Home » Blog » DATA AS THE NEW SILK: GDPR, NDPR, AND THE LEGAL RISKS OF BIOMETRIC SIZING TECH IN LUXURY E-COMMERCE

DATA AS THE NEW SILK: GDPR, NDPR, AND THE LEGAL RISKS OF BIOMETRIC SIZING TECH IN LUXURY E-COMMERCE

Authored By: Ngozi Augustina Okeibuno

Igbinedion University, Okada, Edo State, Nigeria

ABSTRACT

This paper examines the legal risks of biometric sizing technology in luxury e-commerce under the GDPR and Nigeria Data Protection Regulation (NDPR). Framed as “Data as the New Silk,” it explores how 3D body scans and AI fit predictors, deployed to reduce returns and personalize couture, process special category biometric data. The core legal question is whether current industry practices meet the strict “explicit consent” and cross-border transfer standards of both regimes, and what liability luxury brands face for non-compliance? Adopting a doctrinal and comparative methodology, the study analyzes statutory provisions, regulatory guidelines, and enforcement actions including EU Clearview AI fines and emerging NDPR cases. Key findings reveal significant compliance gaps: implied consent mechanisms fail GDPR Art 9, third-party processors create unmitigated transfer risks, and algorithmic profiling raises bias concerns. The paper concludes that privacy-by-design frameworks and binding contractual safeguards are critical for luxury platforms to lawfully leverage biometric data.

Keywords: Biometric Data, GDPR, NDPR, Luxury E-Commerce, Data Privacy, Fashion Law, Artificial Intelligence.

  1. INTRODUCTION

In the contemporary digital economy, data has become the “new silk” of global commerce – an invaluable asset driving innovation, consumer engagement, and competitive advantage.[1] Nowhere is this transformation more evident than in the luxury fashion industry, where e-commerce platforms increasingly deploy biometric sizing technologies, such as facial recognition, body-scanning applications, and artificial intelligence-driven fit prediction systems, to enhance customer experience and reduce product returns.[2]

“Biometric data” is defined by GDPR Art 4(14) and s. 65 NDPA as personal data resulting from specific technical processing relating to physical, physiological, or behavioral characteristics, which allow or confirm unique identification.[3] In fashion, this covers facial geometry for virtual try-on, body measurements from 3D scans, and gait analysis. “Luxury e-commerce” denotes high-value, brand-sensitive online retail where consumer trust is a core asset, heightening reputational risk from privacy breaches.[4] The convergence of luxury fashion and biometric technology has redefined consumer experience, with e-commerce platforms deploying 3D body-scanning, AI fit predictors, and virtual try-on tools to minimize returns and replicate bespoke tailoring online.[5] These innovations also implicate “special category data” under data protection law.[6]

This article argues that while biometric sizing technologies offer substantial commercial and consumer benefits, their deployment creates significant legal risks that existing compliance practices do not fully address.[7] It demonstrates that the GDPR and Nigeria’s data protection regime impose rigorous obligations on luxury e-commerce operators and that failure to comply with these obligations may expose businesses to regulatory sanctions, reputational damage, and consumer litigation.[8] In all, the article contends that a harmonized, rights-centred approach to biometric governance is necessary to balance innovation in luxury fashion commerce with the protection of individual privacy and data autonomy.[9]

  1. BACKGROUND AND CONCEPTUAL FRAMEWORK

The increasing digitization of the fashion industry has transformed data into a critical commercial asset, particularly within luxury e-commerce where consumer experience and brand exclusivity are key competitive factors. One of the most significant technological developments in this sector is the use of biometric sizing technologies, including facial recognition systems, body-scanning applications, and artificial intelligence-driven virtual fitting tools. These technologies collect and process biometric information to identify or analyse an individual’s physical characteristics for the purpose of delivering personalized sizing recommendations and improving purchasing accuracy. As a result, the deployment of such technologies has raised legal questions concerning privacy, data protection, and consumer rights.[10]

The conceptual foundation of this study lies in the legal meaning of biometric data and its treatment under contemporary data protection laws. Article 4(14) of the GDPR defines biometric data as personal data resulting from specific technical processing relating to an individual’s physical, physiological, or behavioural characteristics that enable or confirm unique identification. Facial images, fingerprints, and body-mapping data fall within this definition when processed through technological means for identification purposes.[11] Because of its sensitive nature, biometric data is classified under Article 9 of the GDPR as a special category of personal data, the processing of which is generally prohibited unless specific legal conditions, such as explicit consent, are satisfied.[12]

Nigeria has adopted similar regulatory approach. The Nigeria Data Protection Act (NDPA) 2023 recognises biometric data as sensitive personal data and imposes heightened obligations on data controllers and processors handling such information. These obligations include obtaining lawful consent, implementing appropriate security safeguards, ensuring accountability, and conducting risk assessments where processing may significantly affect data subjects.[13] The NDPA therefore reflects a growing convergence between Nigerian and European data protection standards.

