Spotify may take a photo of your face to estimate your age or verify your identity, using a third-party provider. The policy states this photo is deleted immediately after the check is complete.
This analysis describes what Spotify's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The collection of facial photographs for age estimation constitutes biometric data processing under several U.S. state laws, and the involvement of a third-party provider means Spotify is not the sole party handling this data, raising questions about that provider's own data practices.
Interpretive note: Whether the act of using an Age Check feature constitutes legally adequate consent under BIPA and analogous biometric statutes is jurisdiction-dependent and subject to enforcement interpretation.
If you use a feature subject to an Age Check, Spotify's third-party provider may process a photograph of your face for facial age estimation or identity verification; the policy states this Age Check Data is deleted immediately after the check, but the third-party provider's handling of that data is governed by their own practices and Spotify's contractual arrangements with them.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Spotify has changed this document before.
"Age Check Data is the data you provide if you (i) choose to use a feature that is subject to an Age Check or (ii) are a parent or legal guardian providing parental consent for a Managed Account ('Age Check'). Examples of Age Check methods we use, which are powered by a third party provider, are: identity document verification: a photo of your identity document is used to confirm your age. In some cases, we may also use a photo of your face to verify that your ID belongs to you; facial age estimation: a photo of your face which is used to estimate your age. All Age Check Data is deleted immediately after the Age Check." — Excerpt from Spotify's Privacy Policy
REGULATORY LANDSCAPE: Collection of facial photographs for biometric age estimation implicates the Illinois Biometric Information Privacy Act (BIPA), which requires informed written consent before collecting biometric identifiers including facial geometry, as well as analogous statutes in Texas (CUBI) and Washington (WFNBI). The FTC's authority over unfair data practices is also engaged. The policy's statement that Age Check Data is deleted immediately may satisfy retention elements of BIPA but does not address the written consent requirement; whether the act of using an Age Check feature constitutes adequate consent under BIPA is a live legal question.
GOVERNANCE EXPOSURE: High. Biometric data collection via facial estimation by a third-party processor creates significant exposure under BIPA, which provides a private right of action with statutory damages of $1,000 to $5,000 per violation. The policy discloses the practice and states data is deleted immediately, but does not specify the third-party provider or detail that provider's data retention and security practices.
JURISDICTION FLAGS: Illinois presents the highest exposure given BIPA's private right of action. Texas and Washington have state biometric laws with AG enforcement. California's CPRA treats biometric information as sensitive personal information requiring disclosure and opt-out rights. Users in these states create heightened compliance obligations.
CONTRACT AND VENDOR IMPLICATIONS: The involvement of an unnamed third-party provider for Age Check processing is a significant due diligence trigger. Procurement teams should confirm that data processing agreements with this provider include binding deletion obligations aligned with the policy's 'immediately after the Age Check' commitment, and that the provider's security practices meet applicable standards. The policy does not identify the provider, limiting external verification.
COMPLIANCE CONSIDERATIONS: Legal teams should audit whether current consent mechanisms for Age Check features satisfy BIPA's written consent requirement for Illinois users and analogous requirements in other biometric states. Data mapping should confirm that the third-party provider's deletion practices are contractually binding and auditable. The policy should be reviewed to confirm whether the CCPA sensitive data opt-out right applies to this biometric processing pathway.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Spotify.