DraftKings uses third-party identity verification services to scan your facial geometry or other biometric data when verifying your identity. The company states it does not retain this biometric data after the verification is complete, but the actual processing is done by external vendors.
This analysis describes what DraftKings's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data is among the most sensitive personal information categories because it is immutable. State laws like Illinois BIPA impose strict requirements and statutory damages for non-compliant biometric data collection, making this provision legally significant regardless of the stated retention limit.
Interpretive note: The provision does not name the identity verification vendors or provide a standalone biometric retention schedule, creating uncertainty about whether the stated practices fully satisfy BIPA and CUBI requirements.
When you verify your identity on DraftKings, your facial geometry or similar biometric identifiers are captured and processed by third-party vendors. The policy states this data is not retained beyond the transaction, but users have limited ability to independently verify vendor-side retention or processing practices.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
DraftKings has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"DraftKings may use the biometric information we receive from our identity verification service providers for the purpose of verifying your identity. We do not directly collect your biometric information; rather, our identity verification service providers collect and process this information on our behalf. We do not store your biometric information beyond the completion of the verification transaction. The biometric information collected by our identity verification service providers in connection with the verification of your identity may include facial geometry or other biometric information as defined by applicable law.— Excerpt from DraftKings's DraftKings Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code Ch. 503), and Washington's My Health MY Data Act to the extent biometric data intersects with health-adjacent data. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation. The FTC Act's unfair or deceptive practices standards also apply. The enforcement authority under BIPA is private litigants and Illinois courts; under CUBI, the Texas AG. GOVERNANCE EXPOSURE: High. The delegation of biometric processing to unnamed third-party identity verification service providers, combined with the absence of explicit vendor identification, creates audit and contractual exposure. BIPA requires written informed consent and a publicly available retention schedule prior to collection. The notice's statement that biometric data is not retained 'beyond the completion of the verification transaction' may not satisfy BIPA's written policy and retention schedule requirements if not accompanied by a standalone biometric data policy. JURISDICTION FLAGS: Illinois creates the highest exposure due to BIPA's private right of action and class action history. Texas CUBI enforcement by the AG is an emerging risk. California CPRA treats biometric data as sensitive personal information requiring opt-in consent for certain uses. New York does not yet have a biometric-specific statute but has introduced legislation. Users in the EU/EEA would have additional rights under GDPR Article 9 governing special category data. CONTRACT AND VENDOR IMPLICATIONS: The provision does not name the identity verification service providers processing biometric data. Procurement teams should verify that data processing agreements with these vendors include BIPA-compliant provisions, explicit retention schedules, data destruction certifications, and indemnification for biometric data violations. The assertion that DraftKings does not 'directly collect' biometric data does not eliminate BIPA liability if DraftKings is deemed to be in possession of or benefit from the data. COMPLIANCE CONSIDERATIONS: Legal teams should review whether a standalone biometric data retention and destruction policy has been published as required by BIPA. Consent mechanisms for biometric collection should be audited to confirm they are obtained prior to collection and are not bundled solely within general privacy notice acceptance. Data mapping should identify all identity verification vendors and confirm contractual obligations align with applicable state biometric statutes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data is among the most sensitive personal information categories because it is immutable. State laws like Illinois BIPA impose strict requirements and statutory damages for non-compliant biometric data collection, making this provision legally significant regardless of the stated retention limit.
When you verify your identity on DraftKings, your facial geometry or similar biometric identifiers are captured and processed by third-party vendors. The policy states this data is not retained beyond the transaction, but users have limited ability to independently verify vendor-side retention or processing practices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DraftKings.