Biometrics Are Becoming the New Passwords. But At What Cost?

The growing use of biometric data across digital platforms is quietly reshaping how individuals prove their identity online. From facial recognition during onboarding to fingerprint logins and voice authentication, what once felt futuristic is now becoming routine.

But as adoption accelerates, so do the risks.

According to Immaculate Kassait, the Data Protection Commissioner, biometric data falls under sensitive personal data as defined in Kenya's Data Protection Act, 2019. This classification reflects the uniquely permanent and high-risk nature of biometric identifiers.

Unlike passwords or phone numbers, biometric data cannot be reset. Once compromised, it is compromised for life.

The Shift From Convenience to Compliance

For many organisations, biometrics are framed as a convenience feature. Faster login. Seamless verification. Reduced fraud.

However, the regulatory reality is far more complex.

The law demands that organisations move beyond convenience and into deliberate, accountable processing.

At the core of this shift are several non-negotiables:

1. A Clear and Justifiable Legal Basis
Processing biometric data is not a default option. Organisations must establish a lawful basis, and in most cases, this means obtaining explicit consent.

2. Consent That Actually Means Something
Consent must be specific, informed, freely given, and easy to withdraw. Pre-ticked boxes or bundled consents will not meet the threshold.

3. Purpose Limitation Is Not Optional
Biometric data cannot be collected "just in case". Every collection must be tied to a clear, defined, and legitimate purpose.

Why Biometrics Raise the Stakes

What makes biometric data particularly sensitive is the intersection of three factors:

  • Permanence. You cannot change your fingerprint or face.
  • Uniqueness. It directly identifies an individual.
  • Technological vulnerability. Systems can be breached, spoofed, or misused.

This combination elevates biometric data into one of the highest-risk categories of personal data.

As a result, organisations are expected to implement enhanced safeguards, including strong encryption, strict access controls, and secure storage environments.

Risk Management Is No Longer Optional

One of the most critical requirements is the need to conduct a Data Protection Impact Assessment (DPIA).

A DPIA is not just a compliance document. It is a risk management tool that forces organisations to ask hard questions:

  • Is biometric processing necessary?
  • Are there less intrusive alternatives?
  • What happens if the data is breached?

In practice, this is where many organisations struggle. The decision to deploy biometrics is often made at a product or technology level, long before privacy risks are fully assessed.

The Often Overlooked Piece: Data Subject Rights

Beyond organisational obligations, the law places significant emphasis on the rights of individuals.

Users must be able to:

  • Access their data
  • Withdraw consent
  • Object to processing
  • Request deletion where applicable

For platforms, this means building systems that do not just collect biometric data, but also allow users to meaningfully exercise their rights.

Registration and Accountability

Another key requirement is regulatory visibility.

Any entity processing biometric data must register with the regulator as a data controller or processor. This extends to third parties and raises important questions about vendor risk and accountability in increasingly complex digital ecosystems.

The Bigger Question: Are We Moving Too Fast?

The rise of biometrics reflects a broader shift toward frictionless digital experiences. But frictionless for whom?

As organisations optimise for speed and security, there is a risk that user awareness and control are left behind.

The real challenge is not whether biometrics should be used. It is whether they are being used responsibly.

What Comes Next

While regulators are increasingly clear on organisational obligations, there is still a gap on the user side.

Do individuals understand what they are giving away when they scan their face or record their voice?

In the next piece, I will explore this from the data subject’s perspective, focusing on the key questions individuals should ask before sharing biometric data and the risks they should be aware of.