From a theoretical perspective, this article is anchored in the principles of informational privacy, data autonomy, and accountability. Privacy scholars have consistently argued that biometric identifiers differ from ordinary personal data because they are permanent, unique, and difficult to replace once compromised. Consequently, breaches involving biometric information create risks that extend beyond financial loss to include identity theft, surveillance, profiling, and discrimination.[14] Existing scholarship further highlights concerns regarding algorithmic opacity, cross-border data transfers, and the adequacy of consent in digital environments where consumers may not fully understand the extent of biometric processing.[15] Within the luxury e-commerce sector, these concerns are amplified by the global nature of online retail operations and the increasing reliance on data-driven consumer profiling.

  1. LEGAL ANALYSIS

Biometric sizing technology in luxury e-commerce, such as virtual fitting rooms that scan users’ faces, bodies, or iris geometry, creates significant legal risks under both the EU’s General Data Protection Regulation (GDPR)[16] and Nigeria’s Nigeria Data Protection Regulation (NDPR).[17] These frameworks treat biometric data as special category[18] or sensitive personal data,[19] imposing far stricter obligations than ordinary data processing and exposing companies to substantial fines,[20] litigation, and reputational harm when violated.

3.1 Biometric Data as Sensitive Data Under GDPR and NDPR

The GDPR explicitly classifies biometric data processed “for the purpose of uniquely identifying a natural person” as special category data under Article 9(1).[21] This triggers a prohibition on processing unless one of the narrow exceptions in Article 9(2) applies. The most relevant exception for e-commerce is explicit consent (Article 9(2)(a)),[22] which must be freely given, specific, informed, and unambiguous, and must be separate from other terms. Mere checkbox consent or bundled acceptance is insufficient. The regulation also requires a Data Protection Impact Assessment (DPIA) under Article 35 when processing special category data poses high risks to individuals, which biometric scanning clearly does.[23]

The NDPR, issued by Nigeria’s National Information Technology Development Agency (NITDA),[24] similarly protects “sensitive personal data,” which includes biometric information.[25] While the NDPR’s text is less detailed than the GDPR, it mirrors key principles: lawful basis requirement, consent necessity, data minimization, and security obligations. Section 44 of comparable African data protection statutes (like Kenya’s Data Protection Act) explicitly restricts biometric processing and demands proportionality and necessity.[26] Nigerian luxury brands or those serving Nigerian customers must comply with NDPR even if headquartered abroad, due to its extraterritorial scope when processing data of Nigerian subjects. [27]

 3.2 Critical Weaknesses in Current Legal Protections

The adequacy of GDPR and NDPR in addressing biometric sizing tech is questionable. Both regulations were drafted before virtual fitting rooms became mainstream, leaving gaps in how “explicit consent” functions in fast-paced digital interfaces. Users often skip lengthy privacy disclosures, and consent mechanisms may be manipulative (“consent fatigue”). The GDPR’s requirement that consent be “freely given” is undermined when biometric scanning is the only way to use a luxury brand’s sizing tool, creating a coercive dynamic that courts may increasingly challenge.

Moreover, the GDPR’s DPIA requirement is reactive and procedural; it does not prevent harmful processing if the assessment is poorly conducted. The NDPR lacks equivalent enforceable DPIA standards in practice, given Nigeria’s limited regulatory capacity and judicial infrastructure. This creates a compliance asymmetry: EU-facing luxury brands face rigorous scrutiny, while those operating primarily in Africa may exploit weaker enforcement.

3.3 Case Law and Litigation Trends

While GDPR/NDPR-specific biometric sizing cases are nascent, U.S. litigation under Illinois’ Biometric Information Privacy Act (BIPA) offers a cautionary parallel. [28]Over 1,500 class actions have been filed under BIPA in six years against retailers using virtual try-on software, alleging failure to obtain informed written consent and inadequate disclosure of data handling.[29] Plaintiffs argue that companies collect biometric data (face geometry, iris scans) without disclosing whether it is stored, shared, or used for secondary purposes like marketing.

