Spotify · Spotify Privacy Policy

Facial Age Estimation and Identity Document Collection

High severity
Share 𝕏 Share in Share

What it is

Spotify may collect a photo of your face and a photo of your ID document to verify your age through a third-party provider. Spotify says this data is deleted immediately after the check.

Consumer impact (what this means for users)

If you use the Age Check feature, a photo of your face and potentially your government ID will be processed by a third-party provider — this is highly sensitive biometric-adjacent data, and while Spotify states it is deleted immediately, the third-party provider's processing is governed by their own policies.

How other platforms handle this

Public.com Medium

We, and our analytics and advertising providers, use these technologies to collect personal information (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use our Services, including personal information about your onlin...

Wealthfront Medium

Your browsing activity may be tracked across different websites and different devices or apps. For example, we may attempt to match your browsing activity on your mobile device with your browsing activity on your computer. To do this, we may analyze your browsing patterns, geo-location and device id...

OpenAI Medium

We may receive information about you from third parties, such as social media platforms, identity verification services, and other users who share content about you when using our services.

See all platforms with this clause type →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Collection of facial images and identity documents is among the most sensitive categories of personal data and may trigger biometric privacy laws in Illinois, Texas, and other states, even if the data is immediately deleted.

View original clause language
Age Check Data is the data you provide if you use an Age Check powered by a third party provider on Spotify ('Age Check'). This includes: Facial age estimation: a photo of your face which is used to estimate your age. Identity document verification: photos of your face and ID which are used to confirm your age and to verify that the ID belongs to you. Where Age Check Data is collected, we will obtain your consent and provide notice of the third party policies that apply to the processing of such data. All Age Check Data is deleted immediately after the Age Check.

Institutional analysis (Compliance & legal intelligence)

1) REGULATORY FRAMEWORK: This provision potentially implicates Illinois BIPA (740 ILCS 14/1 et seq.) which requires informed written consent before collecting biometric identifiers including facial geometry; Texas CUBI (Tex. Bus. & Com. Code §503.001) which prohibits capturing biometric identifiers without informed consent; the Washington My Health MY Data Act (SB 1155) as it relates to biometric health data; CCPA/CPRA sensitive personal information provisions (Cal. Civ. Code §1798.121) which classify biometric information as sensitive and require a separate opt-in or right to limit use; and COPPA (15 U.S.C. §6501) for any minor users who undergo age verification. The FTC and state AGs have enforcement authority. Illinois BIPA is privately enforceable with statutory damages of $1,000–$5,000 per violation. 2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has enforcement authority over unfair or deceptive practices related to biometric data collection and children's privacy under COPPA.
    File a complaint →
  • State AG
    State AGs in Illinois (BIPA enforcement), Texas (CUBI), and California (CPRA sensitive personal information) have enforcement authority over biometric and facial data collection practices.
    File a complaint →

Applicable regulations

EU AI Act
European Union
BIPA
Illinois, USA
CCPA/CPRA
California, USA
COPPA
United States Federal
CAN-SPAM
United States Federal
DMA
European Union
FCRA
United States Federal
GDPR
European Union
GLBA
United States Federal
HIPAA
United States Federal
TCPA
United States Federal
UK GDPR
United Kingdom

Provision details

Document information
Document
Spotify Privacy Policy
Entity
Spotify
Document last updated
April 16, 2026
Tracking information
First tracked
March 6, 2026
Last verified
April 9, 2026
Record ID
CA-P-002608
Document ID
CA-D-00036
Evidence Provenance
Source URL
https://www.spotify.com/us/legal/privacy-policy/
Wayback Machine
View archived versions →
SHA-256
20e7378325f90f73de8e5f0d9b2d1ec4523f9cf07b406b492edd5753b96f24ad
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Spotify | Document: Spotify Privacy Policy | Record: CA-P-002608
Captured: 2026-03-06 20:27:52 UTC | SHA-256: 20e7378325f90f73…
URL: https://conductatlas.com/platform/spotify/spotify-privacy-policy/facial-age-estimation-and-identity-document-collection/
Accessed: April 29, 2026
Classification
Severity
High
Categories
Data collection

Other provisions in this document

Related Analysis