Yoti has been fined 950,000 euros (roughly US$1.1 million) by Spanish data protection regulator AEPD for the handling of biometrics and other data within its digital identity app. The regulator has ruled Yoti violated three clauses of the EU’s General Data Protection Regulation (GDPR).
The ruling in part reflects a tension between how biometrics are often used in practice and the definition of biometrics as “special category data” under GDPR. If a person has downloaded the Yoti app and uploaded an ID document, a subsequent biometric match is still considered “uniquely identifying.”
At issue are the consent flow used, Yoti’s claim that it deletes the facial image immediately after it has been processed and, most importantly of all, whether it has lawful grounds to process biometric data at all.
The judgement cites March 2025 revenue figures for Yoti showing it has made just over €15 million since its inception.
The AEPD says it was made aware that Yoti’s practices “could constitute a possible infringement” and tasked the Deputy Directorate for Data Inspection to investigate the claims in December 2023.
Biometrics “for the purpose of uniquely identifying a natural person” are considered “special category data” under GDPR, and can therefore only be processed in specific situations. This complaint applies not to the company’s facial age estimation, but rather to account setup processes, in which selfie biometrics are compared to a stored template. Yoti’s position is that the biometric data is used only to authenticate the individual, rather than to uniquely identify them, but this argument was rejected by the AEPD.
The statement notes that no information is available regarding how the data of minors as young as 13 is processed differently from that of adults. The biometric data is processed by virtue of the user having checked a declaration that they are of legal age.
Yoti app users “consent by default” to the use of their biometric data in research and development, AEPD says.
The Yoti app also allows people to click through its privacy policy permission without having clicked on and accessed the policy, the regulator says.
This appears to be the most easily addressed complaint, satisfied by minor changes in design and the default settings of the app.
The storage of the biometrics provided during account opening for future use in account recovery is disproportionate, the AEPD argues, because it might not be used.
How account recovery can work without any information stored for that purpose is a question implicitly raised by the AEPD, but never acknowledged, let alone answered.
Geolocation data used to determine which age restrictions apply to the user is retained for five years, which the AEPD found excessive. The regulator also objects to Yoti’s retention of fraudulent ID documents to train its software, as going beyond the purpose for which they were collected, and to the retention of video recordings used in liveness detection for 30 days.
The AEPD concludes that Yoti has violated GDPR articles 5.1 e) (excessive data retention), 7 (valid consent) and 9 (unlawful processing), and has levied fines for €250,000, €200,000 and €500,000, for a total of €950,000. Yoti is also asked to show within 6 months how its handling of biometric data complies with GDPR, that the data processing based on the subject’s consent is compliant and that the personal data processed is retained only for the length of time necessary for its stated purpose.
Yoti responds
“Yoti is extremely disappointed to confirm that we have recently been sanctioned by the Spanish Data Protection Agency (AEPD) for infringements of data protection law relating to the Yoti Digital ID app. Yoti rejects in the strongest possible terms the decision of the AEPD and has begun the appeal process to the Spanish High Court,” the company told Biometric Update in an emailed statement.
“Importantly, we can reassure our Digital ID app users and clients that no personal data of any app user has been breached or compromised in any way — the Yoti Digital ID app remains secure. We also want to make clear that the findings relate to the Digital ID app only.
“Yoti takes data protection very seriously and has the utmost respect for the critical work undertaken by data protection regulators globally, many of which we positively engage and collaborate with on a regular basis.
“We fully cooperated with the AEPD’s information requests, but we were never notified that we were under investigation.”
Yoti has up to a month to appeal the decision.
How the ruling will affect Spain’s comprehensive online age check law remains to be seen.