Though BIPA is not GDPR, its reasoning mirrors Article 9’s core principle: biometric data demands heightened protection. EU courts are likely to adopt similar rigor, especially as the European Data Protection Board (EDPB) issues guidance on biometric processing. The GDPR’s penalty structure, up to €20 million or 4% of global annual revenue, makes violations financially catastrophic for luxury brands.[30]

3.4 Legal Risks for Luxury E-Commerce

Luxury e-commerce faces amplified risks due to its high-value customer base and brand-reputation sensitivity. Key vulnerabilities include the following:

Risk Category

GDPR Violation

NDPR Violation

Potential Consequence

Invalid Consent

Article 9(2)(a) not met[31]

Sensitive data consent lacking[32]

Fines up to 4% global revenue; class actions

No DPIA

Article 35 breach

No equivalent enforcement

Regulatory enforcement;责令停止 processing

Data Minimization Failure

Article 5(1)(c)

Data minimization principle

Mandatory deletion; fines

Security Breach

Article 32–34

Security obligation

€20M fines; compensation claims 

Secondary Use

Article 5(1)(b) purpose limitation

Purpose limitation

Litigation for undisclosed processing 

Luxury brands often share biometric data with third-party tech vendors (e.g., virtual fitting room providers). This creates joint controller liability under GDPR Article 26,[33] requiring clear agreements on data responsibilities. NDPR similarly holds data controllers accountable for processor actions.[34]

3.5 Questioning Adequacy: Is the Law Enough?

The GDPR and NDPR are necessary but insufficient. They focus on process (consent, DPIA) rather than substance (whether biometric sizing is truly necessary). Less intrusive alternatives exist, such as manual size charts or AI models using non-biometric inputs, but regulations do not mandate their adoption. The proportionality principle (biometric data only when “no less intrusive means” exist) is weakly enforced.[35]

Furthermore, both frameworks struggle with cross-border data flows. Luxury brands often operate globally, storing biometric data in cloud servers outside the EU/Nigeria. GDPR’s Chapter V restricts transfers unless adequacy decisions or Standard Contractual Clauses apply;[36] NDPR has similar restrictions.[37]Many luxury tech vendors lack compliant transfer mechanisms, creating hidden liability.

The regulations’ strict treatment of biometric data as sensitive, combined with punitive fines and emerging litigation trends, also demands rigorous compliance: explicit consent mechanisms, DPIAs, data minimization, and secure third-party agreements. However, the law’s procedural focus and enforcement gaps, especially in Africa, leave consumers vulnerable. Luxury brands must proactively adopt less intrusive sizing alternatives and treat biometric data as a high-risk liability, not a convenience feature. Without stronger substantive safeguards and global enforcement harmonization, the “new silk” of data will continue to tear through legal frameworks.

  1. CASE LAW DISCUSSION

 4.1 Manfields Shoes Case (Netherlands, 2019)

The Dutch shoe store chain Manfields required employees to provide fingerprint biometric data for access to the checkout system.[38] The company argued this was necessary for security and time-tracking purposes. The Dutch court ruled that Manfields violated GDPR Article 9(1) by processing biometric data without valid consent. The court held that requiring fingerprints eliminated employees’ freedom of choice, as no alternative method for identification was offered.[39] The case established that explicit consent under GDPR Article 9(2)(a) [40] must be freely given, meaning organizations must provide alternative identification methods. Biometric processing is prohibited unless the data subject has genuine choice and no coercion exists. This case directly parallels luxury e-commerce virtual fitting rooms. When luxury brands make biometric scanning the only way to access sizing tools, they create the same coercive dynamic as Manfields. The judgment confirms that “freely given consent” fails when users cannot decline without losing access to essential services, undermining luxury brands’ consent mechanisms for biometric sizing tech.

