Global Regulatory Compliance by Design
How Ping Products Meet Regulations
This chart shows how key PingOne services map to common identity and privacy regulations, so you can quickly see what’s already supported and what you can configure to meet your requirements.
Persistent
Biometric Database
United States
Executive Summary
The United States maintains a multi-layered privacy, biometric, and cybersecurity regulatory landscape, where the applicability of federal, state, and sector-specific laws may depend on the types of personal data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, or identity verification), the state(s) of the end user’s residence, and how a Ping Identity solution is configured and deployed.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
Comprehensive State Privacy Laws
Scope: Comprehensive state privacy laws in a growing number of U.S. states (e.g., CA, CO, VA, CT, UT, TX, OR, MT, IN, IA, TN, DE, and NJ) regulate identity-related and sensitive data (including biometrics and government IDs), establish consumer rights, and impose controller–processor contractual obligations.
Core Obligations:
- Notice at or before collection
- Disclosure of categories and purposes
- Consumer rights (access, deletion, correction, limit use of SPI)
- Service provider contractual controls
- Risk assessments
- Safeguards
- Offer opt-out rights for profiling in furtherance of decisions producing legal or similarly significant effects (in certain states)
Gramm-Leach-Bliley Act (GLBA)
Scope: Applies to financial institutions (e.g., banks, lenders, fintechs) that collect, process, or share nonpublic personal information (NPI) about consumers in connection with financial products or services. GLBA obligations may apply in parallel with state privacy, biometric, and cybersecurity laws depending on the organization’s business model, regulated status, and use of PingOne services.
Core Obligations:
- Privacy Rule:
- Provide initial and annual privacy notices
- Describe data collection, use, and sharing practices
- Safeguards Rule:
- Implement a comprehensive information security program
- Conduct risk assessments and monitor service providers
- Data sharing limitations:
- Restrict disclosure of NPI to non-affiliated third parties
- Pretexting protections:
- Prevent unauthorized access to financial information
Relevance to PingOne Services:
Health Insurance Portability and Accountability Act (HIPAA)
Scope: Applies to covered entities (health plans, providers, clearinghouses) and their business associates that create, receive, maintain, or transmit protected health information (PHI). HIPAA may be applicable where PingOne Services are used in healthcare authentication or patient access scenarios. HIPAA obligations may apply alongside state privacy, biometric, and cybersecurity laws depending on the organization’s role, the involvement of PHI, and the use of PingOne services.
Core Obligations:
- Privacy Rule:
- Limit use and disclosure of PHI to permitted purposes
- Provide notice of privacy practices
- Security Rule:
- Implement administrative, physical, and technical safeguards
- Ensure access controls, authentication, and audit capabilities
- Breach Notification Rule:
- Notify affected individuals and regulators of breaches involving PHI
- Business Associate Requirements:
- Execute Business Associate Agreements (BAAs) with service providers
Relevance to PingOne Services:
State Biometric & Identity Data Laws
Scope: Several U.S. states have enacted laws regulating the collection and use of biometric identifiers and identity document data (e.g., Illinois BIPA and Texas CUBI).
Core Obligations: Organizations deploying identity verification services for residents of these states should assess whether their configuration involves the processing of biometric identifiers (e.g., facial geometry). Where applicable, these laws may require:
- Provide written notice prior to collection
- Obtain written or electronic informed consent before collecting biometric data (BIPA, CUBI), unless a statutory exception applies, such as BPPA’s “security purpose” exemption for fraud prevention or account protection
- Publish a publicly available biometric retention and deletion policy
- Biometric identifiers must be destroyed once the original purpose is satisfied, and no later than 3 years after the last interaction (BIPA) or not exceeding 1 year after the purpose ends under CUBI, as applicable by jurisdiction.
- Do not sell, lease, trade, or otherwise profit from biometric identifiers
- Implement reasonable security protections
Relevance to PingOne Services:
State Driver's License and ID Data Capture Laws
Scope: Many U.S. states regulate the electronic scanning, storage, and reuse of driver’s license and state ID data (e.g., CA, TX, VA, IL, OR, NH, RI, GA, HI, NE, SC, VT, OH). These laws are generally purpose-limited rather than biometric-specific laws.
