Global Privacy Laws for eKYC¶
Definition¶
A comparative overview of data protection laws worldwide that impact eKYC operations — focusing on biometric data handling, consent requirements, and cross-border data transfers.
Major Privacy Laws¶
| Law | Region | Biometric Rules | Consent | Cross-Border Transfer |
|---|---|---|---|---|
| GDPR | EU/EEA | Special category (Art. 9) when used to uniquely identify a person | Explicit consent, or another Art. 9(2) basis such as substantial public interest under member-state AML law | Adequacy decision, SCCs/BCRs, or an Art. 49 derogation |
| DPDP Act (2023) | India | Personal data; no separate biometric category, consent required | Free, specific, informed, unconditional, unambiguous | Allowed except to countries the central government restricts by notification |
| CCPA/CPRA | California | Sensitive personal information; consumer may limit use and disclosure | Notice at collection; opt-out of sale/sharing | No transfer restriction; service-provider/contractor terms still required |
| BIPA | Illinois | Biometric identifiers and biometric information; written release before collection | Informed written consent mandatory | No transfer rules; retention/destruction schedule applies wherever the data is held |
| LGPD | Brazil | Sensitive personal data; specific, highlighted consent or an Art. 11 legal basis | Specific, highlighted consent | Adequacy decision, standard contractual clauses, or other ANPD-approved safeguards |
| PDPA | Singapore | Personal data; consent, deemed consent, or a statutory exception (e.g. legitimate interests) | Consent framework with deemed consent | Transfer limitation obligation: comparable protection, usually secured by contract |
| PDPA | Thailand | Sensitive data (s. 26); explicit consent unless a listed exception applies | Explicit for biometrics | Adequate protection in the destination, or an exception such as consent or contractual necessity |
| POPIA | South Africa | Special personal information (s. 26); processing prohibited unless a s. 27 exception applies | Consent or another s. 27 exception (e.g. obligation in law) | Adequate protection, binding corporate rules/agreement, consent, or contractual necessity (s. 72) |
| PIPL | China | Sensitive personal information; separate consent plus a personal information protection impact assessment | Separate consent | CAC security assessment, certification, or CAC standard contract, depending on data volume |
BIPA (Illinois) — Special Significance¶
| Aspect | Details |
|---|---|
| Why it matters | The only US biometric statute with a private right of action; individuals can sue without showing actual harm (Rosenbach v. Six Flags, 2019) |
| Requirements | Informed written release before collection; publicly available retention and destruction schedule (destroy when the purpose is satisfied or within 3 years of the last interaction, whichever comes first); disclosure of purpose and duration; no sale of or profit from biometrics; reasonable care in storage |
| Penalties | $1,000 per negligent violation, $5,000 per intentional or reckless violation; since the 2024 amendment (SB 2979) a person accrues at most one violation per collection method, reversing the per-scan accrual of Cothron v. White Castle (2023) |
| Notable cases | Facebook $650M settlement (In re Facebook Biometric Information Privacy Litigation, approved 2021); Google $100M settlement (Rivera v. Google, 2022). Meta's larger $1.4B settlement (2024) was under Texas's CUBI statute, not BIPA |
| Impact on eKYC | Any eKYC provider that collects or stores Illinois residents' biometric identifiers must comply regardless of where the provider is located; out-of-state providers are routinely named in BIPA suits |
Key Takeaways¶
Summary
- Every major jurisdiction now has privacy laws affecting eKYC biometric processing
- GDPR (special-category rules under Art. 9) and BIPA (written release plus a private right of action) impose the heaviest obligations on biometric processing
- Consent models vary: explicit (GDPR, Thailand PDPA), written release (BIPA), separate consent plus impact assessment (PIPL), opt-out of sale/sharing (CCPA), free/specific/informed consent (DPDP)
- Cross-border transfer rules range from none (CCPA, BIPA) through blacklist-based (DPDP) to mechanism-based (GDPR adequacy/SCCs, PIPL security assessment or standard contract)
- eKYC providers operating globally must implement jurisdiction-aware data handling: record the subject's jurisdiction with each biometric record and enforce the matching consent type, retention limit, and transfer mechanism