Spotify may take a photo of your face to estimate your age or verify your identity, using a third-party provider. The policy states this photo is deleted immediately after the check is complete.
This analysis describes what Spotify's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The collection of facial photographs for age estimation constitutes biometric data processing under several U.S. state laws, and the involvement of a third-party provider means Spotify is not the sole party handling this data, raising questions about that provider's own data practices.
Interpretive note: Whether the act of using an Age Check feature constitutes legally adequate consent under BIPA and analogous biometric statutes is jurisdiction-dependent and subject to enforcement interpretation.
If you use a feature subject to an Age Check, Spotify's third-party provider may process a photograph of your face for facial age estimation or identity verification; the policy states this Age Check Data is deleted immediately after the check, but the third-party provider's handling of that data is governed by their own practices and Spotify's contractual arrangements with them.
Monitoring
Spotify has changed this document before.
"Age Check Data is the data you provide if you (i) choose to use a feature that is subject to an Age Check or (ii) are a parent or legal guardian providing parental consent for a Managed Account ('Age Check'). Examples of Age Check methods we use, which are powered by a third party provider, are: identity document verification: a photo of your identity document is used to confirm your age. In some cases, we may also use a photo of your face to verify that your ID belongs to you; facial age estimation: a photo of your face which is used to estimate your age. All Age Check Data is deleted immediately after the Age Check." — Excerpt from Spotify's Privacy Policy
REGULATORY LANDSCAPE: Collection of facial photographs for biometric age estimation implicates the Illinois Biometric Information Privacy Act (BIPA), which requires informed written consent before collecting biometric identifiers including facial geometry, as well as analogous statutes in Texas (CUBI) and Washington (WFNBI). The FTC's authority over unfair data practices is also engaged. The policy's statement that Age Check Data is deleted immediately may satisfy retention elements of BIPA but does not address the written consent requirement; whether the act of using an Age Check feature constitutes adequate consent under BIPA is a live legal question.
GOVERNANCE EXPOSURE: High. Biometric data collection via facial estimation by a third-party processor creates significant exposure under BIPA, which provides a private right of action with statutory damages of $1,000 to $5,000 per violation. The policy discloses the practice and states data is deleted immediately, but does not specify the third-party provider or detail that provider's data retention and security practices.
JURISDICTION FLAGS: Illinois presents the highest exposure given BIPA's private right of action. Texas and Washington have state biometric laws with AG enforcement. California's CPRA treats biometric information as sensitive personal information requiring disclosure and opt-out rights. Having users in these states creates heightened compliance obligations.
CONTRACT AND VENDOR IMPLICATIONS: The involvement of an unnamed third-party provider for Age Check processing is a significant due diligence trigger. Procurement teams should confirm that data processing agreements with this provider include binding deletion obligations aligned with the policy's 'immediately after the Age Check' commitment, and that the provider's security practices meet applicable standards. The policy does not identify the provider, limiting external verification.
COMPLIANCE CONSIDERATIONS: Legal teams should audit whether current consent mechanisms for Age Check features satisfy BIPA's written consent requirement for Illinois users and analogous requirements in other biometric states. Data mapping should confirm that the third-party provider's deletion practices are contractually binding and auditable. The policy should be reviewed to confirm whether the CCPA sensitive data opt-out right applies to this biometric processing pathway.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Spotify.