Core Obligations: Many states restrict:
- Scanning without consent
- Collection of non-essential fields
- Reuse or resale of scanned data
- Retention beyond the original purpose
Relevance to PingOne Services:
PingOne Verify may process government IDs for identity verification and fraud prevention; essential fields captured by default
Other PingOne services generally do not process government IDs
United Kingdom
Executive Summary
In the UK, Ping Identity products may fall within scope of the UK GDPR, Data Protection Act 2018, and PECR when they process personal data or biometrics, or use cookies and electronic communications. Applicability depends on the data processed, enabled functionality (e.g., SSO, MFA, fraud prevention, identity verification), and deployment configuration.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
UK General Data Protection Regulation (UK GDPR)
Scope: Applies to processing of personal data of UK residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the UK
Relevance to PingOne Services:
Contractual necessity supports core authentication
Legitimate interests supports security and fraud detection
Legal obligation supports regulatory identity verification
Explicit consent or substantial public interest may support biometric processing (can be presented in-flow (e.g., via PingOne DaVinci))
Data Protection Act 2018
Scope: Supplements the UK GDPR. Sets out the ICO’s enforcement powers, added safeguards for special category and criminal offence data, and UK-specific accountability rules for high-risk processing. Applies to organizations processing personal data in the UK, including identity, authentication, fraud, and biometric data.
Core Obligations:
- Accountability: Maintain ROPAs and conduct DPIAs for high-risk processing (e.g., biometrics, profiling)
- Special Category Data: Meet Article 9 condition + Schedule 1 safeguards (policy document if required)
- Criminal Data: Ensure specific lawful authority and enhanced protections
- Security: Implement appropriate safeguards and compliant processor oversight
Relevance to PingOne Services:
Privacy and Electronic Communications Regulations (PECR)
Scope: Governs electronic communications in the UK, including cookies, device access, electronic marketing, and traffic/location data. PECR applies alongside the UK GDPR and is relevant where identity services use cookies, device fingerprinting, session tracking, SMS authentication, push notifications, or email verification.
Core Obligations:
- Consent: Obtain consent before using non-essential cookies or similar tracking tools; provide clear notice.
- Data Handling: Keep communications data secure and confidential.
- Messaging: Separate service messages (e.g., auth codes) from marketing.
- Security: Apply appropriate safeguards to authentication and identity networks.
Relevance to PingOne Services:
European Union
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
This section provides the core obligations under the GDPR and EU AI Act. Local implementing laws and regulator guidance may add country-specific rules (including biometric, telecoms, and eID requirements), which organizations should review in addition to this guide.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
For most deployments, the customer acts as a data controller and Ping acts as a processor. Customers remain responsible for lawful basis, consent, and retention policies.
Ping Identity may act as an independent controller for limited internal business purposes including platform security, fraud prevention, improvement of the products, and operational processing activities.
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Australia
Executive Summary
Australia applies a principles-based privacy framework under the Privacy Act 1988 (Cth), supplemented by the Australian Privacy Principles (APPs). Biometric data and government-issued identity data are generally treated as sensitive information, requiring consent (typically express) and clear justification for collection and use.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, data categories processed, and customer configuration choices.
Privacy Act 1988 (Australian Privacy Principles)
Scope: Applies to private-sector organizations handling personal information in Australia.
Core Obligations:
- Lawful and fair collection: Only collect information reasonably necessary for functions
- Consent for sensitive data: Biometric data generally requires express consent
- Purpose limitation: Use and disclose data only for the primary purpose (or closely related purposes)
- Data minimization: Avoid excessive collection
- Transparency: Provide clear privacy notices
- Security safeguards: Protect personal information from misuse, loss, or unauthorized access
- Cross-border transfers: Allowed with accountability obligations
Relevance to PingOne Services:
Austria
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Belgium
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Brazil
Executive Summary
Brazil regulates personal data under the Lei Geral de Proteção de Dados (LGPD), a comprehensive privacy law similar in structure to GDPR. Legal basis is required for all processing, especially sensitive data, including biometrics.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, data categories processed, and customer configuration choices.
