Spain Fines Identity Tool Yoti €950,000 for Keeping User Data Too Long and Skipping Real Consent
Spain's AEPD issued a €950,000 GDPR penalty against digital ID firm Yoti on March 10, 2026, for unlawful biometric processing, pre-ticked consent boxes, and retaining facial templates and location data far beyond stated purposes.
VaultTools · March 11, 2026
Photo on Unsplash
Table of Contents
- What the AEPD found
- Three violations, one fine
- Consent by default is not consent
- How long is too long to keep data
- What this means for tools that handle personal files
- Sources
What the AEPD Found
On March 10, 2026, Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), published its resolution fining British digital identity company Yoti Ltd €950,000 for three separate GDPR violations. The investigation had opened in December 2023.
Yoti operates a Digital ID app used for age verification across more than 60% of GDPR-compliant sites in the United States and in multiple European markets. The app asks users to photograph a government ID document and take a selfie. Yoti’s system processes these to generate a facial biometric template, a reusable digital record of facial geometry stored on the company’s servers for future authentication.
The AEPD examined what Yoti did with that data after verification was complete.
Three Violations, One Fine
The €950,000 penalty breaks down across three GDPR provisions:
- €500,000 under Article 9 for unlawful processing of biometric special category data. Yoti argued that its facial templates only serve authentication and do not constitute biometric processing under GDPR. The AEPD rejected this, finding that stored templates enabling one-to-one matching during account operations satisfy all three criteria for special category status. No valid legal basis covered the processing.
- €200,000 under Article 7 for invalid consent. Yoti defaulted users into allowing their biometric data, including facial images, video recordings, and ethnicity estimates derived from the Fitzpatrick skin tone scale, to be used for internal research and algorithm improvement. Users had to actively untick a box to opt out. GDPR requires affirmative opt-in for special category data; a pre-ticked box does not meet that standard.
- €250,000 under Article 5.1(e) for retaining personal data beyond what the stated purposes require. Yoti kept geolocation data for five years despite needing it only at account creation. Fraudulent ID documents were stored for two years for software training. Liveness detection video recordings were held for 30 days. The authority found none of these retention periods were justified by the original processing purpose.
The AEPD ordered Yoti to demonstrate within six months that it processes biometric data on a valid legal basis, obtains GDPR-compliant consent, and retains data only as strictly necessary.
Yoti said it “rejects in the strongest possible terms” the decision and is appealing to the Spanish High Court.
Consent by Default Is Not Consent
The consent violation is technically straightforward but practically common. Yoti’s app allowed users to accept the privacy policy by tapping past the screen without reading it, and pre-checked a box agreeing to R&D use of biometric data.
Under GDPR Article 7, consent must be freely given, specific, informed, and unambiguous. For special category data, Article 9 adds the requirement that consent be explicit, meaning it cannot be inferred from inaction or embedded in a broader agreement. Pre-ticked boxes have been consistently rejected by European regulators since the EU Court of Justice’s 2019 Planet49 ruling. The AEPD cited EDPB Guidelines 05/2020, which state that consent obtained through pre-checked settings does not represent a genuine choice.
How Long Is Too Long to Keep Data
GDPR Article 5.1(e) requires data to be “kept in a form which permits identification of data subjects for no longer than is necessary.” Yoti’s retention practices failed this test on multiple fronts.
Geolocation data collected to determine which age-restriction rules apply to a user is relevant at the moment of verification. Keeping it for five years has no proportionate purpose. Similarly, training an AI model on fraudulent ID documents is a separate objective from verifying a user’s age. Storing those documents for two years for that purpose constitutes a new processing activity the original collection did not cover.
The case mirrors a pattern regulators across Europe have cited repeatedly: organizations collect data for a narrow purpose, then repurpose it for training, analytics, or product improvement without a fresh legal basis.
What This Means for Tools That Handle Personal Files
Yoti’s violations are structurally identical to risks that apply to any online tool that processes personal data. A tool that receives a file containing personal information, whether a government ID, a contract, a medical record, or any document with a name and face attached, can fall into the same categories under GDPR.
Retaining uploaded files beyond the session, using them for model training without explicit consent, and applying default opt-in settings for secondary data use are all practices that now have documented enforcement precedent, priced at €250,000 to €500,000 per violation.
Tools that process files entirely in the browser using WebAssembly are structurally exempt from these risks. No file reaches a server. There is no uploaded data to retain, no template to store, no training pipeline to disclose in a privacy policy, and no consent mechanism to get wrong. The Yoti fine shows the cost of getting these requirements wrong in regulatory terms. Local processing removes the question entirely.
Sources
- Spain Fines Age Verification Company Yoti €950,000 for Biometric Data Violations (State of Surveillance)
- Spain’s AEPD fines Yoti $1.1M for biometric data handling violations (Biometric Update)
- Spain fines Yoti €950,000 over biometric data and consent failures (PPC Land)
- Age verification firm fined for excessive data retention and invalid consent (AdGuard VPN Blog)
- Spain Fines ID Tool Yoti for Privacy Violations in Biometric ID App (Reclaim The Net)
- Spanish Data Protection Agency imposed a total fine of EUR 950,000 on Yoti (Digital Policy Alert)