Biometric categorisation — assigning people to categories based on their biometric data — is prohibited under Article 5(1)(g) of the EU AI Act where it infers race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation, with a narrow law enforcement dataset exception. Categorisation based on other sensitive or protected attributes is high-risk under Annex III point 1(b), and deployers must inform exposed persons under Article 50(3).
Biometric Categorisation Under the EU AI Act: Prohibition, High-Risk and Disclosure
Overview: Sorting People by Their Bodies
Biometric categorisation is the practice of using AI to assign natural persons to categories on the basis of their biometric data — inferring attributes from faces, voices, gait or other body-derived signals. The EU AI Act treats the practice with calibrated severity: the most invasive inferences are banned outright, a wider band is permitted only as high-risk, and everything that operates must disclose itself. The architecture mirrors the emotion recognition scheme, but the boundaries run along different lines — here the decisive variable is which attribute is being inferred. Getting that boundary analysis right is the entire compliance question, because the difference between an inference of sexual orientation and an inference of age bracket is the difference between a prohibited practice carrying 7 percent turnover fines and an ordinary commercial feature.
The Definition and Its Built-In Exclusion
Article 3(40) defines a biometric categorisation system as an AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data, unless it is ancillary to another commercial service and strictly necessary for objective technical reasons. The exclusion handles cases like virtual try-on filters that must locate facial features to function, or photo organisation that clusters by characteristics as a technical step in a service the user actually requested. The recitals are careful: the ancillary exclusion requires that the categorisation cannot be used independently of the principal service — it is a narrow technical carve-out, not a loophole for analytics packaged inside other products. Note also the distinction from identification: categorisation asks what kind of person this is, not who this person is; remote biometric identification has its own, separate rule set.
Layer One: The Prohibition
Article 5(1)(g) prohibits the placing on the market, putting into service or use of biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation. The prohibition — applicable since February 2, 2025 — encodes a bright ethical line: these attributes belong to the inner citadel of the person, the same categories the GDPR designates as special, and inferring them from someone's body is treated as inherently abusive regardless of accuracy or intent. The provision contains one exception: it does not cover the labelling or filtering of lawfully acquired biometric datasets, such as images, based on biometric data, or the categorising of biometric data in the area of law enforcement — permitting, for instance, a forensic unit to filter a lawfully obtained image set by visible characteristics during an investigation. The exception governs dataset operations under existing legal frameworks; it does not permit live categorisation of people in the world.
Layer Two: High-Risk Categorisation
Annex III point 1(b) classifies as high-risk those AI systems intended to be used for biometric categorisation according to sensitive or protected attributes or characteristics based on the inference of those attributes or characteristics — insofar as the use is permitted under law, and subject to the prohibition's absolute priority. The practical reading: categorisation touching sensitive or protected dimensions that survive Article 5 — health-related inferences, or attributes protected under Union non-discrimination law such as age, sex, or disability, depending on the configuration — lands in the full high-risk regime from August 2, 2026: risk management, bias-examined data governance, conformity assessment (with the biometrics-specific notified body rules of Article 43 applying to this Annex III point), registration, logging and human oversight. Categorisation by genuinely non-sensitive attributes — distinguishing adults from children for a parental control feature, say — escapes Annex III point 1(b), though the GDPR's rules on biometric data processing and the Article 50(3) disclosure duty still shape the deployment.
Layer Three: Disclosure
Article 50(3) requires deployers of biometric categorisation systems — like deployers of emotion recognition — to inform the natural persons exposed to them of the operation of the system and to process personal data in accordance with applicable data protection law, with a carve-out for certain law enforcement uses subject to safeguards. Silent categorisation of customers, visitors or passers-by is therefore unlawful twice over in most configurations: once under the AI Act's transparency duty, and once under the GDPR, which requires a lawful basis — typically explicit consent — for processing biometric data at all. The cumulative effect is that commercial deployments of biometric categorisation in the Union must be visible, consented and documented, or they must not exist.
Who Must Act
- Vendors of computer vision analytics: audit every classification output in your product against the prohibited attribute list — features inferring or proxying the Article 5(1)(g) categories must be removed for the EU market, not merely disabled by default
- Retail, advertising and venue analytics deployers: inventory installed systems for demographic estimation features; verify which attributes are inferred, whether the configuration is permitted, and whether disclosure and GDPR bases exist
- Law enforcement bodies: document the legal basis for any dataset filtering under the exception, and classify investigative categorisation tools against Annex III points 1(b) and 6 in parallel
- All providers: scrutinise proxy risk — a system marketed as categorising by neutral attributes whose embeddings effectively encode prohibited ones invites both Article 5 enforcement and discrimination liability; the bias examination duty of Article 10 is where that analysis must live
Concrete Examples
Example one: a digital signage company offers cameras that estimate age bracket and presented characteristics of viewers to rotate advertisements. Inferring race would be prohibited; a configuration limited to age estimation avoids the ban, faces the high-risk analysis under point 1(b) depending on the attributes used, requires conspicuous disclosure under Article 50(3), and needs a GDPR basis that street-facing advertising rarely achieves — the data protection analysis, not the AI Act, is usually fatal here.
Example two: a research team filters a lawfully assembled image dataset by hair colour and approximate age to balance training data for a medical application. Dataset labelling, not live categorisation of individuals — outside the prohibition, governed by data protection and research ethics frameworks.
Example three: an app claims to infer political leaning from profile photographs. Squarely prohibited since February 2025, whatever its accuracy — and its accuracy claims would themselves be scientifically indefensible.
Action Before August 2, 2026
The prohibition already applies, so the first action is retrospective: confirm that nothing in your deployed estate infers the banned categories, including through proxies, and record that confirmation. The high-risk regime arrives August 2, 2026 for permitted sensitive-attribute categorisation, and providers in that band should sequence conformity assessment now, with particular attention to the notified body question that Annex III point 1 uniquely raises where harmonised standards are not fully applied. Deployers should fold biometric categorisation into the same audit as emotion recognition — the two share the Article 50(3) disclosure duty and frequently ship in the same analytics products. The regulatory direction of travel is unmistakable: Europe has decided that sorting people by their bodies is either forbidden, heavily governed or fully disclosed. Product strategies that depend on it being silent and unexamined have no future in this market.
The Proxy Problem in Depth
The hardest compliance work in this category is not reading the attribute list — it is recognising when a system infers banned attributes without naming them. Modern embedding-based systems learn whatever structure the data contains, and biometric data is saturated with correlates of the prohibited categories: facial morphology correlates with ancestry, voice characteristics with regional and social origin, appearance choices with religious practice. A categorisation system trained to segment audiences for marketing can therefore reconstruct prohibited categories internally even when its output labels read as neutral segments. The legal exposure is real on two fronts: Article 5(1)(g) speaks of systems that deduce or infer the listed attributes, which reaches internal inference deployed through proxies, and Union non-discrimination law attaches to outcomes regardless of mechanism. The defensible engineering response is affirmative testing: probe whether the system's representations or outputs predict the prohibited attributes, document the methodology and results, and constrain features where leakage appears. Providers should retain these probe results within their Article 10 data governance records; deployers should ask for them by name during procurement. Teams that cannot answer the question — could your segments reconstruct race or beliefs? — with evidence rather than assurance have not finished their compliance work, however clean their marketing taxonomy looks. The discipline pays beyond compliance: proxy probes routinely surface dataset imbalances and spurious correlations that degrade model quality generally, which is why mature teams run them as standard evaluation practice rather than regulatory ceremony.
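As an added illustration of the affirmative proxy testing described above (example code written for this page, not tooling from the page's author or any vendor), the following probes whether a hypothetical segmentation model's embeddings predict a protected attribute better than a label-shuffled chance baseline. The embeddings, the leaking dimension and the attribute labels are constructed synthetic data; the nearest-centroid probe stands in for whatever linear probe a team would actually run.

```python
import random
from typing import List, Tuple

# Constructed synthetic data: 4-dimensional embeddings from a hypothetical
# audience-segmentation model plus a binary protected attribute the model was
# never asked to predict. 'leak' sets how strongly dimension 2 encodes it.
def make_embeddings(n: int, leak: float, seed: int = 0) -> Tuple[List[List[float]], List[int]]:
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        attr = rng.randint(0, 1)
        vec = [rng.gauss(0.0, 1.0) for _ in range(4)]
        vec[2] += leak * (2 * attr - 1)  # correlate dimension 2 with the attribute
        xs.append(vec)
        ys.append(attr)
    return xs, ys

def _centroid(rows: List[List[float]]) -> List[float]:
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]

def _sqdist(a: List[float], b: List[float]) -> float:
    return sum((p - q) ** 2 for p, q in zip(a, b))

def probe_accuracy(xs: List[List[float]], ys: List[int], folds: int = 5) -> float:
    """Nearest-centroid linear probe, scored by k-fold cross-validation."""
    n, correct = len(xs), 0
    for f in range(folds):
        held = set(range(f, n, folds))
        train = [(xs[i], ys[i]) for i in range(n) if i not in held]
        cents = {c: _centroid([x for x, lbl in train if lbl == c]) for c in (0, 1)}
        for i in held:
            pred = min(cents, key=lambda c: _sqdist(xs[i], cents[c]))
            correct += int(pred == ys[i])
    return correct / n

def proxy_leakage_report(xs: List[List[float]], ys: List[int], permutations: int = 20, seed: int = 1) -> dict:
    """Compare real probe accuracy against a permutation (label-shuffled) baseline.
    Beating every shuffled run is evidence the embeddings encode the attribute;
    the numbers are what an Article 10 data governance record should retain."""
    real = probe_accuracy(xs, ys)
    rng = random.Random(seed)
    null = []
    for _ in range(permutations):
        shuffled = ys[:]
        rng.shuffle(shuffled)
        null.append(probe_accuracy(xs, shuffled))
    return {"probe_accuracy": real, "chance_mean": sum(null) / len(null),
            "chance_max": max(null), "leaks": real > max(null)}
```

Running `proxy_leakage_report(*make_embeddings(400, 1.5))` flags leakage while `leak=0.0` stays at chance, and the same harness works unchanged on real embeddings once `xs` and `ys` come from the model under review.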
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.