LGPD (Lei Geral de Proteção de Dados)
Scope: Applies to processing of personal data in Brazil.
Core Obligations:
- Lawful basis required (e.g., consent, legitimate interest)
- Sensitive data restrictions: biometrics require stricter conditions
- Transparency and notice requirements
- Data subject rights (access, deletion, portability)
- Data minimization and purpose limitation
- Security and breach notification obligations
Relevance to PingOne Services:
Canada
Executive Summary
Canada applies a principles-based privacy framework, where applicability may depend on the types of personal data processed (including biometric and identity document data), the functionality enabled (e.g., identity verification, fraud prevention, authentication), the province of the end user (e.g., Québec vs. other provinces), and how a Ping Identity solution is configured and deployed.
Canada’s federal law (PIPEDA), alongside provincial regimes (notably Québec Law 25), places strong emphasis on meaningful consent, data minimization, and accountability, particularly for sensitive data such as biometrics.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected Canadian regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, data categories processed, and customer configuration choices.
PIPEDA (Federal Privacy Law)
Scope: Applies to private-sector organizations engaged in commercial activities across Canada, including interprovincial and international data transfers. Governs the collection, use, and disclosure of personal information, including identity and biometric data.
Core Obligations:
- Obtain meaningful consent (often express for sensitive data such as biometrics)
- Provide clear notice of purposes and data use
- Limit collection to what is necessary and proportionate
- Enable individual rights (access and correction)
- Implement appropriate safeguards
- Maintain accountability for third-party processing and cross-border transfers
Relevance to PingOne Services:
Denmark
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Finland
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
France
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Germany
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Hungary
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
India
Executive Summary
India regulates personal data under the Digital Personal Data Protection Act, 2023 (DPDP Act). The framework is consent-driven with evolving interpretation. Identity and biometric data may trigger heightened compliance considerations depending on the deployment context, applicable sectoral requirements, and the types of verification workflows implemented (e.g., financial services, telecom, or digital onboarding).
India maintains a highly regulated digital identity ecosystem, particularly in financial services and telecom onboarding contexts. Applicability of sector-specific obligations may vary depending on whether deployments interact with regulated onboarding, KYC, financial services, telecom, or digital identity frameworks.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, data categories processed, and customer configuration choices.
Digital Personal Data Protection Act (DPDP)
Scope: Applies to processing of digital personal data in India. The DPDP Act’s implementation remains subject to evolving subordinate rules, regulatory guidance, and enforcement practices.
Core Obligations:
- Consent-based processing
- Purpose limitation
- Data minimization
- Data fiduciary obligations
- Individual rights (access, correction, erasure)
- Security safeguards
Relevance to PingOne Services:
Ireland
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Italy
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Netherlands
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
New Zealand
Executive Summary
New Zealand regulates personal information under the Privacy Act 2020, supported by Information Privacy Principles (IPPs). The framework emphasizes transparency, purpose limitation, proportionality, and reasonable safeguards when processing personal information.
The Office of the Privacy Commissioner (OPC) oversees enforcement and guidance under the Privacy Act 2020, including expectations relating to transparency, proportionality, safeguards, and cross-border disclosures.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, data categories processed, and customer configuration choices.
Privacy Act 2020
Scope: Applies to agencies handling personal information in New Zealand.
Core Obligations:
- Purpose specification: Collect data for lawful purposes
- Data minimization: Avoid excessive collection
- Transparency: Provide clear privacy notices
- Access and correction rights
- Security safeguards: Protect personal information from misuse, loss, or unauthorized access
- Cross-border transfers: Require comparable safeguards
Relevance to PingOne Services:
Singapore
Executive Summary
Singapore regulates personal data under the Personal Data Protection Act (PDPA), which emphasizes consent, purpose limitation, retention controls, and accountability. Identity and biometric data are generally treated as sensitive in practice, requiring careful handling and justification.
Applicability depends on how PingOne Services are deployed.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, data categories processed, and customer configuration choices.
