Securing the privacy of users

As life becomes digital, guaranteeing data privacy is a growing concern both to users and companies. Almost every country has enacted regulation to protect the personal data shared by users with their service providers. With B-FY’s biometric authentication solution all data remains always under the user’s control, thus preventing risks of data breaches.

For most companies, 83% of them according to IBM’s Cost of a data breach 2022 report, the matter is not if a data breach will occur, but when. The global average total cost of a data breach rounds 4.35 million USD, and when talking about the US, a data breach costs over twice the global average, to reach 9.44 million USD, according to the same report.

For companies, secure identification and authentication processes are essential in the enrollment of new customers and employees, as well as in the provision of services.

Thus, biometric technology identity authentication is rapidly becoming the solution of choice, although there are some fundamental questions companies must ask themselves before addressing any project involving biometric data.

For users, keeping their data private is also a major concern. About 74% of internet users in the US are more concerned with their online privacy than they’ve ever been and 79% of internet users around the world feel they have completely lost control over their personal data.

Also in the consumer front, the KPMG research Corporate data responsibility: Bridging the consumer trust gap reports that some 47% of the respondents said they’re concerned about the possibility of their data being hacked, while 51% were worried about it being sold.

Thus, as life is increasingly becoming digital, the matter of securing users’ data is not only an economic issue, but a matter of trust. That of users on how companies that collect their personal information may use or secure it.

Regulation around the world

In the last years, almost every country in the world has issued some kind of regulation to protect the privacy of data. These laws drill on how information is collected, how data subjects are informed, and what control a data subject has over their information once it is transferred.


The European Union General data Protection Regulation (GDPR), which came into force in 2016, has become an international standard regarding data protection, with many countries turning to it when dealing with data protection issues.

It is a comprehensive law on the privacy and protection of the data of natural persons that applies to

  • Companies established in the European Union (EU) or in the European Economic Area (EEA).
  • Companies that are located outside the European Union or the European Economic Area and provide services to European citizens who are in the EU or the EEA.
  • Companies that are located outside the EU or EEA and provide services to other companies that process data of EU or EEA citizens.
  • Companies whose activity consists of the observation of the behavior of the interested parties that takes place in the EU or in the EEA.

It defines personal data as any numerical, alphabetical, graphic, photographic, acoustic or any other type of information concerning identified or identifiable natural persons.

Therefore, the GDPR establishes the specific requirements on the collection, storage and management of personal data of natural persons living inside and outside the European Union and is mandatory in all 27 EU member states. Within the EU it protects around 500 million people, including EU citizens and long-term residents.

US doesn’t have a singular law that covers all matters referred to data privacy.
US doesn’t have a singular law that covers all matters referred to data privacy.


Surprisingly, the US doesn’t have a singular law that covers all matters referred to data privacy. It has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.

Nevertheless, steps are being taken and On July 20, 2022, the House Energy and Commerce Committee approved the proposed American Data Privacy and Protection Act (ADPPA). If enacted into law the bill would create national standards and protections for personal information collected by companies.

Currently, only five states in the US have different complete consumer privacy laws: California (CCPA and its amendment, CPRA), Virginia (VCDPA), and Colorado (ColoPA), Connecticut (CTDPA), Utah (UCPA),. These laws protect only to people who live in these states, regardless of where the service provider that collets the data is located.

Regarding specifically biometric data, Illinois’ Biometric Information Privacy Act (BIPA) is considered as the strictest biometrics legislation in the world, and is serving as model for other privacy regulations.

Latin America

Habeas Data, that is “the right of individuals to access, update, rectify, and delete personal data collected by third parties and stored in databases”, is considered a constitutional right in most Latin American countries.

According to an extensive article published by Data Pop Alliance on the state of data protection in Latin America, 65% of these countries have explicit provisions in their constitutions regarding personal data protection, habeas data, and privacy.


The country deserves a special mention. The legal framework for data protection is found in the Mexican Constitution on article 6 and 16. In 2009 an amendment to the Constitution recognized the protection of personal data as a fundamental right.

In 2010 the Federal Law for the Protection of Personal Data in Possession of Private Parties (the Private Data Protection Law), came into force, followed by the Regulations of the Private Data Protection Law on 22 December 2011.

The Private Data Protection Law sets the principles and minimum standards to be followed by all private parties when processing any personal data. However, it recognizes that standards for implementing data protection may vary depending on the industry.

According to Héctor E. Guzmán-Rodríguez, Data protection and privacy partner, BGBG, Mexico will follow on the steps of the EU GDPR:

 “The European data protection principles have a big influence on the Mexican data protection legal framework, and it is important to note that since October 2018 Mexico has been part of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) as a non-member of the Council of Europe”.

B-FY compliant with data protection

As we have seen the GDPR is regarded as a standard when it comes to data protection, including biometric data.

One of the pillars on which this company is based is protecting people against fraud and protecting their identity. B-FY’s identification protocol has been designed in accordance with European data privacy directives, taking the utmost care of the user’s privacy and that of the company.

By using the B-FY system to identify their users, our clients integrate our service through a library into their application. B-FY does not collect or store biometric data from the users.

To verify the user’s identity, B-FY only needs their email and phone number, so that the device is associated with a single person. The registration data (phone and email) are stored in a database, which is in a sealed network only accessible from the B-FY platform itself.

The user's biometric factor is associated with the device that the user has registered as theirs, and their data is always under their control and custody.

With the signing of a Data Processing Contract (DPA) it is established that our client is the Responsible for the Treatment of the data collected (email and telephone number of the user), and B-FY the Treatment Manager, who will use said data only for the identification process. In the same DPA it is specified that the conservation of the data is linked to the duration of the service provision contract, being eliminated at the end of this (except for legal reasons that oblige this period to be extended).

B-FY will only communicate the personal data of users, if applicable, to the competent public administrations, in the cases provided for in the Law and for the purposes defined therein, and to providers of essential services for the provision of service (for more information consult the privacy policy) And, in compliance GDPR regulations, our clients must specify in their Privacy Policy addressed to the end user that there is a transfer of data to B-FY to identify them.

In addition, in compliance with the GDPR regulations, our clients must specify in their Privacy Policy that there is a transfer of data to B-FY in order to identify them.

Do you want to know more? Ask for a free demo