Google Photos, used by over 1 billion people worldwide, processes an estimated 1.2 billion photos every day. Among its most praised features is its ability to automatically group photos by the people in them—a capability powered by sophisticated facial recognition algorithms that scan every image uploaded to the service. What most users do not realize is that this feature creates detailed biometric faceprints not only for the account holder, but for every person who appears in their photos: friends, family members, coworkers, passersby, and children—none of whom are asked for consent.
A Biometric Database Built Without Permission
Recommended by OPV: NexusBro — Catch bugs before your users do →
The legal implications of this practice have already proven costly for Google. In 2022, the company settled a class action lawsuit under Illinois's Biometric Information Privacy Act (BIPA) for $100 million, one of the largest biometric privacy settlements in history. The plaintiffs alleged that Google Photos collected and stored biometric identifiers—facial geometry data—without obtaining the informed written consent required under Illinois law. Despite the settlement, Google did not fundamentally change the feature's default behavior. Face grouping remains enabled by default for new users in most jurisdictions, and the biometric templates created by the system are stored on Google's servers indefinitely unless users actively navigate to settings to disable the feature.
Subscribe for more coverage on Privacy. SeekerPro members get premium investigations, AI-powered summaries, and exclusive analysis.
The Consent Problem
The most troubling aspect of Google Photos' facial recognition is not what it does with the account holder's face, but what it does with everyone else's. When a user uploads a photo of a birthday party, Google's algorithms create biometric templates for every detectable face in the image—the children, the neighbors, the servers in the background. These individuals have no Google Photos account, no relationship with Google, and no way to know their biometric data has been collected, let alone to consent to it or request its deletion. Privacy researchers have described this as a 'biometric externality'—a cost imposed on third parties who have no say in the transaction.
Editor's Pick Solution
NexusBro: Catch bugs before your users do
AI-powered QA that checks 125+ issues per page. Get a fix prompt in 60 seconds.
Audit Your Site Free →Google maintains that face grouping data is used only to organize photos and is not shared with third parties or used for advertising targeting. However, the company's privacy policy grants it broad rights to use data collected through its services for product improvement and development. Privacy advocates argue that a biometric database of this scale—potentially encompassing billions of unique faces—represents an extraordinary concentration of sensitive data that could be repurposed, subpoenaed by law enforcement, or compromised in a data breach.
Protecting Yourself and Others
Users who wish to limit Google Photos' biometric data collection should open the app, navigate to Settings, then Face grouping, and toggle the feature off. For a more comprehensive approach, consider switching to privacy-respecting photo storage alternatives such as Ente (an end-to-end encrypted photo service), Immich (a self-hosted open-source alternative), or simply storing photos locally. If you are concerned about biometric data that Google has already collected, visit Google's privacy dashboard at myaccount.google.com to review and request deletion of your data.
Recommended by OPV
ContentMation
Automate your content workflow
Handles scheduling, analytics, and content creation for growing businesses.
Automate Content →