Personal Data Protection Act (PDPA)
Scope: Applies to organizations collecting, using, or disclosing personal data in Singapore.
Core Obligations:
- Consent: Required for collection and use
- Purpose limitation: Use only for notified purposes
- Notification: Inform individuals of purposes
- Data minimization: Collect only necessary data
- Accuracy and protection obligations
- Retention limitation and controls
- Cross-border transfer restrictions
- Data Protection Officer (DPO) mandatory
Relevance to PingOne Services:
Spain
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Sweden
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Substantial public interest applies in limited statutory circumstances; or
Explicit consent may justify biometric processing (e.g., captured in-flow via PingOne DaVinci); provide a non-biometric alternative if required by law and an individual declines consent. Where individuals decline biometric verification or where biometric processing is not appropriate, customers may perform in-person manual identity verification.
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Sample Consent Language
Sample Notice and Consent Language
For Informational Purposes Only – Not Legal Advice
This sample language is provided for informational purposes only and does not constitute legal advice. Applicability of U.S. privacy, biometric, and driver’s license laws depends on an organization’s specific use case, configuration, and jurisdiction. Organizations are responsible for determining how laws apply to their deployment and should consult qualified legal counsel regarding compliance obligations.
Identity Services Data Processing Notice & Consent (No Biometric Data)
We use identity and access management technologies to protect your account and prevent fraud. When you sign in or access this service, we collect and process personal information such as:
- Identifiers (e.g., username, email address)
- Authentication credentials
- Device and usage information (e.g., IP address, browser type, device identifiers)
- Security and risk-related information generated during authentication
We use this information to:
- Authenticate your identity
- Authorize access to your account
- Detect, prevent, and investigate fraud or suspicious activity
- Maintain the security and integrity of our services
- Comply with legal obligations
Authentication and fraud prevention may involve automated systems that analyze risk signals associated with your login or activity and may result in an access decision.
We retain personal information only as long as reasonably necessary for security, fraud prevention, legal compliance, and operational purposes, after which it is securely deleted or de-identified.
Depending on your location, you may have rights regarding your personal information, including rights to access, correction, deletion, and restriction of certain processing activities. For more information about how we handle personal information and your applicable privacy rights, please review our Privacy Notice.
By selecting “Continue,” you acknowledge that you have read this notice and consent to the collection and processing of your personal information for these purposes.
[Continue] [Cancel]
Identity Services Data Processing Notice & Consent (Including Biometric Data)
We use identity and access management technologies to protect your account, prevent fraud, and maintain the security of our services. When you sign in or access this service, we collect and process personal information such as:
- Identifiers (e.g., name, username, email address, phone number)
- Device information (e.g., IP address, browser type, device identifiers)
- Government-issued identification documents, including information extracted from your ID (e.g., photo, name, date of birth, ID number, expiration date)
- Biometric data (e.g., facial geometry)
We use this information to:
- Authenticate and/or verify your identity
- Authorize access to your account
- Detect, prevent, and investigate fraud or suspicious activity
- Perform facial comparison or liveness detection to confirm that you are the authorized account holder
- Maintain the security and integrity of our services
- Comply with legal obligations
We do not use biometric information for marketing, advertising, profiling for unrelated purposes, or sale.
Authentication and fraud prevention may involve automated systems that analyze risk signals associated with your login or activity and may result in an access decision. Where biometric verification is enabled, automated facial comparison technologies may be used as part of that process.
We retain personal information, including biometric information where applicable, only as long as reasonably necessary for security, fraud prevention, legal compliance, and operational purposes, after which it is securely deleted or de-identified in accordance with our retention policies.
Depending on your location, you may have rights regarding your personal information, including rights to access, correction, deletion, and restriction of certain processing activities. For more information about how we handle personal information and your applicable privacy rights, please review our Privacy Notice.
By selecting “Continue,” you acknowledge that you have read this notice and consent, where required by applicable law, to the collection and processing of your personal information, including biometric information, for the purposes stated herein.
