What biometric uses does the EU AI Act prohibit?

Among the prohibited practices are real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), untargeted scraping of facial images to build recognition databases, and emotion recognition in workplaces and educational settings, except for safety or medical reasons.

Is all facial recognition banned?

No. Many uses — such as one-to-one verification to unlock your own device, or biometric verification with consent — are permitted but may be classified as high-risk, triggering obligations like risk management, data governance, logging, transparency, and human oversight.

What is the difference between identification and verification?

Verification (one-to-one) confirms you are who you claim to be against a single stored template. Identification (one-to-many) searches a database to find who you are. Remote, one-to-many identification in public spaces attracts the strictest rules; consent-based one-to-one verification is generally lower risk.

Does emotion recognition have special rules?

Yes. The EU AI Act prohibits emotion-recognition systems in the workplace and in education, except where used for medical or safety reasons. Where emotion recognition is permitted elsewhere, transparency obligations require informing the people exposed to it.

Is this policy legal advice?

No. It is a structured starting point reflecting common EU AI Act and data-protection requirements. Biometric data is special-category data with serious legal exposure; have the policy reviewed by qualified counsel before adoption.

Facial Recognition & Biometric AI Policy Generator

Facial recognition & biometric AI policy

Biometric AI — facial recognition, fingerprint matching, emotion detection — is among the most heavily regulated AI under the EU AI Act. Some uses are outright prohibited; many others are high-risk and carry strict obligations. This generator drafts a governance policy that names what the Act prohibits, defines your permitted use cases, sets storage and retention limits for biometric data, and lays out the transparency duties you owe the people the system is used on.

How it works

You describe the system — what it does, where it is deployed, and the jurisdiction — and choose whether it performs verification (one-to-one), identification (one-to-many), or emotion recognition. The tool flags prohibited and high-risk patterns (such as real-time remote identification in public spaces, or emotion recognition at work), then assembles a policy with a prohibited-use section, a permitted-use section, data-minimisation and retention rules, a transparency-and-notice section, and a human-oversight clause. Everything is generated locally.

Tips and notes

Check the prohibition flags first. If your use case is prohibited, no policy makes it compliant — redesign it.
Treat biometric data as special-category. Minimise collection, store templates not raw images where possible, and set a hard retention limit.
Notice is not optional. People must generally be told a biometric system is in use; build that into the deployment.
Have counsel review. Biometric exposure is severe — this is a starting point, not legal advice.