By Cheryl Winokur Munk
There's a cool factor to the whole concept of biometrics, of buying some product with your palm or face. But privacy professionals warn you may be giving up more than you're getting.
Many people have become accustomed to using their phones at checkout, authenticating themselves with a fingerprint or their face. But some companies now offer the ability to pay for purchases without your phone, by providing your biometrics, which are stored by the company or a third party.
While palm, face or iris payment and authentication aren't widespread in the U.S., more commercial trials are popping up, and this type of biometric technology has the potential to proliferate over the next few years. The conventional wisdom is that it's safer than a password and more secure than credit cards. But that doesn't mean it's impregnable, and consumers need to understand the potential dangers of handing their biometrics over to a company.
"People like convenience, they like speed. That's why people are choosing biometrics. If I'm going to stand in a line for an hour, the shorter line using biometrics sounds enticing," says Jodi Daniels, founder and chief executive of Red Clover Advisors, a privacy consulting firm in Atlanta. "But you always have to think about the worst-case scenario: What could happen here?"
One thing that could happen is that your biometric data is stolen and used by hackers to impersonate you. When you set up biometric authentication to confirm your identity when paying for purchases, a digital translation of your face or palm, say, is created and stored by the merchant or a third party. That data -- like any other personal data you've given out -- is vulnerable to hackers, who may be able to use it for identity theft.
Here are five considerations before taking the biometrics plunge:
You can't replace your biometrics
If your credit-card number is stolen, you get a new credit card. No such luck if your biometric data is stolen.
"The fundamental difference between a biometric or a government ID or a credit-card number is that the latter two can, in some cases, be changed or altered," says Ashkan Soltani, an independent researcher and technologist in the San Francisco Bay Area specializing in privacy, security and technology policy. "But you're stuck with your facial geometry and your fingerprint for life unless you take drastic measures like burning your fingerprints off," he says.
Because biometrics are intrinsic to an individual, swindlers can't easily steal this kind of identifying information if you keep tight control over it. But if they do gain access to your biometric data, by hacking a site where it's stored, for example, you have no recourse.
How companies can use your data
Companies generally have a lot of leeway in deciding to keep or sell personal data and how long to retain it -- and the longer they keep it, the greater the likelihood it could be misused or stolen.
There's no all-encompassing federal law regulating the use of biometrics, and many state laws also fall short, says Adam Schwartz, privacy litigation director at the Electronic Frontier Foundation, a nonprofit that focuses on privacy rights. Illinois has what security professionals consider the most comprehensive law to protect individuals' biometric data. It prohibits private companies from collecting biometric data unless they inform the person in writing of what data is being collected or stored, its specific purpose and for how long the data will be collected, stored and used. Companies also have to obtain written consent from the individual. The law also bans companies from selling or profiting from consumers' biometric information in other ways.
A few other states, including California, have consumer-data privacy statutes that apply to biometrics. However, most states don't have guardrails to limit how long biometric data is retained, what it's used for and who businesses can disclose it to.
The Federal Trade Commission requires companies that collect data to have privacy policies. However, these policies tend to be full of jargon, and consumers may not be able to understand all the legalese, says Jeramie D. Scott, senior counsel at the Electronic Privacy Information Center, a public-interest research center in Washington, D.C., that focuses on privacy protection.
Companies may tell you, for example, that they encrypt biometric data, but they may not tell you the details, so there's no way to tell how strong their safeguards are.
What if the data is stolen?
The answer is you never know. While companies say they protect your data, any information that's collected has the potential to be stolen or misused by an employee or third party, Schwartz says.
He points to several incidents in which biometrics have been stolen, including a 2015 hack of the federal Office of Personnel Management, which included more than five million fingerprints. Systems are imperfect and mistakes happen, meaning "there is an intrinsic risk" that a thief will steal your sensitive data, Schwartz says.
The safest biometrics
Broadly speaking, palm-vein technology, which identifies people based on the unique pattern of their veins, is considered less susceptible to identity theft because vein patterns are difficult to copy.
Even so, security professionals advise against giving this or any other kind of biometric data to companies because of the unknown risks, especially as AI advances and biometrics become more widely collected. "The more the technology gets used and grows, the more likely it becomes a target for criminals," Scott says.
If you want out
Consumers who want their data deleted should contact the company through official channels, usually listed in its privacy policy, and follow the procedures the company sets out. Be specific about your request and keep records.
It's far easier, however, not to give up the data to begin with, says Debbie Reynolds, founder, CEO and chief data-privacy officer of Debbie Reynolds Consulting in Chicago.
"I tell consumers they have to weigh the pros and cons of giving their biometrics," she says. Is the risk worth a $10 coupon or a $50 voucher a company might give participants in a biometrics trial? People have to consider "not only right now, but the long term," she says.
(END) Dow Jones Newswires
March 20, 2026 11:00 ET (15:00 GMT)
Copyright (c) 2026 Dow Jones & Company, Inc.