Sample Privacy Notice Language
Sample Biometric Policy Language
For Informational Purposes Only – Not Legal Advice
This sample language is provided for informational purposes only and does not constitute legal advice. This sample is only a starting point; organizations should tailor it to the specific jurisdictions and statutory definitions (e.g., BIPA, CUBI, Québec Law 25) that apply to their deployment. The applicability of other privacy, biometric, or identity document laws depends on an organization’s specific use case, configuration, jurisdiction, and role. Organizations are responsible for determining how laws apply to their deployment and should consult qualified legal counsel regarding compliance obligations.
Biometric Data Privacy Policy
Effective Date: [Insert Date]
Last Updated: [Insert Date]
This Biometric Data Privacy Policy (“Policy”) describes how [Company Name] (“Company,” “we,” “us,” or “our”) collects, uses, stores, safeguards, and deletes biometric identifiers and biometric information in connection with identity verification and fraud prevention activities. This Policy applies to individuals whose biometric data is collected through our identity verification processes.
- Purpose
This Policy is intended to address applicable biometric privacy laws, including U.S. state biometric privacy laws, U.S. comprehensive privacy laws, EU General Data Protection Regulation (GDPR), and the UK GDPR, and other applicable global privacy frameworks. Biometric data may be considered “special category” personal data under GDPR/UK GDPR and “sensitive personal information” under certain U.S. state laws.
We collect and process biometric identifiers solely for legitimate business purposes, including:
- Identity verification, including during onboarding or account access
- Document authentication
- Fraud prevention and detection
- Protecting accounts and systems
- Compliance with legal and regulatory obligations
Biometric data is not sold, leased, traded, or otherwise profited from.
- Categories of Biometric Data Collected
Depending on the services being used and configuration settings, we may collect and process the following biometric data:
- Facial geometry data extracted from a selfie and/or government-issued ID photo
- Biometric templates generated from facial images
- Facial similarity or match scores generated during 1:1 face comparison
- Liveness detection results to confirm a live human presence
- Confidence scores associated with biometric verification results
“Biometric information” means information based on a biometric identifier used to identify an individual. We do not use biometric data for surveillance, marketing, behavioral profiling unrelated to identity verification, or 1:many biometric identification searches across unrelated individuals.
- Legal Basis and Consent
Where required by applicable law, we:
- Provide advance notice that biometric identifiers will be collected
- Process biometric data only where a valid lawful basis for special category data applies. Depending on the context, this may include explicit consent of the individual; substantial public interest (where applicable under law); establishment, exercise, or defense of legal claims; or compliance with legal obligations.
- Offer individuals the opportunity to decline biometric processing (where feasible and legally required)
Consent records are maintained in accordance with applicable legal requirements.
- Retention Schedule
We retain biometric identifiers and biometric information only for as long as necessary to fulfill the purpose for which they were collected. Biometric images and derived templates are deleted promptly after completion of the identity verification process. In certain implementations, biometric data may be cached for a short operational period (e.g., up to 30 minutes) to complete processing. If retention is required for fraud investigation, legal compliance, audit, or dispute resolution purposes, biometric data may be retained for a defined period consistent with applicable law and business necessity.
Biometric identifiers will be permanently deleted when the original purpose for collection has been satisfied; or within the time period required by applicable law (e.g., no later than three years after the individual’s last interaction with the Company, where required by statute), whichever occurs first.
- Safeguards and Security Measures
We implement reasonable administrative, technical, and physical safeguards designed to protect biometric data from unauthorized access, acquisition, disclosure, alteration, or destruction. Administrative safeguards may include role-based access controls, confidentiality obligations for personnel, vendor due diligence and contractual data protection obligations, and incident response and breach notification procedures.
Technical safeguards may include encryption in transit and at rest, secure API communications, network segmentation, access logging and monitoring, automated deletion workflows, and secure key management practices. Physical safeguards may include secure data center environments and access-controlled facilities. Biometric data is treated as sensitive data and subject to heightened protection controls.
- Disclosure of Biometric Data
We do not disclose biometric identifiers except to service providers acting on our behalf under written agreements requiring confidentiality and data protection; as required by law, subpoena, court order, or other valid legal process; to detect, investigate, or prevent fraud or security incidents; or with the individual’s consent. We do not sell biometric data.
