
Is Facial Recognition Legal?

In most places, yes — but with strings attached. Here's what the law actually says about scanning your face, who can do it, when consent is required, and what rights you can exercise to push back.

TL;DR

Facial recognition is legal in most countries but tightly regulated when used to identify individuals. In the EU (including Finland), the UK, and Brazil, your face is "special category" biometric data — companies generally need explicit consent to scan it. In most of the US there's no federal law, but Illinois (BIPA), Texas, and Washington have strong state-level rules. You almost always have the right to demand deletion. The hard part is knowing how.

The Short Answer

"Is facial recognition legal?" doesn't have one answer — it has dozens, depending on:

  • Where you are. EU rules are stricter than US federal rules.
  • Who's scanning. A government doing border control plays by different rules than a retail store doing "loss prevention."
  • What they're doing with it. Real-time identification is treated more strictly than face verification (matching you to your own ID).
  • Whether you consented. Most laws hinge on whether you gave informed permission.

The pattern almost everywhere: scanning your face is technically legal, but storing it, identifying you, and selling that data without consent is heavily restricted.

What Counts as Biometric Data Legally?

Most modern privacy laws define biometric data the same way:

Biometric data: Information derived from a person's physical, physiological, or behavioral characteristics that allows or confirms their unique identification.

In practice, that means:

Counts as biometric ✓

  • Your face after a system extracts a "faceprint" or embedding
  • Fingerprints, iris scans, palm prints
  • Voice recognition templates
  • Gait analysis (how you walk)
  • DNA samples

Doesn't count (in most places) ✗

  • A regular photo of you (until processed for identification)
  • Security footage that isn't run through face matching
  • A handwritten signature
  • Your name or ID number alone

The key word is processing. A photo of you is just a photo. The moment a system extracts your facial geometry into a mathematical template that can be matched against future photos, it becomes biometric data — and the strict laws kick in.

Is Facial Recognition Legal in Finland?

Finland follows EU law. Specifically, GDPR Article 9 classifies biometric data — including faceprints used for identification — as "special category" personal data. Processing it is prohibited by default unless one of a narrow list of exceptions applies, the most common being explicit consent.

On top of GDPR, Finland has:

  • The Finnish Data Protection Act (Tietosuojalaki, 1050/2018) — implements GDPR with national specifics
  • Tietosuojavaltuutettu (Office of the Data Protection Ombudsman) — the supervisory authority you can complain to if your rights are violated
  • The Police Act — restricts how Finnish law enforcement can use facial recognition; live identification in public is heavily restricted

What this means in practice: A Finnish supermarket can't quietly run face recognition on every customer. A school can't use facial attendance without specific legal grounds. An app can't enroll your face in a recognition system without explicit consent — and that consent must be informed, freely given, and revocable.

But that's the law on paper. In reality, your face is likely already in databases run by foreign companies (PimEyes, Clearview AI, Precheck.ai) that scrape the public web. They argue they don't need consent because the data is "publicly available." European regulators disagree and have been issuing fines, but enforcement is slow.

Filing a complaint in Finland: If a company refuses to delete your facial data, you can file a complaint with the Office of the Data Protection Ombudsman. They have authority to investigate and issue fines under GDPR.

EU and GDPR — The Strictest Framework

The EU's GDPR is the most restrictive major framework for facial recognition. Key points:

Article 9 — Special Category Data

Biometric data used for "uniquely identifying a natural person" is in a special category. Processing is prohibited unless one of these applies:

  • You give explicit consent (must be specific, informed, freely given, revocable)
  • It's necessary for employment law, social security, or vital interests
  • You've already manifestly made it public yourself (this is the loophole face-search engines try to use)
  • Substantial public interest with appropriate safeguards

Article 17 — Right to Erasure ("Right to be Forgotten")

You can demand any company delete biometric data they hold on you. They have 30 days to comply (extendable to 60 days for complex cases).

The EU AI Act (2024–2026)

The EU AI Act adds another layer specifically for AI systems:

  • Real-time biometric identification in public spaces by law enforcement is banned, with narrow exceptions (terrorism, serious crime suspects)
  • Emotion recognition in workplaces and schools is banned
  • Untargeted scraping of facial images from the internet or CCTV to build recognition databases is banned (this directly targets Clearview AI's business model)
  • High-risk biometric AI systems require registration, transparency, and human oversight

What this means for you: If you live in any EU country (Finland, Germany, France, Spain, Netherlands, etc.) or even just visit the EU, GDPR protects your facial data. You have the right to know what data is held, demand deletion, and complain to a supervisory authority.

United States — A Patchwork

The US has no federal facial recognition law. Instead, you get a patchwork of state and local rules.

Illinois — BIPA

The Biometric Information Privacy Act is the strongest US state law. It requires written consent before collection and allows private lawsuits with statutory damages ($1,000 per violation, $5,000 if willful). Facebook paid $650M, Google paid $100M, and Snapchat paid $35M for BIPA violations.

Texas & Washington

Both have biometric laws requiring informed consent. Enforcement is less aggressive than in Illinois (no private right of action), but the laws are still binding on companies.

California — CCPA / CPRA

California treats biometric data as "sensitive personal information." The law grants the right to know, delete, correct, and limit use, and it applies to most consumer-facing companies.

Most other states

Limited or no specific biometric laws. Companies operating in these states have far fewer obligations.

If you're in the US, your protections depend heavily on where you live.

Your Rights Under Modern Privacy Laws

Across most major frameworks (GDPR, CCPA, BIPA, LGPD, PIPEDA, APPI), you have these rights when it comes to facial data:

1. Right to Know

Demand a company tell you what biometric data they hold about you, where they got it, and what they're doing with it.

2. Right to Delete

Demand they delete it. Under GDPR they have 30 days to comply. Under CCPA they have 45 days.

3. Right to Object

Demand they stop processing your data even if they don't delete it (e.g., excluding you from active matching).

4. Right to Withdraw Consent

If you previously consented, you can withdraw it. They must stop processing going forward.

5. Right to Complain

If they ignore you, you can file a complaint with your country's data protection authority. They can investigate and issue fines.

6. Right to Compensation

In jurisdictions like Illinois (BIPA), you can sue directly and collect statutory damages even without proving harm.

Country-by-Country Quick Reference

We maintain detailed pages for each major jurisdiction with specific laws, contact info for regulators, and what counts as biometric data locally.


Bottom Line: Legal but Hard to Enforce

The law is mostly on your side. In Finland, the EU, the UK, Canada, Brazil, and many US states, you have real, enforceable rights to demand your facial data be deleted from databases that hold it.

The catch is the practical gap between having a right and exercising it. Filing a GDPR erasure request requires knowing:

  • Which companies actually hold your facial data (most are invisible to you)
  • The right legal language to make them comply
  • Where to escalate when they ignore you
  • How to track which databases you've already filed against
  • How to re-file when they re-add you (which they often do)

That's the entire reason Face Privacy exists.

Exercise your rights without the paperwork

We submit and re-submit GDPR / CCPA / BIPA removal requests on your behalf to the major facial recognition databases. The legal frameworks already protect you. We just do the filing.
