Consent is one of the lawful grounds for processing personal data, and for biometrics it is often the only realistic one. Under GDPR consent must be freely given, specific, informed, and unambiguous (Article 4(11) and Article 7) — a genuine, documented choice, not a pre-ticked box or a condition buried in fine print. For special-category biometric data under Article 9 it must be explicit; under Illinois BIPA, capturing a biometric identifier requires informed written consent before capture.

In surveillance, consent's usefulness depends heavily on the setting. In a controlled space — employees enrolling in a face-based access system, a venue where entry is conditioned on opt-in — consent can be obtained and recorded properly. In open public CCTV it usually cannot: you cannot get freely given, specific consent from everyone who walks past a camera, which is precisely why ordinary CCTV relies on legitimate interest or a public-task basis instead, and why face recognition on the public is so legally fraught.

The pitfalls are assuming a sign equals consent and ignoring withdrawal. A posted notice provides transparency but is not the same as consent — treating "by entering you consent" as a valid basis for biometric capture is a common and serious error, especially under BIPA's written-consent requirement. Consent must also be as easy to withdraw as to give, and withdrawal must actually stop the processing and trigger deletion. Use consent where it can be genuinely obtained (controlled, opt-in settings), and use a different lawful basis where it cannot. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.