DraftKings uses third-party identity verification services to scan your facial geometry or other biometric data when verifying your identity. The company states it does not retain this biometric data after the verification is complete, but the actual processing is done by external vendors.
This analysis describes what DraftKings's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data is among the most sensitive personal information categories because it is immutable. State laws like Illinois BIPA impose strict requirements and statutory damages for non-compliant biometric data collection, making this provision legally significant regardless of the stated retention limit.
Interpretive note: The provision does not name the identity verification vendors or provide a standalone biometric retention schedule, creating uncertainty about whether the stated practices fully satisfy BIPA and CUBI requirements.
When you verify your identity on DraftKings, your facial geometry or similar biometric identifiers are captured and processed by third-party vendors. The policy states this data is not retained beyond the transaction, but users have limited ability to independently verify vendor-side retention or processing practices.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
DraftKings has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"DraftKings may use the biometric information we receive from our identity verification service providers for the purpose of verifying your identity. We do not directly collect your biometric information; rather, our identity verification service providers collect and process this information on our behalf. We do not store your biometric information beyond the completion of the verification transaction. The biometric information collected by our identity verification service providers in connection with the verification of your identity may include facial geometry or other biometric information as defined by applicable law.— Excerpt from DraftKings's DraftKings Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code Ch. 503), and Washington's My Health MY Data Act to the extent biometric data intersects with health-adjacent data. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation. The FTC Act's unfair or deceptive practices standards also apply. The enforcement authority under BIPA is private litigants and Illinois courts; under CUBI, the Texas AG. GOVERNANCE EXPOSURE: High. The delegation of biometric processing to unnamed third-party identity verification service providers, combined with the absence of explicit vendor identification, creates audit and contractual exposure. BIPA requires written informed consent and a publicly available retention schedule prior to collection. The notice's statement that biometric data is not retained 'beyond the completion of the verification transaction' may not satisfy BIPA's written policy and retention schedule requirements if not accompanied by a standalone biometric data policy. JURISDICTION FLAGS: Illinois creates the highest exposure due to BIPA's private right of action and class action history. Texas CUBI enforcement by the AG is an emerging risk. California CPRA treats biometric data as sensitive personal information requiring opt-in consent for certain uses. New York does not yet have a biometric-specific statute but has introduced legislation. Users in the EU/EEA would have additional rights under GDPR Article 9 governing special category data. CONTRACT AND VENDOR IMPLICATIONS: The provision does not name the identity verification service providers processing biometric data. Procurement teams should verify that data processing agreements with these vendors include BIPA-compliant provisions, explicit retention schedules, data destruction certifications, and indemnification for biometric data violations. The assertion that DraftKings does not 'directly collect' biometric data does not eliminate BIPA liability if DraftKings is deemed to be in possession of or benefit from the data. COMPLIANCE CONSIDERATIONS: Legal teams should review whether a standalone biometric data retention and destruction policy has been published as required by BIPA. Consent mechanisms for biometric collection should be audited to confirm they are obtained prior to collection and are not bundled solely within general privacy notice acceptance. Data mapping should identify all identity verification vendors and confirm contractual obligations align with applicable state biometric statutes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data is among the most sensitive personal information categories because it is immutable. State laws like Illinois BIPA impose strict requirements and statutory damages for non-compliant biometric data collection, making this provision legally significant regardless of the stated retention limit.
When you verify your identity on DraftKings, your facial geometry or similar biometric identifiers are captured and processed by third-party vendors. The policy states this data is not retained beyond the transaction, but users have limited ability to independently verify vendor-side retention or processing practices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DraftKings.