TL;DR:
- Spain's data protection authority (AEPD) fined Yoti €950,000 for three separate GDPR violations in its Digital ID app
- €500,000 for unlawful biometric processing: The regulator rejected Yoti's claim that facial scans were "just for authentication"
- €200,000 for invalid consent: Users could click past the privacy policy without reading it. Consent for "research and development" was pre-checked.
- €250,000 for excessive data retention: Geolocation data stored for five years. Video recordings kept for 30 days. Fraudulent IDs retained for software training.
- Yoti is appealing to Spain's High Court, calling the decision "disproportionate"
- Investigation started December 2023 but Yoti claims they were "never notified" they were under investigation
The Fine Breakdown
Spain's Agencia Española de Protección de Datos (AEPD) published its decision on March 10, 2026, after a two-year investigation. The total: €950,000 (about $1.1 million).
Here's what each violation cost:
- Article 9 (unlawful biometric processing): €500,000
- Article 5.1(e) (excessive data retention): €250,000
- Article 7 (invalid consent): €200,000
The AEPD gave Yoti six months to prove its biometric data handling complies with GDPR. The clock is ticking.
The Biometric Problem
Yoti's defense was simple: when users upload ID documents and take selfies for verification, the biometric data only serves "authentication purposes." The AEPD disagreed.
Under GDPR, biometric data processed for identification is "special category data" requiring explicit consent and legitimate justification. The regulator determined Yoti's processing went beyond mere authentication: it "uniquely identifies" users.
The distinction matters. Authentication says "is this the same person?" Identification says "who is this person?" Yoti wanted the former classification. The regulator gave them the latter, and the harsher rules that come with it.
Skip the Privacy Policy, Give Consent Anyway
Yoti's app let users click through the privacy policy screen without actually opening the policy. You could consent without reading what you consented to.
Worse: the app defaulted to "consent" for using biometric data in research and development activities. No affirmative opt-in required. Just a pre-checked box.
Under GDPR, consent must be "freely given, specific, informed and unambiguous." A pre-checked box isn't unambiguous. A skippable privacy policy isn't informed.
Five Years of Your Location
The data retention findings were damning:
- Geolocation data: Kept for five years. Yoti uses location to determine which country's age restrictions apply. But five years? That's far longer than most jurisdictions require.
- Video recordings from liveness detection: Stored for 30 days. When you blink or turn your head to prove you're not a photo, Yoti keeps that recording.
- Fraudulent ID documents: Retained indefinitely to "train software." Every fake ID submitted becomes training data.
- Biometric templates for account recovery: The AEPD deemed this "disproportionate" given the risks.
None of this data was necessary for verifying ages. But they kept it anyway.
Yoti's Response: We'll See You in Court
Yoti isn't backing down. In a blog post, the company "rejects in the strongest possible terms the decision of the AEPD" and announced an appeal to Spain's High Court.
The company emphasized that "no personal data of any app user has been breached or compromised." True, but beside the point. The violations were about lawful collection and processing, not security.
Yoti also claims it was "never notified" of the investigation despite "fully cooperating with information requests." The AEPD opened the investigation in December 2023, two years before the decision.
The findings apply only to Yoti's Digital ID app, not its broader age estimation or verification services used by companies like TikTok and Entain.
The Bigger Picture
Age verification companies occupy a strange space. Governments mandate their use while barely regulating how they handle the data they collect.
The UK's Online Safety Act pushes platforms toward age verification. The US has 25 states considering or implementing similar requirements. Every mandate means more faces, more IDs, more biometrics flowing to companies like Yoti.
Spain's fine signals that GDPR applies to these companies, even when they're doing what governments tell them to. The €950,000 is a rounding error for Yoti's investors, but the precedent matters. The AEPD rejected the "we're just verifying ages" defense.
Other regulators may follow. The UK's ICO has been investigating age verification practices. France's CNIL has expressed concerns about biometric processing. This fine won't be the last.
What This Means for You
If you've used Yoti's Digital ID app:
- Under GDPR, you can request data deletion. File an erasure request (the right to be forgotten) asking them to delete your biometric data and verification records.
- Check what data they hold. File a subject access request for a copy of your data to see exactly what they've retained.
- Consider alternatives. If you need age verification, research what data different providers retain.
The broader lesson: every age verification request is a surveillance decision. Your face, your ID, your location: it all goes somewhere. Sometimes it stays for five years.
Sources
- Biometric Update - Spain's AEPD fines Yoti $1.1M for biometric data handling violations
- PPC Land - Spain fines Yoti €950,000 over biometric data and consent failures
- Yoti Blog - Yoti's response to AEPD sanctions and fine
- ID Tech - Spain's AEPD Fines Yoti €950,000 for GDPR Violations
- Reclaim The Net - Spain Fines ID Tool Yoti for Privacy Violations
Published: March 18, 2026