- International Data Transfers
Where biometric data is transferred outside the country of collection (including transfers from the EU/UK to the United States or other jurisdictions), we implement appropriate safeguards as required by applicable law, which may include Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other approved transfer mechanisms. Individuals may request additional information regarding applicable transfer safeguards.
- Individual Rights
Subject to applicable law, individuals may have the right to:
- Request access to personal information we maintain
- Request deletion of biometric data
- Withdraw consent (where consent is the legal basis for processing)
- Receive information about our data handling practices
Requests may be submitted to: [Insert Privacy Contact Email or Portal]
- Updates to This Policy
We may update this Biometric Privacy Policy from time to time to reflect changes in technology, law, or business operations. Updates will be posted with a revised effective date. Where required by applicable law, material changes will be communicated in advance.
This guide is provided for informational purposes only and does not constitute legal advice. While Ping Identity provides features and configurations intended to support compliance with global privacy laws, the regulatory landscape is complex and varies by jurisdiction, specific use cases, configurations, and operational context. Customers are responsible for ensuring their specific configuration and data processing activities comply with all applicable laws.
(function privacyGuideQuizResponsesRefactor() {
const REVEAL_DELAY_MS = 2000;
const TOC_OBSERVER_TIMEOUT_MS = 3000;
const COUNTRY_QUESTION = "Next, Let's Get Specific.";
const ALWAYS_VISIBLE_SECTIONS = [
"global-regulatory-compliance-by-design",
"sample-consent-language",
"sample-privacy-notice-language"
];
let revealTimer = null;
let tocObserver = null;
let tocObserverTimer = null;
let isRevealed = false;
const normalizeText = (value) => (value || '').trim().toLowerCase();
function clearAsyncHandles() {
if (revealTimer) { window.clearTimeout(revealTimer); revealTimer = null; }
if (tocObserver) { tocObserver.disconnect(); tocObserver = null; }
if (tocObserverTimer) { window.clearTimeout(tocObserverTimer); tocObserverTimer = null; }
}
function reveal() {
if (isRevealed) return;
isRevealed = true;
clearAsyncHandles();
document.body.classList.add('appear');
}
function decodeQuizResponses(rawValue) {
if (!rawValue) return null;
const decodedUri = decodeURIComponent(rawValue);
const base64Normalized = decodedUri.replace(/-/g, '+').replace(/_/g, '/');
const paddingLength = (4 - (base64Normalized.length % 4)) % 4;
const base64Padded = `${base64Normalized}${'='.repeat(paddingLength)}`;
try {
return JSON.parse(window.atob(base64Padded));
} catch (error) {
try { return JSON.parse(decodedUri); } catch (parseError) { return null; }
}
}
function getSelectedCountries(payload) {
if (!payload || !Array.isArray(payload.responses)) return [];
const countryEntry = payload.responses.find((entry) => entry.question === COUNTRY_QUESTION);
const answers = Array.isArray(countryEntry?.answers) ? countryEntry.answers : [];
return answers.map(normalizeText).filter(Boolean);
}
function buildSections(article) {
const wrappers = Array.from(article.children);
const sections = [];
let activeSection = null;
wrappers.forEach((wrapper, index) => {
const h2 = wrapper.querySelector(':scope > h2');
if (h2) {
activeSection = {
heading: h2.textContent.trim(),
id: h2.id || '',
start: index,
end: index,
};
sections.push(activeSection);
return;
}
if (activeSection) {
activeSection.end = index;
}
});
return { wrappers, sections };
}
function collectSubheadings(wrappers, start, end) {
const headings = [];
wrappers.slice(start, end + 1).forEach((wrapper) => {
wrapper.querySelectorAll('h3, h4, h5, h6').forEach((heading) => {
headings.push(heading.textContent.trim());
