biometric Data
The EU’s General Data Protection Regulation places biometric data in a special category alongside genetic data, health records, information about racial or ethnic origin, political opinions, and sexual orientation. Under Article 9, processing this type of data is prohibited by default unless one of a narrow set of exceptions applies, such as the individual giving explicit consent or the processing being necessary for substantial public interest.
The key phrase in the GDPR is biometric data processed “for the purpose of uniquely identifying a natural person.” That distinction matters. A company storing a photo of your face for a staff directory is handling ordinary personal data; the photo crosses into the special category only when it is run through facial recognition software to identify you. Recital 51 of the GDPR makes the same point about photographs: they are not automatically special-category data unless processed through technical means that allow unique identification. The act of using biometric characteristics for identification is what triggers the highest tier of protection.
US State Laws and Enforcement
The United States has no comprehensive federal biometric privacy statute, but several states have filled the gap with their own laws. Illinois was the first, and its Biometric Information Privacy Act (BIPA) remains the strictest, and the only one that lets individuals sue directly rather than relying on the state attorney general. Under BIPA, any private company that collects biometric identifiers or biometric information must do three things before collection: inform the person in writing that biometric data is being collected, explain the specific purpose and how long the data will be stored, and obtain a written release from the individual. Companies must also publish a retention policy and permanently destroy biometric data either when its original purpose has been fulfilled or within three years of the person’s last interaction with the company, whichever comes first.
California’s Consumer Privacy Act, as amended by the CPRA, takes a different approach. It classifies biometric information processed to identify a consumer as “sensitive personal information,” a subset of personal information that gives consumers additional rights, including the ability to limit how businesses use and share it. Texas, Washington, and Colorado have their own biometric privacy provisions as well, each with different thresholds for consent and enforcement.
Federal Enforcement Without a Federal Law
Even without a dedicated statute, the Federal Trade Commission has made biometric data a priority. In 2023 the FTC issued a Policy Statement on Biometric Information outlining the practices it considers deceptive or unfair under Section 5 of the FTC Act. The list is specific: collecting biometric information without assessing foreseeable harms to consumers, engaging in surreptitious or unexpected collection, failing to evaluate the practices of third parties who receive biometric data, and making false or misleading claims about how biometric information is used or how accurate the underlying technology is. Companies that fail to train employees handling biometric data or fail to monitor biometric technologies for ongoing accuracy and fairness also risk enforcement action. In practice, this means the FTC can pursue companies over biometric data misuse even in states that lack their own biometric privacy laws.
What Counts as Biometric Data
Most people think of fingerprints and facial recognition, but the category is broader than that. Biometric data falls into two groups: physical and behavioral.
- Physical biometrics include fingerprints, facial geometry, iris and retina patterns, vein patterns, and voiceprints. These are relatively stable over a person’s lifetime and are the most commonly regulated type.
- Behavioral biometrics include typing speed and rhythm, mouse movement patterns, touchscreen gestures, the angle at which you hold your phone (measured by the device’s gyroscope), and your walking gait. Fraud-detection systems often bundle these with contextual signals such as your typical login location and IP address; those signals identify a device or network rather than a body, so they are not biometrics in the strict sense, but they are still personal data. All of these patterns are typically collected passively as you interact with an app or website, often without your awareness.
Behavioral biometrics sit in a grayer legal area. A company tracking your keystroke dynamics to detect fraud may argue this data is not being used “to identify” you in the way facial recognition does. But if those patterns can be linked back to a specific individual, which is precisely what makes them useful for confirming that the person at the keyboard is the account holder, the data meets the functional definition of personal data under most privacy frameworks. The European Union has even tested gait recognition technology at border crossings, treating a person’s walking pattern as an identifier on par with a passport photo.
What This Means in Practice
If you have used your fingerprint to unlock a phone, scanned your face at an airport gate, or let an app verify your identity through a selfie, your biometric data has been collected and processed. In many cases, it has also been stored, and where it is stored matters. Phone unlock typically converts the fingerprint or face into a mathematical template that stays inside the device’s secure hardware and is never uploaded, so the phone maker does not hold it. An airport gate or a selfie-verification app, by contrast, usually sends the image or template to a server operated by a company or government agency, which then holds sensitive data about you. The legal classification of that data as personal (and often sensitive) information gives you concrete rights depending on where you live.
Under the GDPR, you can request access to any biometric data a company holds about you, ask for it to be deleted, and withdraw consent for its processing. Under California law, you can direct businesses to limit how they use and disclose your sensitive personal information. Under Illinois BIPA, companies cannot collect your biometric data at all without your prior written consent, and violations carry statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, amounts that have led to multimillion-dollar class-action settlements.
The practical gap to watch is between what the law requires and what companies actually do. Behavioral biometric data in particular is often gathered in the background, with disclosure buried in privacy policies that few people read. The FTC has flagged this kind of collection as potentially unfair when it happens without the consumer’s knowledge. International standards now emphasize privacy-by-design principles: the identity management framework ISO/IEC 24760-1 pushes organizations to minimize unnecessary data collection and define clear purposes before any data is gathered, and ISO/IEC 24745 (biometric information protection) addresses the “no reset button” problem directly by requiring stored templates to be irreversible, unlinkable across systems, and renewable if compromised.
Why the “Personal Data” Label Matters
Classifying biometric data as personal data is not just a legal technicality. It determines whether a company needs your consent before scanning your face, how long it can keep your fingerprint on file, who it can share that data with, and what happens if there is a breach. Without that classification, biometric data could be collected, sold, and stored indefinitely with no obligation to tell you. The legal consensus across the EU, a growing number of US states, and federal regulators is clear: biometric data is personal data, and in most contexts, it is among the most sensitive personal data a company can hold.