Biometric Privacy 2026: The Investigator's Split

Spain just handed a digital identity company a €950,000 fine, and the reasoning behind it should make every investigator using facial comparison technology stop and read the full decision. This wasn't a rogue data broker getting caught selling faces on the open market. It was a company that thought "authentication" was a safe word — a magic qualifier that kept their biometric processing out of the high-risk category. The regulator disagreed. Loudly. With a seven-figure penalty.

Biometric Update reports that Spain's data protection authority, the AEPD, fined Yoti — a British digital identity firm — over violations covering excessive data retention, flawed consent architecture, and unlawful processing of biometric templates. The core issue: Yoti's position that its selfie-based verification was "authentication," not "identification," was flatly rejected. Under GDPR, if your technology creates a biometric template capable of uniquely identifying a natural person, you're in special category data territory. Full stop. The authentication label doesn't save you.

That distinction — authentication versus identification — has been the comfort blanket for a lot of facial comparison workflows. It's about to be pulled off.

The Fine Print That Will Sink Investigators Who Aren't Paying Attention

The AEPD's findings against Yoti weren't vague. The regulator found specific, auditable failures: biometric templates retained for potential future account recovery when that future use might never materialize; geolocation data kept for five years to determine age restrictions; video recordings from liveness detection held for thirty days beyond any defensible purpose. According to PPC Land, the AEPD also found that Yoti collected facial biometric templates without properly acknowledging this constituted special category processing — and that pre-ticked consent boxes for research and development data use don't satisfy GDPR's requirement for a clear, affirmative act. This article is part of a series — start with Stress Test Facial Comparison Method Against Deepf.

Read that last part again. Pre-ticked boxes fail the affirmative consent standard. Now ask yourself: how many investigators have ever gotten written, case-specific consent before running a facial comparison? How many have a documented retention policy stating exactly when comparison data gets deleted? Most haven't needed one — until now.

That jump from three to ten million-euro-plus fines in a single year isn't noise. It's a policy signal. Spanish regulators — and by extension the broader EU enforcement apparatus — have decided that biometric processing is high-risk by default, and they're calibrating penalties to match. The European Data Protection Board's Statement 1/2025 went further, establishing that age verification systems (a close cousin to investigative facial comparison) must use the least intrusive method available and implement the shortest possible retention periods. The direction of travel is unmistakable.

Illinois Already Ran This Playbook — And It Worked

If the EU enforcement arc feels distant, consider what's been happening in the American Midwest for the past five years. Illinois' Biometric Information Privacy Act has extracted settlements from some of the biggest names in tech. Google settled an Illinois student biometric privacy case for $8.75 million, according to Top Class Actions. The ACLU of Illinois secured a landmark settlement that forced a major facial recognition company to comply with BIPA nationwide — not just in Illinois — demonstrating how a single state's privacy law becomes a de facto national standard the moment companies operate across state lines, as the ACLU of Illinois detailed in its reporting on the case.

"Illinois law forced a New York-based startup to curb its practices nationwide and compensate people across the country, emphasizing how state privacy laws can become de facto national standards when companies operate across borders." — ACLU of Illinois, In re Clearview AI litigation

The interesting wrinkle: new BIPA class action filings in 2025 dropped to levels not seen in eight years, and settlement volumes pulled back from 2024 peaks, according to The National Law Review. Some read this as biometric privacy litigation cooling off. That's the wrong interpretation. What it actually reflects is companies internalizing compliance as a baseline — the litigation wave worked. The standard is now baked into risk models. The same trajectory is coming for investigators and forensic professionals, just on a slight time delay. Previously in this series: Biometric Privacy Crackdowns Small Investigators.

Here's the math that should focus minds: if an investigator uses a facial comparison tool and any subject is an Illinois resident, BIPA exposure exists. Multiply that across twenty-plus U.S. states now considering their own biometric privacy bills, add EU GDPR exposure for any matter touching European nationals, and "just comparing photos" starts looking a lot more like a liability portfolio than a workflow.

The Split Is Coming — And It Actually Advantages Disciplined Investigators

The EU's proposed Digital Omnibus package, covered by Inside Privacy and Kennedys Law LLP, is attempting something genuinely complicated: ease some of the procedural friction in GDPR for smaller operators while simultaneously tightening AI-specific rules. What that means in practice is a more permissive framework for low-risk data processing running alongside a harder regulatory line for anything involving biometric identification. The two-track outcome is almost certain. Broad, opaque biometric harvesting becomes legally radioactive. Narrow, documented, case-specific comparison on files you already lawfully hold? That survives — and arguably gets cleaner legal footing.

This is where investigators running disciplined, case-file-based workflows have a genuine structural advantage. Think about what a well-documented facial comparison practice actually looks like: you have a specific case, you have images obtained through lawful means, you run a targeted comparison, you document the process, you purge the data when the matter closes. That's data minimization by design. That's the opposite of a biometric database. Regulators aren't building enforcement frameworks to catch that. They're building them to catch bulk scraping, indefinite retention, and model training on faces collected without consent — the behaviors the Yoti fine explicitly targeted.

Understanding the key privacy concerns in facial recognition workflows isn't just academic risk management — it's the foundation of building a process that holds up when a court or regulator starts asking questions. And they will start asking. Up next: Biometric Privacy Law Splits Investigative Tools C.

Look, nobody's saying this transition is painless. Building written policies, documenting legal bases, implementing actual data deletion schedules — that's real operational work, not just a checkbox exercise. But the investigators and forensic firms that do it in the next eighteen months are buying something valuable: courtroom credibility. When opposing counsel challenges how a facial comparison was conducted, the answer "here is our documented workflow, here is the consent record, here is our retention policy, here is the deletion confirmation" is not just a legal defense. It's an argument for the reliability of the evidence itself.

The Yoti fine wasn't the opening shot. It's closer to the end of the warning period. Spain's AEPD issued it after auditing a company that genuinely believed it had the right framing — "authentication, not identification" — and found that framing legally worthless when the underlying technology could uniquely identify a person. The same audit logic, applied to an investigator who's been running facial comparisons for years without a written policy, won't produce a fine. It'll produce suppressed evidence and a disciplinary referral.

So here's the only question that actually matters right now: if a judge asked you tomorrow to produce — in a single document — your consent records, your legal basis for processing, and your data retention policy for every facial comparison you've run in the last two years, how long would it take you to find out you don't have one?