Global Regulatory Compliance by Design
How Ping Products Meet Regulations
This chart shows how key PingOne services map to common identity and privacy regulations, so you can quickly see what’s already supported and what you can configure to meet your requirements.
United States
Executive Summary
The United States maintains a multi-layered privacy, biometric, and cybersecurity regulatory landscape, where the applicability of federal, state, and sector-specific laws may depend on the types of personal data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, or identity verification), the state(s) of the end user’s residence, and how a Ping Identity solution is configured and deployed.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
Comprehensive State Privacy Laws
Scope: Comprehensive state privacy laws in CA, CO, VA, CT, UT, TX, OR, MT, IN, IA, TN, DE, and NJ. Regulate identity-related and sensitive data (including biometrics and government IDs), establish consumer rights, and impose controller–processor contractual obligations.
Core Obligations:
- Notice at or before collection
- Disclosure of categories and purposes
- Consumer rights (access, deletion, correction, and the right to limit use of sensitive personal information (SPI))
- Service provider contractual controls
- Risk assessments
- Safeguards
- Offer opt-out rights for profiling in furtherance of decisions producing legal or similarly significant effects (in certain states)
State Biometric & Identity Data Laws
Scope: Several U.S. states have enacted laws regulating the collection and use of biometric identifiers and identity document data (e.g., Illinois BIPA and Texas CUBI).
Core Obligations: Organizations deploying identity verification services for residents of these states should assess whether their configuration involves the processing of biometric identifiers (e.g., facial geometry). Where applicable, these laws may require:
- Provide written notice prior to collection
- Obtain written or electronic informed consent before collecting biometric data (BIPA, CUBI), unless a statutory exception applies, such as BPPA’s “security purpose” exemption for fraud prevention or account protection
- Publish a publicly available biometric retention and deletion policy
- Destroy biometric identifiers once the original purpose is satisfied, and no later than 3 years after the last interaction (BIPA) or within 1 year after the purpose ends (CUBI), as applicable by jurisdiction
- Do not sell, lease, trade, or otherwise profit from biometric identifiers
- Implement reasonable security protections
Relevance to PingOne Services:
State Driver's License and ID Data Capture Laws
Scope: Many U.S. states regulate the electronic scanning, storage, and reuse of driver’s license and state ID data (e.g., CA, TX, VA, IL, OR, NH, RI, GA, HI, NE, SC, VT, OH). These are generally purpose-limitation laws rather than biometric-specific laws.
Core Obligations: Many states restrict:
- Scanning without consent
- Collection of non-essential fields
- Reuse or resale of scanned data
- Retention beyond the original purpose
Relevance to PingOne Services:
- PingOne Verify may process government IDs for identity verification and fraud prevention; essential fields are captured by default
- Other PingOne services generally do not process government IDs
United Kingdom
Executive Summary
In the UK, Ping Identity products may fall within scope of the UK GDPR, Data Protection Act 2018, and PECR when they process personal data or biometrics, or use cookies and electronic communications. Applicability depends on the data processed, enabled functionality (e.g., SSO, MFA, fraud prevention, identity verification), and deployment configuration.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
UK General Data Protection Regulation (UK GDPR)
Scope: Applies to the processing of personal data of individuals in the UK, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the UK
Relevance to PingOne Services:
- Contractual necessity supports core authentication
- Legitimate interests supports security and fraud detection
- Legal obligation supports regulatory identity verification
- Explicit consent or substantial public interest may support biometric processing (consent can be captured in-flow, e.g., via PingOne DaVinci)
Data Protection Act 2018
Scope: Supplements the UK GDPR. Sets out the ICO’s enforcement powers, added safeguards for special category and criminal offence data, and UK-specific accountability rules for high-risk processing. Applies to organizations processing personal data in the UK, including identity, authentication, fraud, and biometric data.
