Dual-Camera Simultaneous Image Capture

What it is

Every time you post a BeReal, the app takes a photo from both your front camera (your face) and your rear camera (your surroundings) at the same moment, and both images along with time and location data are saved by the company.

Why it matters (compliance & governance perspective)

This provision is structurally unique: unlike most apps that collect photos you choose to share, BeReal's mechanism captures facial imagery and environmental context simultaneously on a randomised timer, meaning users may not always have full control over what is captured.

Consumer impact (what this means for users)

This clause means your facial image and a photo of your environment are captured together at unpredictable moments, and this dual-image data along with location and timestamp metadata is held by BeReal and may be shared with service providers.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: The simultaneous front-camera facial capture may implicate the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington's biometric privacy law, each of which imposes written consent, data retention schedule disclosure, and prohibition on sale requirements for biometric identifiers and biometric information. The relevant enforcement authority for BIPA is the Illinois courts (private right of action); for CUBI, the Texas Attorney General. Under GDPR, facial imagery may constitute special category biometric data under Article 9 if processed for the purpose of uniquely identifying a natural person, requiring explicit consent or another Article 9(2) basis. The CNIL is the primary supervisory authority for BeReal's EU processing. (2) GOVERNANCE EXPOSURE: High. The randomised, mandatory dual-camera capture is operationally distinctive: users cannot complete the core product action without submitting facial imagery. If facial imagery is processed in a way that enables identification (e.g., through downstream facial recognition or feature extraction by service providers), this could trigger BIPA's written consent requirements and GDPR Article 9 obligations. Even absent such processing, the collection of facial imagery at scale from a platform with a young user base creates heightened regulatory attention risk. (3) JURISDICTION FLAGS: Illinois, Texas, and Washington create the highest biometric privacy exposure. EU/EEA users are protected by GDPR Article 9 if the imagery is processed for identification purposes. California users may have additional rights under CPRA regarding sensitive personal information. Minors across all jurisdictions create compounded exposure given age-specific consent requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Any third-party service provider receiving dual-camera imagery (e.g., cloud storage, content delivery, or moderation vendors) must be assessed for compliance with BIPA and equivalent statutes. Data processing agreements should explicitly prohibit downstream biometric processing or sale. Standard Contractual Clauses must cover image data transfers to non-EEA vendors. (5) COMPLIANCE CONSIDERATIONS: Legal teams should determine whether BeReal's current consent flow constitutes valid written informed consent under BIPA for Illinois users prior to facial image capture. A data mapping exercise should document all vendors receiving camera imagery and the processing purposes. If any service provider performs facial feature analysis (even for moderation), an Article 9 legal basis assessment under GDPR is required. Retention schedules for dual-camera imagery should be documented and disclosed.

Applicable agencies

Provision details

Other risks in this policy

• Location Data Collection high
• Third-Party Advertising Partner Data Sharing high
• User Rights for EU, UK, and California Residents medium
• Corporate Transaction Disclosure medium
• Data Retention medium
• Minors and Age Restrictions high