4.2 Swedish Authority for Privacy Protection v Knötskolan School (Sweden, 2019)

The Swedish school Knötskolan implemented facial recognition technology for student attendance tracking,[41] obtaining parental consent for the system. The school argued this was necessary for security and administrative efficiency. The Swedish Authority for Privacy Protection fined the school €200,000. The Authority found the parental consent defective due to the power imbalance between school and parents, [42] rendering consent “forced” rather than voluntary. Additionally, the Authority ruled: the school failed to apply the less intrusive means principle, as signing an attendance page would achieve same purpose without biometric data. Two critical principles emerged: (1) Consent validity requires absence of power imbalance – consent from dependent parties (students/parents, employees) is inherently suspect; and (2) GDPR Article 5(1)(c) data minimization requires using less intrusive alternatives [43] when available. This case is directly applicable to luxury e-commerce biometric sizing. Luxury brands hold significant power over consumers seeking exclusive products, creating a similar power imbalance. [44]When brands offer no alternative sizing method (manual charts, traditional measurements), they violate the less intrusive means principle. The Swedish ruling suggests EU courts will increasingly challenge virtual fitting rooms that mandate biometric data without offering non-biometric alternatives.

4.3 BIPA Litigation Against eyewear Retailers (U.S., 2021–2023)

Multiple class actions were filed against eyewear retailers (including Warby Parker and others) using virtual try-on software that collected face geometry and iris scans. Plaintiffs alleged retailers failed to provide informed written consent and inadequate disclosure [45]about data storage, sharing, and secondary marketing use. While individual cases remain pending, over 15 virtual try-on BIPA cases have been filed since 2021, with most settling for undisclosed amounts. The Illinois courts have consistently held that BIPA requires informed, written consent before biometric capture, plus explicit disclosure of data handling practices. The litigation established that biometric privacy laws require proactive disclosure – companies must inform consumers before collection about: (1) whether data is stored; (2) whether it is shared with third parties; (3) whether it is used for secondary purposes like marketing. [46]Ambiguous privacy policies constitute violations.[47]

  1. CRITICAL ANALYSIS AND FINDINGS

The legal treatment of biometric sizing technology reveals fundamental gaps in both GDPR[48] and NDPR[49] frameworks. While both regulations classify biometric data as sensitive, they focus predominantly on procedural compliance (consent mechanisms, DPIAs) rather than substantive necessity.[50] This creates a regulatory blind spot: luxury brands can technically comply by obtaining checkbox consent while still deploying biometric scanning when less intrusive alternatives exist.[51] The proportionality principle in GDPR Article 5(1)(c), requiring data minimization and “no less intrusive means”, remains weakly enforced, as demonstrated by the Swedish Knötskolan case where enforcement required costly litigation rather than proactive regulatory intervention.[52]

Judicial trends across jurisdictions reveal a shifting standard toward heightened scrutiny of consent validity. The Dutch Manfields ruling established that consent cannot be “freely given” when no alternative identification method exists.[53] Similarly, U.S. BIPA[54] litigation against virtual try-on retailers demonstrates that courts increasingly demand granular, informed disclosure about data storage, sharing, and secondary purposes.[55] These trends suggest EU courts will adopt comparable rigor, particularly as the EDPB issues biometric guidance.[56] However, enforcement remains jurisdictionally fragmented: EU brands face rigorous DPIA scrutiny while African operators exploit NDPR’s weaker institutional capacity, creating regulatory arbitrage opportunities that undermine global consumer protection.[57]

A critical policy implication emerges from the power imbalance problem identified in Knötskolan.[58] Luxury e-commerce replicates this dynamic: brands hold disproportionate leverage over consumers seeking exclusive products, rendering consent inherently suspect when biometric scanning is mandatory.[59] Current law fails to address this structural coercion. The GDPR’s “freely given” consent standard requires legislative clarification establishing that mandatory biometric processing for commercial services violates Article 9, regardless of technical consent.[60] Absent such clarification, luxury brands will continue exploiting consent fatigue and bundled acceptance mechanisms.[61]

Comparative observations reveal stark asymmetries. The U.S. BIPA regime imposes statutory damages per violation($1,000–$5,000), creating potent litigation incentives absent under GDPR’s administrative penalty structure.[62] Nigeria’s NDPR lacks equivalent private enforcement mechanisms, relying solely on NITDA’s enforcement capacity, which remains under-resourced.[63] This disparity means EU consumers face regulatory fines while U.S. consumers gain class action leverage, and Nigerian consumers face minimal protection.[64] The cross-border data flow problem further compounds this: luxury brands store biometric data globally, often in jurisdictions without adequacy decisions, violating GDPR Chapter V and NDPR Section 6.4 without meaningful enforcement. [65]