Core Obligations:
- Accountability: Maintain records of processing activities (ROPAs) and conduct DPIAs for high-risk processing (e.g., biometrics, profiling)
- Special Category Data: Meet an Article 9 condition and the Schedule 1 safeguards (including an appropriate policy document where required)
- Criminal Data: Ensure specific lawful authority and enhanced protections
- Security: Implement appropriate safeguards and compliant processor oversight
Relevance to PingOne Services:
Privacy and Electronic Communications Regulations (PECR)
Scope: Governs electronic communications in the UK, including cookies, device access, electronic marketing, and traffic/location data. PECR applies alongside the UK GDPR and is relevant where identity services use cookies, device fingerprinting, session tracking, SMS authentication, push notifications, or email verification.
Core Obligations:
- Consent: Obtain consent before using non-essential cookies or similar tracking tools; provide clear notice.
- Data Handling: Keep communications data secure and confidential.
- Messaging: Separate service messages (e.g., auth codes) from marketing.
- Security: Apply appropriate safeguards to authentication and identity networks.
Relevance to PingOne Services:
European Union
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to the processing of personal data of individuals in the EU, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
- Contractual necessity supports core authentication
- Legitimate interests supports security and fraud detection
- Legal obligation supports regulatory identity verification
- Explicit consent may justify biometric processing (e.g., consent captured in-flow via PingOne DaVinci); where required by law, provide a non-biometric alternative if an individual declines
- Substantial public interest applies in limited statutory circumstances
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Austria
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
Belgium
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
Denmark
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
Finland
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
France
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
Germany
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
Hungary
The EU GDPR and EU AI Act entries in the European Union section above apply; no additional country-specific regimes are listed.
Ireland, Italy, Netherlands, Spain, Sweden
Executive Summary
Within the European Union, PingOne services may fall within the scope of the GDPR and the EU AI Act when they process personal data, including biometric data. Applicability depends on the specific data processed, the functionality enabled (e.g., SSO, MFA, fraud prevention, identity verification), and the customer’s deployment configuration and use case. The analysis below is the same for each of these EU Member States.
Regulations Applicable to PingOne Services Deployments
This matrix illustrates how selected regulatory regimes may be triggered by different Ping Identity product deployments, depending on the functionality enabled, the categories of data processed, and the customer’s configuration choices.
EU General Data Protection Regulation (GDPR)
Scope: Applies to processing of personal data of EU residents, including collection, authentication, identity verification, authorization, and fraud detection. Biometric data used to uniquely identify a person is treated as special category data and requires heightened protection.
Core Obligations:
- Lawful basis: Establish an Article 6 basis; if using biometrics, document an Article 9 condition
- Transparency: Clearly explain data collected, purposes, retention, and any automated decisions
- Minimization & retention: Limit to necessary data; keep it only as long as needed
- Security: Apply appropriate safeguards
- Data Protection Impact Assessment: Conduct one where processing is likely to result in high risk
- Transfers: Use valid mechanisms for data transferred outside the EU
Relevance to PingOne Services:
Contractual necessity supports core authentication;
Legitimate interests supports security and fraud detection;
Legal obligation supports regulatory identity verification;
Explicit consent may justify biometric processing (e.g., consent captured in-flow via PingOne DaVinci); provide a non-biometric alternative where required by law and the individual declines;
Substantial public interest applies in limited statutory circumstances
EU AI Act
Scope: Establishes a risk-based framework for the development, marketing, and use of AI systems in the EU. Classifies systems as prohibited, high-risk, limited-risk, or minimal-risk, with obligations tied to risk level. Certain biometric systems, including identity verification and facial recognition, may fall within scope depending on functionality and deployment, particularly when used for access to essential services, employment, financial services, or other regulated activities.
Core Obligations:
- Limited-risk systems are primarily subject to transparency obligations, such as informing individuals when interacting with AI or when biometric technologies are used.
- High-risk systems are subject to additional obligations, which may include risk management, dataset governance, technical documentation, logging and traceability, human oversight, and cybersecurity testing.
- Providers of general-purpose AI must maintain technical documentation, manage risks, ensure transparency, implement safeguards, and assess systemic risks for high-impact models.
