When you sign up as a Fan, OnlyFans may ask you to take a selfie video (.gif) which is processed by a third-party provider to estimate your age or verify your identity. The results and metadata of this process are collected and stored.
This analysis describes what OnlyFans's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Selfie-based age estimation involves the processing of facial image data, which may qualify as biometric data under certain state laws such as Illinois BIPA, creating significant legal and consent obligations that the policy does not explicitly address.
Interpretive note: Whether the selfie .gif age estimation process legally constitutes biometric data processing under BIPA or analogous statutes is legally uncertain and depends on the specific technology used and jurisdictional interpretation.
Fans may have their facial image data processed by a third-party vendor to estimate age, which goes beyond standard identity checks and may create biometric data rights and risks depending on the user's location.
How other platforms handle this
Only to the extent Customer cannot reasonably be satisfied with Mistral AI's compliance with this DPA through the exercise of the audit set out in Section 9.1 (Document Audit) of this DPA, Customer may conduct up to one (1) on-site audit per year to verify Mistral AI's compliance with this DPA, unde...
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
We use cookies and similar tracking technologies to track the activity on our websites and services and store certain information. Tracking technologies used include beacons, tags, and scripts to collect and track information and to improve and analyze our services. You can instruct your browser to ...
Monitoring
OnlyFans has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"where we carry out third-party age estimation, or third-party age and identity verification of Fans, a short .gif, taken from a 'selfie' that you provide to our third-party providers ... the results of the third-party age estimation process or third-party age and identity verification process (pass / fail and reason for failing) ... metadata associated with the third-party age estimation process or third-party age and identity verification process (e.g. user start and finish time)— Excerpt from OnlyFans's OnlyFans Privacy Policy
REGULATORY LANDSCAPE: This provision may engage Illinois BIPA, Texas CUBI, Washington state biometric law, and GDPR/UK GDPR provisions on special category data (Article 9). The policy explicitly separates 'Face Recognition Data' from this category, but whether that distinction is legally operative under BIPA or analogous statutes is uncertain. Enforcement authorities include the Illinois AG and private plaintiffs under BIPA's private right of action, as well as the UK ICO and EU supervisory authorities under GDPR. GOVERNANCE EXPOSURE: High. The collection of selfie .gif data for age estimation by a third-party processor raises significant biometric data liability exposure in Illinois, where BIPA provides a private right of action with statutory damages. The policy does not explicitly obtain BIPA-compliant written consent or publish a retention schedule for biometric data, which are required under BIPA. JURISDICTION FLAGS: Illinois (BIPA), Texas (CUBI), Washington state biometric law, and GDPR/UK GDPR Article 9 all create heightened exposure. California users may have additional rights under CCPA's sensitive personal information provisions. The provision applies to Fans globally where age estimation is deployed. CONTRACT AND VENDOR IMPLICATIONS: The third-party age estimation vendor relationship requires a GDPR Article 28 processor agreement and, for US biometric law purposes, contractual provisions addressing data retention, destruction, and consent. The policy does not name the vendors involved, limiting due diligence visibility. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the selfie-based age estimation process constitutes biometric identifier or biometric information collection under applicable state laws and obtain jurisdiction-specific written consent where required. A data mapping exercise should document the vendor, processing purpose, retention period, and destruction schedule for this data category.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Selfie-based age estimation involves the processing of facial image data, which may qualify as biometric data under certain state laws such as Illinois BIPA, creating significant legal and consent obligations that the policy does not explicitly address.
Fans may have their facial image data processed by a third-party vendor to estimate age, which goes beyond standard identity checks and may create biometric data rights and risks depending on the user's location.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OnlyFans.