Facial recognition and European law: what really changes for companies and creatives.

Gianpaolo Todisco - Partner

Facial recognition has become part of our daily lives almost without us realizing it. We unlock our smartphones with our faces, pass through biometric gates at some airports, and attend events where smart cameras analyze foot traffic and attendance. In retail and experiential marketing, facial recognition systems promise to “read” emotions, personalize content, and enhance engagement with the brand.

But when technology recognizes a face, it isn’t simply “looking”; it is processing biometric data. And in Europe, this radically changes the legal landscape.

With the adoption of the AI Act, the European Union has made a clear choice: biometrics is a high-risk area and must be strictly regulated. This is complemented by the existing General Data Protection Regulation, which places biometric data among the “special categories” deserving of enhanced protection.

For businesses, brands, creative agencies, and cultural organizations, the issue is not merely theoretical. It is practical. And strategic.

Many companies view facial recognition as an innovative tool: automated VIP access, exclusive events, immersive retail experiences, and advanced profiling. In some cases, these solutions are integrated into security systems; in others, they serve as advanced marketing tools.

The point is that, legally speaking, we are not talking about ordinary software, but about a system that processes information capable of uniquely identifying an individual.

In fact, the GDPR classifies biometric data used for identification as “sensitive” data. This means that processing such data is prohibited, except in very limited circumstances. Consent, for example, must be genuinely free, specific, and informed. And in a public or commercial context, the freedom to give consent is often questionable.

The AI Act adds another layer: it classifies remote biometric identification systems as prohibited (in some cases) or “high-risk” (in most applications). And a high-risk system entails specific requirements: documented risk management, human oversight, strict data governance, traceability, technical controls, and CE marking.

This is no longer an IT issue. It is a matter of corporate governance.

In the creative world, the issue takes on an additional dimension.

Consider audiovisual production, photography, and global advertising campaigns. Today, there are systems that can automatically recognize faces in content, cross-reference them with databases, and analyze emotional reactions while people are watching a commercial.

Or consider the issue of datasets: images published online, artistic photographs, and editorial content that is “scraped” and used to train facial recognition systems or artificial intelligence models.

At least four layers of protection are intertwined here:

  • data protection,

  • image rights,

  • copyright,

  • contractual liability.

A photographer could find themselves facing unauthorized use of their work for biometric purposes. A brand could be involved in a dispute for using a facial recognition system during an event without adequate disclosure. A platform could be held accountable for the use of opaque biometric databases.

Technology is advancing rapidly. Legal risks are on the rise.

The penalties are substantial: the GDPR allows for fines of up to 4% of global annual revenue, while the AI Act can impose fines of up to 7% in the most serious cases. For multinational luxury or entertainment groups, the financial impact can be significant.

But in the creative sector, the damage to a brand’s reputation can be even more severe. Consumers are increasingly concerned about privacy, digital ethics, and the responsible use of AI. A brand perceived as intrusive or lacking transparency risks undermining its value proposition.

And today, brand value is, first and foremost, trust. This does not mean that facial recognition should be ruled out entirely. It means that it must be thoroughly evaluated.

What is needed is:

  • a preventive audit of the systems in place;

  • an in-depth data protection impact assessment (DPIA);

  • a clear division of roles and responsibilities among the data controller, data processor, and AI provider;

  • specific contractual clauses;

  • a thorough analysis of the proportionality between the objective pursued and the intrusiveness of the tool.

Above all, an informed decision is needed: is the technology consistent with the brand’s positioning? Is it necessary, or merely “suggestive”?

Europe has adopted a regulatory model that prioritizes the protection of fundamental rights over technological deregulation. This choice has a profound impact on how companies can innovate.

For companies and creatives, facial recognition is not just a technological opportunity: it is a test of their legal maturity and cultural responsibility.

In the new digital ecosystem, innovation cannot be separated from compliance. And compliance, if managed effectively, can become a competitive advantage.

Because in today's market, true innovation is innovation that adheres to the rules without compromising on vision.
