What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://support.spotify.com/us/contact-spotify-privacy/', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Contact Spotify's privacy support via the chat bot or contact form at support.spotify.com/us/contact-spotify-privacy/ to request confirmation that your Age Check Data was deleted and to raise any concerns about biometric data handling.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has enforcement authority over unfair or deceptive biometric data collection practices under FTC Act Section 5, and has issued guidance on biometric privacy.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'Illinois AG enforces BIPA and Texas AG enforces CUBI — both cover facial image and biometric identifier collection without adequate consent.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Biometric Age Check Data Collection clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Biometric Age Check Data Collection — Spotify

Share 𝕏 Share in Share 🔒 PDF

What it is

Spotify may take a photo of your face or your ID document to verify your age for certain features. These images are handled by a third-party provider and Spotify says they are deleted immediately after the check.

Consumer impact (what this means for users)

Your facial image or government-issued ID photo may be captured and processed by a third-party provider when you access age-restricted features — even though Spotify states the data is deleted immediately, the moment of collection itself triggers legal protections in states like Illinois and Texas.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Contact Spotify's privacy support via the chat bot or contact form at support.spotify.com/us/contact-spotify-privacy/ to request confirmation that your Age Check Data was deleted and to raise any concerns about biometric data handling.

Cross-platform context

See how other platforms handle Biometric Age Check Data Collection and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Collecting facial images and identity documents is among the most sensitive forms of data collection and triggers specific biometric privacy laws in several U.S. states that require written consent and carry statutory damages per violation.

View original clause language

Age Check Data is the data you provide if you (i) choose to use a feature that is subject to an Age Check or (ii) are a parent or legal guardian providing parental consent for a Managed Account ('Age Check'). Examples of Age Check methods we use, which are powered by a third party provider, are: identity document verification: a photo of your identity document is used to confirm your age. In some cases, we may also use a photo of your face to verify that your ID belongs to you; facial age estimation: a photo of your face which is used to estimate your age. All Age Check Data is deleted immediately after the Age Check.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/1 et seq.) requires written informed consent and a publicly available retention/destruction schedule before collecting biometric identifiers including facial geometry. Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code §503.001) similarly requires informed consent before capture. Washington My Health MY Data Act and several other state laws may also apply. FTC Act Section 5 governs unfair or deceptive biometric data practices at the federal level. The FTC and State AGs are primary enforcement authorities. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has enforcement authority over unfair or deceptive biometric data collection practices under FTC Act Section 5, and has issued guidance on biometric privacy.
File a complaint →
State AG

Illinois AG enforces BIPA and Texas AG enforces CUBI — both cover facial image and biometric identifier collection without adequate consent.
File a complaint →

Provision details

Document information

Document

Spotify Privacy Policy

Entity

Spotify

Document last updated

April 29, 2026

Tracking information

First tracked

April 28, 2026

Last verified

April 28, 2026

Record ID

CA-P-003896

Document ID

CA-D-00036

Evidence Provenance

Source URL

https://www.spotify.com/us/legal/privacy-policy/

Wayback Machine

View archived versions →

SHA-256

62bfd0910e1d9815b6915626d36d1058b28aa407638be86ce562523eaf99f811

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Spotify | Document: Spotify Privacy Policy | Record: CA-P-003896
Captured: 2026-04-28 08:47:36 UTC | SHA-256: 62bfd0910e1d9815…
URL: https://conductatlas.com/platform/spotify/spotify-privacy-policy/biometric-age-check-data-collection/
Accessed: May 2, 2026

Classification

Severity

High

Biometric Age Check Data Collection