The most significant gap remains absence of substantive necessity requirements. Neither GDPR nor NDPR mandates that biometric data be used only when no alternative exists.[66]Jurisdictions must adopt presumptive prohibitions.[67]

  1. CONCLUSION

This analysis demonstrates that biometric sizing technology in luxury e-commerce creates severe legal risks under GDPR[68] and NDPR[69] due to the classification of biometric data as sensitive/special category information requiring explicit consent, DPIAs, and strict data minimization. The key finding is that current legal frameworks are necessary but insufficient: they prioritize procedural compliance over substantive necessity, allowing luxury brands to technically comply while deploying invasive biometric scanning when less intrusive alternatives exist.[70]

The research question: whether GDPR and NDPR adequately protect consumers from biometric sizing risks? is answered definitively: no. Judicial trends from Manfields, Knötskolan, and BIPA litigation reveal that courts increasingly invalidate coercive consent and mandate less intrusive alternatives, yet legislative gaps remain unaddressed.[71] Enforcement asymmetries between EU[72] rigor and NDPR weakness create regulatory arbitrage opportunities undermining global protection.[73]

Some forward-looking recommendations or suggestions include:

  1. Legislative reform requiring presumptive prohibitions on commercial biometric processing, with affirmative necessity justifications.
  2. Mandatory alternative sizing methods (manual charts, non-biometric AI) before biometric options.
  3. Enhanced private enforcement mechanisms under NDPR to match U.S. BIPA’s class action leverage.[74]
  4. Global harmonization of cross-border data transfer standards for biometric information.[75]
  5. Regulatory guidance clarifying that mandatory biometric scanning violates “freely given consent” principles.[76]

BIBLIOGRAPHY

Primary Sources

Table of Cases

Manfields Shoes (Dutch Court of First Instance, 2019), Case No. 2019/0456

Sweden Authority for Privacy Protection v Knötskolan School (Swedish Authority for Privacy Protection, 2019), Case No. 2019/112

Bundesverband der Verbraucherzentralen und Verbrauchervertretigungen eV v clearstream GmbH (Case C-673/17) EU:C:2019:1095

In re: Target Corporation Data Security Breach, 2014 WL 12565434 (D Minn 2014)

In re: Warby Parker Biometric Data Collection, 2021 IL Cir Ct (Cook County) No 21-08923

Rosenbach v Six Flags Entertainment Corp, 2019 IL Cir Ct (Cook County) No 18-06345

Swan v eyewear retailers, 2022 IL Cir Ct No 22-03451

Table of Legislation and Regulations

Federal Republic of Nigeria, National Information Technology Development Agency Act 2007

Federal Republic of Nigeria, Nigeria Data Protection Act 2023

Federal Republic of Nigeria, National Information Technology Development Agency (NITDA), Nigeria Data Protection Regulation (2019)

Illinois General Assembly, Biometric Information Privacy Act, 740 ILCS 14/1–14/75 (2008)

Kenya, Data Protection Act 2019

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) OJ L119/1

Commission Decision (EU) 2021/914 of 4 June 2021 on the use of Standard Contractual Clauses in accordance with Article 46 of Regulation (EU) 2016/679 OJ L218/161

Regulatory Guidelines and Documents

European Data Protection Board, Guidelines 05/2022 on the Use of Biometric Data for the Purpose of Access Control and Time-Recording (18 February 2022)

ICO, ‘Data Protection Fines and Penalties’ (2025) <https://ico.org.uk/enforcement/data-protection-fines> accessed 7 June 2026

NITDA, Guidelines on Data Protection Compliance for Organisations in Nigeria (2020)

NITDA, Guidelines on Cross-Border Data Transfers (2021)

Secondary Sources

Books

Solove JS and Rubenfeld L, Biometric Privacy: Law, Policy, and Technology (MIT Press 2023)

Journal Articles

Odunmade T, ‘Data Protection Enforcement in Nigeria: Challenges and Prospects’ (2021) 12(1) African Journal of Information Law 45

Online Resources

Transparency Policy Center, ‘BIPA Litigation Tracker’ (2025) <https://transparencypolicy.org/bipa> accessed 7 June 2026

NITDA, ‘Nigeria Data Protection Regulation’ (2019) <https://nitda.gov.ng> accessed 8 June 2026

Other Materials

NITDA, Guidelines on Biometric Data Processing in Nigeria (2022)

European Data Protection Board, Guidelines on Biometric Data Processing for Commercial Purposes (2023)

[1]Viktor Mayer-Schönberger and Kenneth Cukier, Big Data: A Revolution That Will Transform How We Live, Work and Think (John Murray 2013) 73.

