A practical step-by-step guide to requesting deletion of your biometric data from identity verification providers, covering GDPR, CCPA, and BIPA rights with provider-specific instructions and response times.
Identity verification has become a routine part of opening a bank account, signing up for a fintech app, renting an apartment, or starting a new job. Each time you complete a verification, you typically submit a government-issued ID photo and a live selfie or video. The biometric data extracted from these submissions, including facial geometry, liveness signatures, and in some cases iris or fingerprint templates, is processed and often stored by the identity verification provider.
Many consumers do not realize they have the legal right to request deletion of this biometric data after verification is complete. This guide explains the five most effective methods for requesting biometric data removal, the legal frameworks that support your request, and how to navigate the process with specific providers.
Before requesting deletion, it helps to understand which legal frameworks apply to your situation, as the framework determines the strength of your request and the provider's obligations.
The General Data Protection Regulation (GDPR) applies to anyone whose data is processed by organizations operating in the European Economic Area, or to anyone in the EEA regardless of where the processor is based. Article 17 establishes the right to erasure, commonly called the right to be forgotten. Once the purpose for which biometric data was collected has been fulfilled, and no overriding legal retention obligation exists, you have the right to demand permanent deletion.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents the right to request deletion of personal information, including biometric data. The law defines biometric information explicitly as a category of sensitive personal information subject to heightened protections.
The Illinois Biometric Information Privacy Act (BIPA) is the strongest biometric-specific privacy law in the United States. BIPA requires organizations to obtain informed written consent before collecting biometric data, to publish a publicly available data retention policy, and to destroy biometric data when the purpose for collection has been fulfilled or within three years of the individual's last interaction with the organization, whichever comes first. BIPA provides a private right of action, meaning individuals can sue directly for violations without waiting for a government enforcement action.
Texas, Washington, Colorado, Virginia, and several other states have enacted their own biometric or comprehensive privacy laws with varying deletion rights. The trend across all jurisdictions is toward stronger consumer control over biometric data.
| Provider | Data Retention Policy | Deletion Method | Typical Response Time |
|---|---|---|---|
| deepidv | Biometric data deleted after verification unless client requires retention; configurable retention periods | Admin console self-serve deletion or email privacy@deepidv.com | Within 24 hours for self-serve, 5 business days for email requests |
| Jumio | Retained per client configuration, default retention varies | Email privacy@jumio.com or submit DSAR via website | 30 calendar days |
| Sumsub | Configurable by client, default 1-3 years | Email dpo@sumsub.com or submit request via dashboard | 30 calendar days |
| Veriff | Default retention 1 year for session data, 3 years for verification data | Email privacy@veriff.com or use online DSAR form | 30 calendar days |
| Onfido (Entrust) | Retained per client agreement, typically 30 days to 7 years | Email privacy@onfido.com or submit subject access request | 30 calendar days |
| Persona | Client-configurable retention | Email privacy@withpersona.com | 30 calendar days |
| iProov | Biometric templates deleted after verification by default | Email dpo@iproov.com | 30 calendar days |
| Au10tix | Announced shift to immediate deletion after verification | Email privacy@au10tix.com | 30 calendar days |
The fastest and most reliable way to delete your biometric data is through the provider's own administrative tools, if available. deepidv offers a self-serve data deletion function directly within the admin console. Clients who verified your identity through deepidv can process your deletion request through their dashboard, and the biometric data is permanently purged within 24 hours. If you verified your identity through a company that uses deepidv, you can also email privacy@deepidv.com directly with your full name, the approximate date of verification, and the name of the company you were verifying with. The deepidv privacy team processes these requests within five business days.
Most other providers do not offer self-serve deletion tools to end users. When self-serve is not available, you will need to use one of the following methods.
Under GDPR, CCPA, and most state privacy laws, you have the right to submit a formal request for data deletion. This is called a Data Subject Access Request (DSAR) under GDPR or a Consumer Deletion Request under CCPA. A proper DSAR should include your full legal name, any email addresses or phone numbers associated with the verification, the approximate date of the verification, a clear statement that you are requesting deletion of all biometric data including facial geometry templates, liveness check data, and any stored selfie or video images, and a reference to the specific legal basis for your request (GDPR Article 17, CCPA Section 1798.105, or your applicable state law).
Send this request to the provider's designated privacy email address listed in the table above. Under GDPR, the provider must respond within 30 calendar days. Under CCPA, the deadline is 45 business days with a possible 45-day extension. Keep a copy of your request and any confirmation you receive. If the provider fails to respond within the statutory deadline, you have grounds for a regulatory complaint.
If you are an Illinois resident, BIPA gives you the strongest available protections. BIPA requires that the organization collecting your biometric data must have obtained your informed written consent before collection, must have a publicly available retention and destruction policy, and must destroy the data when the initial purpose has been fulfilled or within three years. If a provider collected your biometric data without informed written consent, or has retained it beyond the permitted period, you can send a BIPA-specific deletion demand referencing 740 ILCS 14/15. If the provider does not comply, BIPA's private right of action allows you to pursue statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation.
In many cases, you did not interact with the identity verification provider directly. You verified your identity through a fintech app, a bank, an employer, or a landlord that uses a third-party verification provider behind the scenes. You may not even know which provider processed your biometric data. In this situation, contact the company that asked you to verify your identity and request that they delete your biometric data from their verification provider. Under GDPR, the company that collected your data (the data controller) is obligated to ensure their processors (the verification provider) also delete the data. Under CCPA, businesses must pass your deletion request to their service providers.
If the company is uncooperative, ask them to identify which verification provider they use. Once you know the provider, submit a direct DSAR using Method 2. Companies using deepidv's identity verification can process deletion requests directly through their admin console, making this process significantly faster than providers that require manual email-based requests.
If a provider fails to respond to your deletion request within the statutory deadline, or refuses to delete your data without a valid legal basis for retention, you can escalate to the relevant regulatory authority. Under GDPR, file a complaint with your national data protection authority (the ICO in the UK, CNIL in France, BfDI in Germany, or the relevant supervisory authority in your EU member state). Under CCPA, file a complaint with the California Attorney General's office. Under BIPA, consult with an attorney about filing a private action, as BIPA does not rely on government enforcement.
Regulatory complaints are a last resort, but they are effective. Data protection authorities have fined organizations millions of euros for failing to honor deletion requests, and the threat of regulatory scrutiny alone often motivates rapid compliance.
When completing identity verification in the future, ask the requesting company which verification provider they use and what the data retention policy is before you submit your biometric data. Look for providers like deepidv that offer configurable retention periods and self-serve deletion, as these give you the most control over your personal information. Bookmark the privacy email addresses of providers you have verified with, so you can submit deletion requests efficiently once the verification purpose has been fulfilled.
Your biometric data is uniquely personal and, unlike a password, cannot be changed if compromised. Taking proactive steps to minimize its retention across third-party systems is one of the most impactful privacy practices available. Learn more about how deepidv handles biometric data or explore the platform.
Go live in minutes. No sandbox required, no hidden fees.
AI agents are making financial decisions, signing contracts, and moving money — but no one can verify who deployed them. The UAIIP protocol creates the first human-to-agent identity trust chain.
An architecture-first buyer's guide to reusable digital identity in 2026: W3C VCs, DIDs, mDL, EUDIW, and the relying-party readiness gap. A three-tier evaluation framework for vendors entering the wallet era.
As remote and hybrid learning become permanent fixtures, educational institutions face a growing challenge: how do you verify that students are who they say they are?