});
});
return headings;
}
function applySectionVisibility(article, selectedCountries) {
const { wrappers, sections } = buildSections(article);
if (!sections.length) return null;
const selectedSet = new Set(selectedCountries);
const visibleHeadings = new Set();
const staticWhitelist = ALWAYS_VISIBLE_SECTIONS.map(normalizeText);
sections.forEach((section) => {
const sectionText = normalizeText(section.heading);
const sectionId = normalizeText(section.id);
const isStatic = staticWhitelist.includes(sectionId) || staticWhitelist.includes(sectionText);
const isSelected = selectedSet.has(sectionText) || selectedSet.has(sectionId);
const shouldShow = isStatic || isSelected;
for (let index = section.start; index <= section.end; index += 1) {
wrappers[index].hidden = !shouldShow;
}
if (shouldShow) {
visibleHeadings.add(section.heading);
collectSubheadings(wrappers, section.start, section.end)
.forEach((heading) => visibleHeadings.add(heading));
}
});
return visibleHeadings;
}
function filterAccordionToc(tocNav, visibleHeadings) {
const accordionItems = tocNav.querySelectorAll('.toc-item.accordion-item');
if (!accordionItems.length) return false;
const normalizedVisible = new Set(Array.from(visibleHeadings).map(normalizeText));
const whitelistIds = ALWAYS_VISIBLE_SECTIONS.map(normalizeText);
accordionItems.forEach((item) => {
const link = item.querySelector('a.toc-link') || item.querySelector('a');
if (!link) return;
const linkText = normalizeText(link.textContent);
const linkHref = normalizeText(link.getAttribute('href')?.replace('#', ''));
const shouldShow = normalizedVisible.has(linkText) || whitelistIds.includes(linkHref);
item.hidden = !shouldShow;
if (!shouldShow) return;
item.querySelectorAll('.accordion-body a').forEach((subLink) => {
const row = subLink.closest('.toc-item-row') || subLink.closest('li') || subLink;
const subText = normalizeText(subLink.textContent);
const subHref = normalizeText(subLink.getAttribute('href')?.replace('#', ''));
row.hidden = !(normalizedVisible.has(subText) || whitelistIds.includes(subHref));
});
});
return true;
}
function filterFlatToc(tocNav, visibleHeadings) {
const links = tocNav.querySelectorAll('a');
if (!links.length) return false;
const normalizedVisible = new Set(Array.from(visibleHeadings).map(normalizeText));
const whitelistIds = ALWAYS_VISIBLE_SECTIONS.map(normalizeText);
links.forEach((link) => {
const row = link.closest('li') || link.closest('.toc-item-row') || link.closest('.toc-item') || link;
const linkText = normalizeText(link.textContent);
const linkHref = normalizeText(link.getAttribute('href')?.replace('#', ''));
row.hidden = !(normalizedVisible.has(linkText) || whitelistIds.includes(linkHref));
});
return true;
}
function filterToc(visibleHeadings) {
const tocNav = document.querySelector('nav[aria-label="Table of contents"]');
if (!tocNav) return false;
return filterAccordionToc(tocNav, visibleHeadings) || filterFlatToc(tocNav, visibleHeadings);
}
function startTocObserver(visibleHeadings) {
tocObserver = new MutationObserver(() => {
if (filterToc(visibleHeadings)) reveal();
});
tocObserver.observe(document.body, { childList: true, subtree: true });
tocObserverTimer = window.setTimeout(reveal, TOC_OBSERVER_TIMEOUT_MS);
}
revealTimer = window.setTimeout(reveal, REVEAL_DELAY_MS);
const rawParam = new URLSearchParams(window.location.search).get('quizResponses');
if (!rawParam) { reveal(); return; }
const payload = decodeQuizResponses(rawParam);
const selectedCountries = getSelectedCountries(payload);
if (!selectedCountries.length) { reveal(); return; }
document.documentElement.dataset.quizFilter = 'active';
const article = document.querySelector('main article');
if (!article) { reveal(); return; }
const visibleHeadings = applySectionVisibility(article, selectedCountries);
if (!visibleHeadings) { reveal(); return; }
if (filterToc(visibleHeadings)) { reveal(); return; }
startTocObserver(visibleHeadings);
}());