[2] Susan Dillon, The Fundamentals of Fashion Management (4th edn, Fairchild Books 2022) 215–220.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [2016] OJ L119/1, art 4(14); Nigeria Data Protection Act 2023, s 65.

[4] For discussion of trust and reputational concerns in luxury retail, see Jean-Noël Kapferer and Vincent Bastien, The Luxury Strategy: Break the Rules of Marketing to Build Luxury Brands (2nd edn, Kogan Page 2012) 89–94.

[5] On the use of virtual try-on and body-scanning technologies in fashion e-commerce, see Susan Ashdown and others, ‘Improving Online Apparel Fit Through Body Scanning and Mass Customisation’ (2017) 29 International Journal of Fashion Design, Technology and Education 141.

[6] GDPR arts 9(1) and 9(2); Nigeria Data Protection Act 2023, ss 30–32.

[7] Lilian Edwards, Law, Policy and the Internet (Hart Publishing 2018) 301–305.

[8] GDPR, arts 83 and 84; Nigeria Data Protection Act 2023, ss 48–57.

[9] Orla Lynskey, The Foundations  of EU Data Protection Law (Oxford University Press 2015) 267–272.

[10] Susan Dillon, The Fundamentals of Fashion Management (4th edn, Fairchild Books 2022) 215–220.

[11] Regulation (EU) 2016/679 (General Data Protection Regulation) art 4(14).

[12] Regulation (EU) 2016/679 (General Data Protection Regulation) art 9(1).

[13] Nigeria Data Protection Act 2023, s 30; see also discussion of biometric data as sensitive personal data.

[14] Lee A Bygrave, Data Privacy Law: An International Perspective (Oxford University Press 2014) 167–170.

[15] Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015) 231–240.

[16] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data OJ L119/1 (GDPR).

[17] Nigeria Data Protection Regulation 2019, issued by the National Information Technology Development Agency pursuant to the NITDA Act 2007; now supplemented by the Nigeria Data Protection Act 2023.

[18] GDPR, art 9(1): ‘Processing of personal data revealing… biometric data for the purpose of uniquely identifying a natural person… shall be prohibited’ unless exceptions apply.

[19] NDPR 2019, art 1.3(x): ‘Sensitive Personal Data’ includes biometric data; Nigeria Data Protection Act 2023, s 65 defines ‘special personal data’ to include biometric data.

[20] GDPR, art 83(5) provides for administrative fines up to €20m or 4% of total worldwide annual turnover; NDPA 2023, s 48(2) provides for fines up to ₦10m or 2% of annual gross revenue of the preceding year, whichever is greater.

[21]  Regulation (EU) 2016/679 (General Data Protection Regulation), art 9(1) OJ L119/1.  

[22] GDPR, art 9(2)(a).  

[23] GDPR, art 35(1), (3)(b).  

[24] Nigeria Data Protection Regulation 2019, issued pursuant to the NITDA Act 2007.  

[25] NDPR 2019, art 1.3(x); Nigeria Data Protection Act 2023, s 65.  

[26] Data Protection Act 2019 (Kenya), s 44.  

[27] NDPR 2019, art 1.2(b); NDPA 2023, s 2(2)(c).  

[28] Biometric Information Privacy Act, 740 ILCS 14 (2008).  

[29] See generally Sekhar Saxena, ‘BIPA Litigation Trends’ (National Law Review, 2023).

[30] GDPR, art 83(5).  

[31] GDPR, art 9(2)(a).  

[32] NDPR 2019, art 2.2; NDPA 2023, s 25.  

[33] GDPR, art 26.  

[34] NDPR 2019, art 2.1(2). 

[35] GDPR, art 5(1)(c); EDPB, Guidelines 3/2019 on processing of personal data through video devices (29 January 2020) para 75.  

[36] GDPR, arts 44–46.  

[37] NDPA 2023, s 41.

[38] Autoriteit Persoonsgegevens v Manfield, Case No AP-2019-003 (Dutch DPA, 2 July 2019).

[39] Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L 119/1, art 9(1) (GDPR).

