It’s not enough to get consent. You have to get consent that is rigorous enough. And not just in Illinois, but also in Mexico.
“Mexico’s anti‑corruption regulator has hit the Mexican Football Federation (FMF) with one of one of the country’s largest-ever privacy penalties. The FMF has been fined 42.8 million Mexican pesos (US$2.14 million) for violations linked to its Fan ID system….
“Mexico’s Ministry of Anti‑Corruption and Good Governance (SABG) said FMF failed to tell fans that the photographs collected for Fan IDs were sensitive biometric data and did not obtain the express written consent required under Mexican law.
“Instead, FMF relied on a simple website checkbox without any mechanism to prove the user providing consent was the actual data subject.”
But if your mobile application’s workflow begins with consent before identity verification, how can you change the order and perform facial recognition to positively identify the person giving consent? After all, the person hasn’t given consent to perform facial recognition to confirm the consenting person “was the actual data subject.”
Unless you resort to a manual consent method.

