Biometric data is information about a person's physical or behavioural characteristics that can be used to identify them — a face template, a fingerprint, an iris pattern, a voiceprint, or a distinctive gait. In a surveillance context the key example is the numeric "template" a face-recognition system creates: it is not a photo but a mathematical signature derived from a face, and because it can single out a specific individual it gets the law's heaviest protection.
Under GDPR, biometric data processed to uniquely identify someone is special-category data (defined in Article 4(14), governed by Article 9), which is prohibited unless a narrow condition such as explicit consent is met — a much higher bar than ordinary personal data. In the US, Illinois BIPA and similar state laws impose consent and, in Illinois, a private right of action. The crucial distinction is between merely detecting a person (generally not biometric) and recognising who they are from a biometric trait (squarely biometric): person and vehicle detection usually stay clear of this category, while face or gait recognition does not.
The pitfall is crossing into biometric processing without realising the legal gate has moved. Adding face recognition, gait analysis, or face-based search to an existing camera system converts ordinary personal-data processing into special-category processing, triggering Article 9 conditions, a DPIA, and in some US states statutory-damages exposure — before any technical benefit is realised. Identify whether a feature creates or matches a biometric template, and clear the legal basis first. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.
