Roblox may collect a selfie or facial image from you to verify your age. The policy states this image is deleted after the age check is complete, but the collection of facial imagery is a form of biometric data processing.
This analysis describes what Roblox's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes the operational procedure and data handling framework for age verification, including the collection mechanism (facial imaging), the purpose (age assurance), and the data retention policy (deletion post-verification). This addresses regulatory compliance with age assurance requirements in digital services.
Interpretive note: The scope of users subject to facial age estimation, the identity of the age estimation vendor, and the technical deletion mechanism are not fully described in this policy text; the referenced Facial Media Capture Policy would need to be reviewed for complete analysis.
Removal of this provision eliminates transparency about facial recognition data collection and the policy's promise of deletion after age verification, which is a significant privacy disclosure gap.
View full change record →If you are asked to complete age verification on Roblox, your facial image is collected and processed. The policy states this image is deleted after the age estimation process is complete, but the act of collection and processing of facial imagery may trigger biometric privacy rights in certain US states and GDPR special category data protections in the EU.
How other platforms handle this
"By clicking 'Next', you are indicating that you have read and agree to the TERMS OF USE AND PRIVACY POLICY"
We automatically collect certain information from your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Service, we collect information about the individual web pages or products th...
Location data. Data about your device's location, which can be either precise or imprecise. For example, we collect location data using Global Navigation Satellite System (GNSS) (e.g., GPS) and data about nearby cell towers and Wi-Fi hotspots. Location can also be inferred from a device's IP address...
Monitoring
Roblox has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"To assess user ages, Roblox may collect information about you, including images such as a selfie, to perform age assurance. Information collected to assess user ages, such as images taken to perform facial age estimation, is deleted once the age assurance process is complete. You can learn more about Roblox's practices in the Roblox Facial Media Capture Policy.— Excerpt from Roblox's Roblox Privacy Policy
REGULATORY LANDSCAPE: Facial imagery used for biometric identification or age estimation engages Illinois BIPA (which requires written consent and prohibits sale of biometric data), Texas CUBI, Washington's My Health MY Data Act, and GDPR Article 9 (special category biometric data requiring explicit consent). The FTC also has enforcement interest in biometric data practices under its unfair and deceptive practices authority. The policy's claim that images are deleted post-process does not eliminate the collection and processing event itself, which is the trigger for most biometric privacy obligations. GOVERNANCE EXPOSURE: High. Biometric data collection, even for a brief age-check purpose, creates significant regulatory exposure in Illinois (BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation), and in EU/EEA jurisdictions where facial data is classified as special category data requiring explicit consent. The scope of the user population potentially subject to facial age estimation is not clearly bounded in the policy text, which adds to the exposure profile. JURISDICTION FLAGS: Illinois (BIPA, private right of action), Texas (CUBI), Washington (My Health My Data Act), EU and EEA (GDPR Article 9), UK (UK GDPR). California's CPRA includes biometric data as sensitive personal information with specific disclosure and opt-out obligations. The policy references a separate Roblox Facial Media Capture Policy for further detail, which should be reviewed in conjunction with this document. CONTRACT AND VENDOR IMPLICATIONS: If Roblox uses a third-party age estimation vendor, that vendor's data processing agreement must include biometric-specific protections, including prohibition on retention beyond the session, prohibition on secondary use, and confirmation of technical deletion. Standard DPAs may not cover biometric data adequately. Vendor assessment should include confirmation of ISO 27001 or equivalent certification and a review of the vendor's own subprocessor chain. COMPLIANCE CONSIDERATIONS: Compliance teams should confirm the technical deletion mechanism for facial images post-age-estimation, including audit logs demonstrating deletion. Consent flows for users in Illinois, Texas, and EU jurisdictions must be reviewed to ensure they meet jurisdiction-specific standards for biometric data. The Roblox Facial Media Capture Policy referenced in the document should be reviewed for consistency and completeness. A data protection impact assessment (DPIA) under GDPR Article 35 is likely required given the special category nature of biometric data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision establishes the operational procedure and data handling framework for age verification, including the collection mechanism (facial imaging), the purpose (age assurance), and the data retention policy (deletion post-verification). This addresses regulatory compliance with age assurance requirements in digital services.
If you are asked to complete age verification on Roblox, your facial image is collected and processed. The policy states this image is deleted after the age estimation process is complete, but the act of collection and processing of facial imagery may trigger biometric privacy rights in certain US states and GDPR special category data protections in the EU.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Roblox.