The policy explicitly carves out 'Face Recognition Data' as a distinct data category separate from the selfie-based age estimation and identity verification data described in the onboarding sections.
This analysis describes what OnlyFans's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The explicit separation of Face Recognition Data as a distinct category suggests the platform may process facial recognition data in some contexts, which carries the most stringent biometric data obligations under laws like Illinois BIPA.
Interpretive note: The document is truncated and the full Face Recognition Data section was not available for review, making it impossible to assess the full scope, legal basis, or consent mechanisms for this data category.
By acknowledging Face Recognition Data as a separate category, the policy implies this data type exists but the truncated document does not fully describe when or how it is collected, creating transparency gaps about a highly sensitive data type.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
OnlyFans has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Third-Party Onboarding Data and Technical Data does not include Face Recognition Data, as set out below.— Excerpt from OnlyFans's OnlyFans Privacy Policy
REGULATORY LANDSCAPE: Face Recognition Data is the most heavily regulated biometric data category in the US under Illinois BIPA, Texas CUBI, and Washington state law, all of which provide strong protections and in the case of BIPA a private right of action. GDPR treats biometric data used for unique identification as special category data under Article 9, requiring explicit consent or another qualifying basis. The UK ICO has also issued guidance on biometric data. GOVERNANCE EXPOSURE: High. The mere acknowledgement of Face Recognition Data as a distinct category in a consumer-facing privacy policy without full disclosure of when and how it is collected and processed creates significant regulatory and reputational exposure, particularly in jurisdictions with strict biometric laws. The document as provided is truncated and the full Face Recognition Data section could not be reviewed. JURISDICTION FLAGS: Illinois (BIPA private right of action with statutory damages), Texas (CUBI), Washington state, and GDPR/UK GDPR Article 9 all create heightened exposure. Any collection of Face Recognition Data from Illinois residents without compliant written consent and a published retention schedule creates significant litigation risk. CONTRACT AND VENDOR IMPLICATIONS: If Face Recognition Data is processed by third-party vendors, those vendors must meet the highest standards for biometric data processing and be covered by agreements that specify consent, retention, and destruction obligations consistent with applicable biometric laws. COMPLIANCE CONSIDERATIONS: Legal teams must review the full Face Recognition Data section (not available in the truncated document) to assess the scope of collection, the legal bases cited, and the consent mechanisms used. Jurisdiction-by-jurisdiction compliance with biometric data laws should be documented and verified.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The explicit separation of Face Recognition Data as a distinct category suggests the platform may process facial recognition data in some contexts, which carries the most stringent biometric data obligations under laws like Illinois BIPA.
By acknowledging Face Recognition Data as a separate category, the policy implies this data type exists but the truncated document does not fully describe when or how it is collected, creating transparency gaps about a highly sensitive data type.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OnlyFans.