Relevance to PingOne Services:
Sample Consent Language
Sample Notice and Consent Language
For Informational Purposes Only – Not Legal Advice
This sample language is provided for informational purposes only and does not constitute legal advice. Applicability of U.S. privacy, biometric, and driver’s license laws depends on an organization’s specific use case, configuration, and jurisdiction. Organizations are responsible for determining how laws apply to their deployment and should consult qualified legal counsel regarding compliance obligations.
Identity Services Data Processing Notice & Consent (No Biometric Data)
We use identity and access management technologies to protect your account and prevent fraud. When you sign in or access this service, we collect and process personal information such as:
- Identifiers (e.g., username, email address)
- Authentication credentials
- Device and usage information (e.g., IP address, browser type, device identifiers)
- Security and risk-related information generated during authentication
We use this information to:
- Authenticate your identity
- Authorize access to your account
- Detect, prevent, and investigate fraud or suspicious activity
- Maintain the security and integrity of our services
- Comply with legal obligations
Authentication and fraud prevention may involve automated systems that analyze risk signals associated with your login or activity and may result in an access decision.
We retain personal information only as long as reasonably necessary for security, fraud prevention, legal compliance, and operational purposes, after which it is securely deleted or de-identified.
Depending on your location, you may have rights regarding your personal information, including rights to access, correction, deletion, and restriction of certain processing activities. For more information about how we handle personal information and your applicable privacy rights, please review our Privacy Notice.
By selecting “Continue,” you acknowledge that you have read this notice and consent to the collection and processing of your personal information for these purposes.
[Continue] [Cancel]
Identity Services Data Processing Notice & Consent (Including Biometric Data)
We use identity and access management technologies to protect your account, prevent fraud, and maintain the security of our services. When you sign in or access this service, we collect and process personal information such as:
- Identifiers (e.g., name, username, email address, phone number)
- Device information (e.g., IP address, browser type, device identifiers)
- Government-issued identification documents, including information extracted from your ID (e.g., photo, name, date of birth, ID number, expiration date)
- Biometric data (e.g., facial geometry)
We use this information to:
- Authenticate and/or verify your identity
- Authorize access to your account
- Detect, prevent, and investigate fraud or suspicious activity
- Perform facial comparison or liveness detection to confirm that you are the authorized account holder
- Maintain the security and integrity of our services
- Comply with legal obligations
We do not use biometric information for marketing, advertising, profiling for unrelated purposes, or sale.
Authentication and fraud prevention may involve automated systems that analyze risk signals associated with your login or activity and may result in an access decision. Where biometric verification is enabled, automated facial comparison technologies may be used as part of that process.
We retain personal information, including biometric information where applicable, only as long as reasonably necessary for security, fraud prevention, legal compliance, and operational purposes, after which it is securely deleted or de-identified in accordance with our retention policies.
Depending on your location, you may have rights regarding your personal information, including rights to access, correction, deletion, and restriction of certain processing activities. For more information about how we handle personal information and your applicable privacy rights, please review our Privacy Notice.
By selecting “Continue,” you acknowledge that you have read this notice and consent, where required by applicable law, to the collection and processing of your personal information, including biometric information, for the purposes stated herein.
Sample Privacy Notice Language
Sample Biometric Policy Language
For Informational Purposes Only – Not Legal Advice
This sample language is provided for informational purposes only and does not constitute legal advice. The applicability of other privacy, biometric, or identity document laws depends on an organization’s specific use case, configuration, jurisdiction, and role. Organizations are responsible for determining how laws apply to their deployment and should consult qualified legal counsel regarding compliance obligations.
Biometric Data Privacy Policy
Effective Date: [Insert Date]
Last Updated: [Insert Date]
This Biometric Data Privacy Policy (“Policy”) describes how [Company Name] (“Company,” “we,” “us,” or “our”) collects, uses, stores, safeguards, and deletes biometric identifiers and biometric information in connection with identity verification and fraud prevention activities. This Policy applies to individuals whose biometric data is collected through our identity verification processes.
1. Purpose
This Policy is intended to address applicable biometric privacy laws, including U.S. state biometric privacy laws, U.S. comprehensive privacy laws, the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable global privacy frameworks. Biometric data may be considered “special category” personal data under the GDPR/UK GDPR and “sensitive personal information” under certain U.S. state laws.
