Yes, that's a critical part of any regulation. There should be a sunset period, as I mentioned. We've suggested one year after the last interaction with a business as a default, but certainly any time an individual chooses to have their biometrics deleted from a database, that option should remain.
Again, recognizing that people may choose to use biometrics for a very specific purpose, even with the risks that entails, that doesn't give carte blanche to the company to hold on to those because they are such sensitive identifiers and could lead to identity theft and a whole host of other issues.