Spice Route Legal
Businesses Using FRT must Comply with Data Protection Regulations
Facial recognition technology (FRT) identifies and verifies individuals through image processing and biometric analysis. Businesses are using FRT for a wide range of purposes, such as employee and visitor authentication, attendance tracking, payment authorisation, targeted advertising and fraud prevention. As per industry forecasts, the global facial recognition market is expected to reach a whopping USD12.67 billion by 2028 due to widespread adoption.
FRT processes involve the collection and use of personal data, including sensitive biometric information. However, the rapid adoption of FRT has significant data protection implications. With the Digital Personal Data Protection Act, 2023 (DPDPA), and its supporting rules set to come into force, organisations using FRT must reassess and strengthen their data protection and consent mechanisms to ensure compliance. Businesses implementing FRT must be aware of its risks and undertake appropriate measures to mitigate such risks.
In most cases, consent will serve as the primary legal grounds for processing personal data collected through FRT. However, the DPDPA does allow limited exceptions for certain legitimate uses. For example, employers may rely on this exception when processing biometric data of employees through FRT, where it is necessary to protect the organisation from loss or legal liability. Similarly , when FRT is used to process the personal data of visitors or other external individuals, organisations will have to obtain consent or, in a limited number of instances, rely on the grounds of voluntary provision of data, which falls under certain legitimate uses. Businesses should consider embedding consent mechanisms within FRT platforms, such as digital prompts or on-screen notices, and must maintain robust consent logs. These logs should contain details such as the identity of the data principal, the timestamp of consent, the method of collection and associated device identifiers. These methods will allow businesses to demonstrate compliance in case of audits or complaints.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, it’s practice areas, and its members.
It is not intended and should not be construed as any form of advertisement, solicitation, invitation or inducement of any sort from the firm or its members.
Spice Route Legal does not warrant that any information provided on the website is accurate, complete or updated, and further denies liability for any and all loss or damage caused to the user as a result of their reliance on the content provided.
The information made available on this site must in no way be relied upon, or construed, as legal advice. If you need legal assistance, we recommend you seek help from competent counsel licensed to practice and advise in the relevant jurisdiction.