Trust by Design: Innovating Biometric Privacy Solutions
Identity security has become essential to the infrastructure of modern business. Financial institutions process millions of facial recognition transactions daily. Healthcare systems rely on fingerprint scans to protect patient data. Government agencies deploy voice biometrics for public services that once required in-person verification. Biometric technology delivers clear value to businesses and consumers alike: faster transactions, reduced fraud, and user experiences that feel almost magical or sci-fi in their simplicity.
Unfortunately, this convenience comes with a paradox that keeps IT leaders awake at night. Leading CIOs, CTOs, and technology executives agree that while biometrics enhance security, they also introduce new privacy risks. The recent surge in biometric privacy litigation—from tech giants in Texas to Illinois courtrooms to European regulators—demonstrates that inadequate privacy protections can have costly consequences.
Forward-thinking organizations no longer question whether to adopt biometrics. Instead, they focus on how to deploy it responsibly and with integrity. As a global leader in identity verification, Daon stands at the forefront, demonstrating that advanced biometric security and rigorous privacy protection are not competing priorities.
Regulatory compliance is just the starting point. The real challenge (or opportunity) is engineering identity systems where privacy drives innovation instead of limiting it.
Privacy Concerns: The Trust Gap in Biometric Adoption
The numbers tell a sobering story about public confidence in biometrics. A Brookings study reveals that 70% of Americans harbor concerns about biometric misuse, while industry research from the Biometrics Institute identifies privacy worries as the primary barrier to market growth, cited by 58% of respondents. Perhaps most telling, it has been reported that “nearly 41% of survey respondents have little to no trust in companies’ ability to handle biometric data responsibly, citing concerns about data breaches, surveillance, and personal information misuse.”
This trust deficit isn’t abstract. It’s actively constraining business growth and innovation. Organizations that might otherwise benefit from biometric authentication find themselves caught between technological capability, consumer skepticism, and fear of lawsuits, unsure how to bridge the gap between what’s possible and what’s acceptable.
Regulators worldwide have responded with increasingly sophisticated frameworks designed to restore balance between innovation and individual rights. Illinois’s Biometric Information Privacy Act (BIPA) set the standard with requirements for written consent and a published retention-and-destruction schedule, backed by a private right of action that lets individuals sue for statutory damages. The European Union’s GDPR established comprehensive rights around consent, data portability, and deletion, and treats biometric data used to identify a person as a special category that needs explicit consent or another narrow legal basis. The California Consumer Privacy Act (CCPA), as amended by the CPRA, expanded user access and control mechanisms. Similar frameworks have emerged across Brazil (LGPD), Singapore (PDPA), and dozens of other jurisdictions.
Enforcement behind these laws carries real consequences. Cryptocurrency platform Coinbase currently faces allegations under BIPA for “failing to obtain written consent before capturing face biometrics from people applying for new accounts,” according to BiometricUpdate. Unfortunately, the vague language in some of these regulations has also enabled opportunistic litigation, where plaintiffs pursue cases based on technical violations rather than actual privacy harm. This legal uncertainty makes demonstrable compliance even more critical: organizations need systems whose consent records, retention schedules, and deletion logs can withstand scrutiny from both legitimate privacy advocates and opportunistic litigants.
The current regulatory landscape might appear daunting to organizations considering biometric deployment. The requirements vary significantly across jurisdictions, creating complex compliance matrices for any company operating internationally. At Daon, this patchwork of rules isn’t a hindrance. It’s a blueprint for building systems that can thrive in any regulatory environment while earning genuine user trust.
Biometric Privacy as a Competitive Advantage
Most organizations approach biometric privacy regulations as obstacles to navigate rather than opportunities to seize. This defensive mindset turns compliance into a cost center that slows deployment and constrains innovation.
Daon takes the opposite approach. Navigating a maze of biometric privacy laws across Illinois, California, the EU, and beyond can be overwhelming. That’s why Daon’s platforms are built to adapt, giving our customers the confidence to scale identity systems across borders without reengineering for every new regulation.
This philosophy converts privacy regulations from compliance burdens into growth opportunities. When privacy protections become architectural features rather than legal afterthoughts, organizations can deploy faster, scale more confidently, and differentiate themselves in markets where trust has become a scarce commodity.
Our approach centers on three core principles that make compliance automatic rather than cumbersome. Data minimization ensures systems collect only the information necessary for authentication, reducing both privacy risks and storage costs. Encryption of stored biometric templates, with the keys held apart from the template store, means a stolen copy of the database is useless to an attacker on its own. Explicit and revocable consent puts users in control of their data, requiring permission before any capture and allowing them to withdraw that permission and have their information deleted at any time.
These capabilities translate directly into business advantages. Using Daon’s platforms, organizations can pursue global expansion without hiring armies of compliance specialists for each jurisdiction. Time-to-market accelerates because privacy protections are built in rather than bolted on. Partnership and contract negotiations proceed from positions of strength, with concrete privacy safeguards rather than vague promises about good intentions.
In markets where 41% of consumers distrust biometric data handlers, privacy-first design becomes a powerful differentiator. Companies can market their services based on user control and transparency in addition to functionality and convenience.
For Daon’s clients, this system translates into shorter deployment cycles, fewer legal roadblocks, and scalable trust across diverse markets. Compliance with privacy regulations becomes a growth accelerator rather than a growth impediment, enabling organizations to capture the full business value of biometric authentication while building sustainable customer relationships.
Translating Trust
The most intricate privacy architecture means nothing if users can’t understand or control it. Whether you’re a financial institution in Chicago or a telco in Spain, customers today want the same thing before consenting to biometric security: to know how their biometric data is used, who can access it, and how they can opt out.
Traditional approaches to privacy communication often hide behind legal jargon and technical complexity. Users encounter dense privacy policies filled with terms like “legitimate interest” and “data processing activities” that obscure rather than clarify how their information gets used. This strategy reduces user consent to a checkbox exercise where people agree to terms they don’t understand, creating the illusion of consent without the substance of informed choice.
Daon takes a fundamentally different tack, translating complex technical safeguards into clear, actionable information and then designing user interfaces that make privacy controls visible and accessible. Instead of burying data management options in settings menus, the system presents clear choices at the point of enrollment. Users see exactly what biometric information gets collected, how it will be used for authentication, and who within the organization can access it. Granular permissions allow individuals to approve specific uses while declining others, giving them genuine control over their digital identity.
The system maintains clear audit trails that users can access and understand. Rather than technical logs filled with system codes, customers receive plain-language summaries of when their biometric data was used, for what purpose, and by which applications. If someone accesses their account using facial recognition on Tuesday morning, they can see that activity described in clear, easy-to-understand terms.
This transparency extends beyond individual transactions to broader data governance. Users can view how long their biometric templates will be stored, what happens to their data if they close their account, and how the organization handles requests from law enforcement or other third parties. They receive clear explanations of their rights under applicable privacy laws, presented as actionable options rather than abstract legal concepts.
The messaging deliberately avoids compliance-speak that emphasizes organizational obligations. Instead of saying “we follow GDPR,” Daon’s approach communicates to users that, “you own your identity, no matter where you live.” This reframing puts users at the center of the privacy equation, positioning data protection as a service benefit rather than a regulatory requirement.
This human-centered approach reassures both ends of the relationship chain. Enterprises gain customer trust and reduce support burden because users understand how their systems work. Customers feel confident engaging with biometric services because they maintain meaningful control over their personal information. The result is sustainable adoption through informed consent, not users simply giving up on privacy protection for the sake of authentication.
Building Privacy Architecture for Biometrics
Successfully deployed biometric authentication requires addressing a simple but profound reality: you can’t change your face like a password. This permanence creates legitimate concerns about what happens if biometric data falls into the wrong hands—fears that are often amplified by misconceptions about how quality biometric systems actually work.
The common fear is that any biometric breach equals permanent compromise across all future systems. That is true of implementations that store raw images or recordings, or that keep templates in a form that can be inverted. Enterprise-grade systems take a fundamentally different approach: they convert biological characteristics into templates (compact mathematical feature representations), protect those templates so that they cannot be turned back into a usable face, fingerprint, or voice, and encrypt them at rest so that a stolen copy is meaningless without the keys.
Understanding this distinction is crucial. Legitimate privacy concerns exist around low-quality providers, or “lazy biometrics”, but well-engineered systems like Daon’s are specifically designed to make template theft ineffective through multiple layers of technical and architectural safeguards. The benchmark to ask any vendor about is ISO/IEC 24745, the standard for biometric information protection, which requires stored references to be irreversible (they cannot be inverted to recover the biometric), unlinkable (references enrolled in two systems cannot be matched to each other), and renewable (a compromised reference can be replaced with a fresh one, which matters precisely because the user has no new face to offer).
At Daon, this challenge is addressed through multilayered technical controls that transform raw biometric data into material that is unusable for anyone except our authorized authentication systems. The process begins with feature extraction that converts facial scans, fingerprints, or voice patterns into templates: mathematical representations that bear no visual or audible resemblance to the original characteristics. These templates contain just enough data points to enable reliable matching against live biometric input. One caveat practitioners should keep in mind: an unprotected template, a plain feature vector, is not automatically irreversible, since approximate reconstruction of the source from some template formats has been demonstrated in research. The irreversibility claim therefore rests on the template-protection scheme (for example cancelable transforms or matching over encrypted data) and the key handling around it, not on the fact that a template “looks like numbers.”
Robust encryption adds further protection, ensuring that even someone who obtains the template store acquires only authenticated ciphertext rather than usable identity data. Templates are encrypted both in storage and in transit with standard, well-reviewed primitives (authenticated encryption such as AES-GCM at rest, TLS on the wire). Two practical checks matter more than the cipher’s nominal strength: the keys must live outside the template store, in a hardware security module or key management service, so that a database dump does not come with the means to decrypt it; and each record should have its own data key, so that a single compromised key exposes one template rather than all of them. This methodology treats biometric data with the same security rigor typically reserved for an organization’s most valuable intellectual property.
The system architecture deliberately avoids creating centralized honeypots that could become attractive targets for fraudsters. Instead of holding all biometric templates in one central database, Daon explores decentralized storage models that distribute encrypted fragments across multiple secure locations. Biometric data is stored separately from customers’ personally identifiable information, so an attacker who reaches the template store cannot tie a template to a person. For that separation to be real rather than cosmetic, the identifier that joins the two stores must itself be a secret-keyed pseudonym rather than the account number; otherwise two leaked tables can simply be joined. Even a successful breach of one storage node would then yield only partial, unusable data fragments with no way to identify whose biometrics they represent.
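As an added illustration of the split-store pattern just described (example code written for this article, not Daon’s implementation), the Go program below keeps encrypted templates under keyed pseudonyms, wraps each record’s data key under a key-encryption key that stands in for one held in an HSM or KMS, and implements the consent withdrawal and deletion promised earlier as key destruction, so that even a stale backup of the ciphertext becomes unrecoverable. The store layout, the function names, the account identifier, and the placeholder template bytes are all assumptions made for the example; the constant-time equality check stands in for a real biometric matcher, which scores similarity rather than testing for identical bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Example code, not Daon's: per-record data keys, a KEK held outside the template
// store, HMAC pseudonyms as record IDs and key destruction on consent withdrawal are assumptions.
var kek = mustRandom(32)          // stands in for a key kept in an HSM/KMS
var pseudonymKey = mustRandom(32) // the only link between account IDs and records
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// pseudonym is the opaque record ID; without pseudonymKey a template-store dump cannot be joined to PII.
func pseudonym(accountID string) string {
	m := hmac.New(sha256.New, pseudonymKey)
	m.Write([]byte(accountID))
	return string(m.Sum(nil))
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are fixed 32-byte values, so this is a programming error
	}
	g, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	return g
}
// seal returns nonce || ciphertext || tag; the record ID is bound in as AAD.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}
// Store keeps sealed templates under pseudonyms only and holds the wrapped data
// keys apart, so destroying a key makes every copy of its ciphertext useless.
type Store struct {
	Templates, Keys map[string][]byte // pseudonym -> sealed template / wrapped DEK
}
func NewStore() *Store {
	return &Store{map[string][]byte{}, map[string][]byte{}}
}
func (s *Store) Enroll(accountID string, template []byte) {
	p, dek := pseudonym(accountID), mustRandom(32)
	s.Templates[p] = seal(dek, template, []byte(p))
	s.Keys[p] = seal(kek, dek, []byte(p))
}
// Verify unwraps the record's data key and compares the probe; constant-time
// equality stands in for a real similarity-score matcher.
func (s *Store) Verify(accountID string, probe []byte) (bool, error) {
	p := pseudonym(accountID)
	sealed, wrapped := s.Templates[p], s.Keys[p]
	if sealed == nil {
		return false, errors.New("no enrollment")
	}
	if wrapped == nil {
		return false, errors.New("data key destroyed")
	}
	dek, err := unseal(kek, wrapped, []byte(p))
	if err != nil {
		return false, err
	}
	tmpl, err := unseal(dek, sealed, []byte(p))
	if err != nil {
		return false, err
	}
	return hmac.Equal(tmpl, probe), nil
}
// Revoke honours a consent withdrawal: the key goes first, so a stale backup of the ciphertext is useless.
func (s *Store) Revoke(accountID string) {
	p := pseudonym(accountID)
	delete(s.Keys, p)
	delete(s.Templates, p)
}

func main() {
	s := NewStore()
	tmpl := []byte("constructed template bytes") // stands in for a feature vector
	s.Enroll("acct-1001", tmpl)
	fmt.Println(s.Verify("acct-1001", tmpl)) // true <nil>
	s.Revoke("acct-1001")
	fmt.Println(s.Verify("acct-1001", tmpl)) // false no enrollment
}
```

Run it with `go run`. The property worth noticing is the order inside Revoke: the wrapped key is deleted before the record, so a copy of Templates taken before revocation can only ever produce “data key destroyed” afterwards. That is what makes a deletion request defensible when backups and replicas exist, and it is the same mechanism that lets the pseudonym key, rather than the account number, be the only bridge between biometric data and personal data.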
The rise of artificial intelligence presents new authentication challenges. Deepfake technology can now generate convincing facial images and voice recordings, while AI agents increasingly interact with systems originally designed for humans. Daon’s liveness detection technology specifically addresses these threats, using behavioral analysis and multiple verification factors to distinguish authentic human presence from synthetic reproductions or automated systems. Liveness claims are testable: ISO/IEC 30107-3 defines how presentation attack detection is evaluated and reported, and a vendor’s results against that standard are the evidence a buyer should ask for.
Perhaps most importantly, Daon’s privacy architecture embraces “no phone home” principles: the biometric components do not track user behavior or report authentication events to the vendor or to any outside monitoring service. This is compatible with the user-facing audit trail described earlier, which is held by the deploying organization for its own users rather than reported outward; the difference is easy to verify in any SDK review by checking which network endpoints the component actually contacts. This approach addresses growing surveillance concerns while maintaining the security benefits of biometric authentication. Users can authenticate themselves without creating digital breadcrumbs that could be aggregated into comprehensive behavioral profiles, preserving both security and privacy in a heavily monitored digital environment.
Scaling Biometric Privacy, Accelerating Growth
Daon’s privacy-first architecture delivers measurable business advantages that transcend regulatory compliance. The platform’s built-in support for diverse privacy frameworks—from GDPR’s consent and data portability requirements in the EU to BIPA’s written notice and strict retention mandates in Illinois, plus CCPA/CPRA user access controls in California and similar protections under Brazil’s LGPD and Singapore’s PDPA—eliminates the need for costly reengineering as organizations expand across jurisdictions.
Consider a scenario where a major European telecommunications provider is launching biometric customer authentication across multiple EU markets. By leveraging Daon’s GDPR-ready features, such an organization could achieve rapid deployment without hiring additional compliance specialists or modifying core system architecture for each country. The unified privacy framework would enable consistent user experiences while meeting diverse national implementations of European data protection law.
Similarly, imagine a U.S. financial institution expanding operations from its California base into other states, Illinois among them, where BIPA applies. With Daon’s embedded BIPA compliance, the institution could avoid the complex legal engineering that typically accompanies cross-state biometric deployments. Instead of building separate authentication systems for different regulatory environments, the institution could deploy a single platform that automatically adapts to local privacy requirements.
These hypothetical use cases demonstrate how privacy-by-design translates into strategic benefits. Organizations achieve faster time-to-market because compliance verification becomes automatic rather than iterative. They avoid the legal roadblocks that often derail biometric projects when privacy considerations emerge late in development cycles. Above all, they build genuine customer trust by demonstrating concrete privacy protections rather than making abstract promises about data security.
The result is scalable growth that strengthens privacy commitments, allowing organizations to capture the full business value of biometric authentication while building sustainable relationships with privacy-conscious customers.
Biometric Privacy is the Foundation, Not the Fine Print
Biometric authentication offers organizations an unprecedented opportunity to deliver stronger security and superior user experiences if they can earn the trust required to make adoption sustainable. The technology’s potential to streamline user experiences and enhance security systems can only be realized when organizations treat privacy as an architectural foundation rather than a compliance afterthought.
The trust challenges biometric adoption faces stem directly from implementations that prioritize cost or convenience over user control. Organizations viewing privacy regulations as obstacles miss the fundamental shift occurring in digital identity markets, where transparency and user agency determine competitive edge.
Establishing a privacy-first innovation model demonstrates that advanced security and rigorous privacy protection aren’t competing priorities but complementary requirements for sustainable biometric deployment. By embedding data minimization, encryption, and user control into core system architecture, organizations can earn both regulatory confidence and genuine user trust while capturing the full business value of biometric authentication.
Moving beyond surface-level compliance requires a fundamental commitment to user sovereignty over personal data, implemented through systems that make privacy controls accessible and meaningful rather than buried in legal documentation. Responsible implementation remains a choice. Your identity belongs to you. Daon makes sure it stays that way, transforming privacy from a constraint into a market advantage that enables innovation.