We collect and process biometric identifiers solely for legitimate business purposes, including:
- Identity verification, including during onboarding or account access
- Document authentication
- Fraud prevention and detection
- Protecting accounts and systems
- Compliance with legal and regulatory obligations
Biometric data is not sold, leased, traded, or otherwise profited from.
2. Categories of Biometric Data Collected
Depending on the services being used and configuration settings, we may collect and process the following biometric data:
- Facial geometry data extracted from a selfie and/or government-issued ID photo
- Biometric templates generated from facial images
- Facial similarity or match scores generated during 1:1 face comparison
- Liveness detection results to confirm a live human presence
- Confidence scores associated with biometric verification results
“Biometric information” means information based on a biometric identifier used to identify an individual. We do not use biometric data for surveillance, marketing, behavioral profiling unrelated to identity verification, or 1:many biometric identification searches across unrelated individuals.
3. Legal Basis and Consent
Where required by applicable law, we:
- Provide advance notice that biometric identifiers will be collected
- Process biometric data only where a valid lawful basis for special category data applies. Depending on the context, this may include explicit consent of the individual; substantial public interest (where applicable under law); establishment, exercise, or defense of legal claims; or compliance with legal obligations.
- Offer individuals the opportunity to decline biometric processing (where feasible and legally required)
Consent records are maintained in accordance with applicable legal requirements.
4. Retention Schedule
We retain biometric identifiers and biometric information only for as long as necessary to fulfill the purpose for which they were collected. Biometric images and derived templates are deleted promptly after completion of the identity verification process. In certain implementations, biometric data may be cached for a short operational period (e.g., up to 30 minutes) to complete processing. If retention is required for fraud investigation, legal compliance, audit, or dispute resolution purposes, biometric data may be retained for a defined period consistent with applicable law and business necessity.
Biometric identifiers will be permanently deleted when the original purpose for collection has been satisfied, or within the time period required by applicable law (e.g., no later than three years after the individual’s last interaction with the Company, where required by statute), whichever occurs first.
5. Safeguards and Security Measures
We implement reasonable administrative, technical, and physical safeguards designed to protect biometric data from unauthorized access, acquisition, disclosure, alteration, or destruction. Administrative safeguards may include role-based access controls, confidentiality obligations for personnel, vendor due diligence and contractual data protection obligations, and incident response and breach notification procedures.
Technical safeguards may include encryption in transit and at rest, secure API communications, network segmentation, access logging and monitoring, automated deletion workflows, and secure key management practices. Physical safeguards may include secure data center environments and access-controlled facilities. Biometric data is treated as sensitive data and subject to heightened protection controls.
6. Disclosure of Biometric Data
We do not disclose biometric identifiers except to service providers acting on our behalf under written agreements requiring confidentiality and data protection; as required by law, subpoena, court order, or other valid legal process; to detect, investigate, or prevent fraud or security incidents; or with the individual’s consent. We do not sell biometric data.
7. International Data Transfers
Where biometric data is transferred outside the country of collection (including transfers from the EU/UK to the United States or other jurisdictions), we implement appropriate safeguards as required by applicable law, which may include Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other approved transfer mechanisms. Individuals may request additional information regarding applicable transfer safeguards.
8. Individual Rights
Subject to applicable law, individuals may have the right to:
- Request access to personal information we maintain
- Request deletion of biometric data
- Withdraw consent (where consent is the legal basis for processing)
- Receive information about our data handling practices
Requests may be submitted to: [Insert Privacy Contact Email or Portal]
9. Updates to This Policy
We may update this Biometric Privacy Policy from time to time to reflect changes in technology, law, or business operations. Updates will be posted with a revised effective date. Where required by applicable law, material changes will be communicated in advance.
This guide is provided for informational purposes only and does not constitute legal advice. While Ping Identity provides features and configurations intended to support compliance with global privacy laws, the regulatory landscape is complex and varies by jurisdiction, specific use cases, configurations, and operational context. Customers are responsible for ensuring their specific configuration and data processing activities comply with all applicable laws.