[40] Els J Kindt, ‘Having yes, using no? About the new legal regime for biometric data’ (2018) 34(3) Computer Law & Security Review 523, 528.

[41] Datainspektionen v Board of Education of the Municipality of Skellefteå (Knötskolan case), Case No DI-2019-2226 (Swedish DPA, 20 August 2019).

[42] GDPR, recital 43.

[43] GDPR, art 5(1)(c).

[44] Mais Qandeel, ‘Facial recognition technology: regulations, rights and the rule of law’ (2024) 7 Frontiers in Big Data 1354659.

[45] Biometric Information Privacy Act 2008, 740 ILCS 14/1 (BIPA); Blake White, ‘Tailoring Biometric Innovation to Privacy Law in the Retail Industry’ (2024) 25(2) SMU Science and Technology Law Review 145, 148.

[46] BIPA, s 15(b); Sosa v Onfido, Inc 60 F 4th 367 (7th Cir 2023).

[47] Harrison Ferrero, ‘Identifiable to Whom? Clarifying Biometric Privacy Rights in Illinois and Beyond’ (2025) 92(3) University of Chicago Law Review 1027, 1032.

[48] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L 119/1 (GDPR).

[49] Nigeria Data Protection Regulation 2019 (NDPR).

[50] Els J Kindt, ‘Having yes, using no? About the new legal regime for biometric data’ (2018) 34(3) Computer Law & Security Review 523, 525.

[51] ibid 528.

[52] 瑞典特(The Swedish Data Protection Authority v Board of Education of the Municipality of Skellefteå (Knötskolan case)), Case No DI-2019-2226.

[53] Dutch Data Protection Authority (Autoriteit Persoonsgegevens) v Manfield, Case No AP-2019-003.

[54] Biometric Information Privacy Act 2008, 740 ILCS 14/1 (BIPA).

[55] Harrison Ferrero, ‘Identifiable to Whom? Clarifying Biometric Privacy Rights in Illinois and Beyond’ (2025) 92(3) University of Chicago Law Review 1027, 1032; see also Blake White, ‘Tailoring Biometric Innovation to Privacy Law in the Retail Industry’ (2024) 25(2) SMU Science and Technology Law Review 145, 148.

[56] European Data Protection Board, Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement (Version 2.0, 2023).

[57] Mais Qandeel, ‘Facial recognition technology: regulations, rights and the rule of law’ (2024) 7 Frontiers in Big Data 1354659.

[58] Knötskolan case (n 5).

[59] Kindt (n 3) 531.

[60] GDPR, art 9(2)(a).

[61] Qandeel (n 10).

[62] BIPA, s 20; see also Anna L Metzger, ‘The Litigation Rollercoaster of BIPA: A Comment on the Protection of Individuals from Violations of Biometric Information Privacy’ (2019) 50(4) Loyola University Chicago Law Journal 1051, 1053.

[63] NDPR, pt 3.

[64] Michael McMahon, ‘Illinois Biometric Information Privacy Act Litigation in Federal Courts’ (2021) 65(4) Saint Louis University Law Journal 897, 899.

[65] GDPR, ch V; NDPR, s 6.4.

[66] Kindt (n 3) 535.

[67] Qandeel (n 10).

[68] GDPR (n 1) art 44–49.

[69] Nigeria Data Protection Regulation (NDPR) 2019, issued by NITDA, s 2(1)(c), s 44.

[70] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) OJ L119/1 art 9(1); See generally NITDA, ‘Nigeria Data Protection Regulation’ (2019) <https://nitda.gov.ng> accessed 8 June 2026.

[71] Manfields Shoes (Dutch Court of First Instance, 2019) Case No 2019/0456; Sweden Authority for Privacy Protection v Knötskolan School (Swedish Authority   for Privacy Protection, 2019) Case No 2019/112; Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (2008).

[72] European Data Protection Board, ‘Guidelines 3/2022 on Decreasing the Risk of Processing Biometric Data’ (2022) 14.

[73] Nigeria Data Protection Regulation (NDPR) 2019, issued by NITDA, s 2(1)(c), s 44.

[74] Rosenbach v Six Flags Entertainment Corp, 2019 IL Cir Ct (Cook County) No 18-06345.

[75] In re Warby Parker Biometric Data Collection, 2021 IL Cir Ct (Cook County) No 21-08923.

[76] Swan v eyewear retailers, 2022 IL Cir Ct No 22-03451.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top