When you sign up as a Fan, OnlyFans may ask you to take a selfie video (.gif) which is processed by a third-party provider to estimate your age or verify your identity. The results and metadata of this process are collected and stored.
This analysis describes what OnlyFans's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Selfie-based age estimation involves the processing of facial image data, which may qualify as biometric data under certain state laws such as Illinois BIPA, creating significant legal and consent obligations that the policy does not explicitly address.
Interpretive note: Whether the selfie .gif age estimation process legally constitutes biometric data processing under BIPA or analogous statutes is legally uncertain and depends on the specific technology used and jurisdictional interpretation.
Fans may have their facial image data processed by a third-party vendor to estimate age, which goes beyond standard identity checks and may create biometric data rights and risks depending on the user's location.
How other platforms handle this
You must be at least 13 years old (or the minimum age required in your country) to use Threads. If you are under 18, you must have your parent or legal guardian's permission to use Threads.
Our Services are not directed to children under 13. If you learn that anyone younger than 13 has unlawfully provided us with personal data, please contact us at privacy@medium.com.
The Service is intended for general audiences and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under the age of 13 has provided us with personal information without your cons...
Monitoring
OnlyFans has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"where we carry out third-party age estimation, or third-party age and identity verification of Fans, a short .gif, taken from a 'selfie' that you provide to our third-party providers ... the results of the third-party age estimation process or third-party age and identity verification process (pass / fail and reason for failing) ... metadata associated with the third-party age estimation process or third-party age and identity verification process (e.g. user start and finish time)— Excerpt from OnlyFans's OnlyFans Privacy Policy
REGULATORY LANDSCAPE: This provision may engage Illinois BIPA, Texas CUBI, Washington state biometric law, and GDPR/UK GDPR provisions on special category data (Article 9). The policy explicitly separates 'Face Recognition Data' from this category, but whether that distinction is legally operative under BIPA or analogous statutes is uncertain. Enforcement authorities include the Illinois AG and private plaintiffs under BIPA's private right of action, as well as the UK ICO and EU supervisory authorities under GDPR. GOVERNANCE EXPOSURE: High. The collection of selfie .gif data for age estimation by a third-party processor raises significant biometric data liability exposure in Illinois, where BIPA provides a private right of action with statutory damages. The policy does not explicitly obtain BIPA-compliant written consent or publish a retention schedule for biometric data, which are required under BIPA. JURISDICTION FLAGS: Illinois (BIPA), Texas (CUBI), Washington state biometric law, and GDPR/UK GDPR Article 9 all create heightened exposure. California users may have additional rights under CCPA's sensitive personal information provisions. The provision applies to Fans globally where age estimation is deployed. CONTRACT AND VENDOR IMPLICATIONS: The third-party age estimation vendor relationship requires a GDPR Article 28 processor agreement and, for US biometric law purposes, contractual provisions addressing data retention, destruction, and consent. The policy does not name the vendors involved, limiting due diligence visibility. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the selfie-based age estimation process constitutes biometric identifier or biometric information collection under applicable state laws and obtain jurisdiction-specific written consent where required. A data mapping exercise should document the vendor, processing purpose, retention period, and destruction schedule for this data category.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Selfie-based age estimation involves the processing of facial image data, which may qualify as biometric data under certain state laws such as Illinois BIPA, creating significant legal and consent obligations that the policy does not explicitly address.
Fans may have their facial image data processed by a third-party vendor to estimate age, which goes beyond standard identity checks and may create biometric data rights and risks depending on the user's location.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OnlyFans.