Spotify may collect a photo of your face and a photo of your ID document to verify your age through a third-party provider. Spotify says this data is deleted immediately after the check.
This analysis describes what Spotify's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes the operational scope and retention parameters for biometric and identity document data processed through Spotify's age verification mechanism. By restricting retention to the duration of the verification process and requiring prior consent and third-party notice, the clause defines the conditions under which sensitive personal data may be collected and processed.
If you use the Age Check feature, a photo of your face and potentially your government ID will be processed by a third-party provider — this is highly sensitive biometric-adjacent data, and while Spotify states it is deleted immediately, the third-party provider's processing is governed by their own policies.
How other platforms handle this
"By clicking 'Next', you are indicating that you have read and agree to the TERMS OF USE AND PRIVACY POLICY"
We automatically collect certain information from your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Service, we collect information about the individual web pages or products th...
Location data. Data about your device's location, which can be either precise or imprecise. For example, we collect location data using Global Navigation Satellite System (GNSS) (e.g., GPS) and data about nearby cell towers and Wi-Fi hotspots. Location can also be inferred from a device's IP address...
Monitoring
Spotify has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Age Check Data is the data you provide if you use an Age Check powered by a third party provider on Spotify ('Age Check'). This includes: Facial age estimation: a photo of your face which is used to estimate your age. Identity document verification: photos of your face and ID which are used to confirm your age and to verify that the ID belongs to you. Where Age Check Data is collected, we will obtain your consent and provide notice of the third party policies that apply to the processing of such data. All Age Check Data is deleted immediately after the Age Check.— Excerpt from Spotify's Spotify Privacy Policy
1) REGULATORY FRAMEWORK: This provision potentially implicates Illinois BIPA (740 ILCS 14/1 et seq.) which requires informed written consent before collecting biometric identifiers including facial geometry; Texas CUBI (Tex. Bus. & Com. Code §503.001) which prohibits capturing biometric identifiers without informed consent; the Washington My Health MY Data Act (SB 1155) as it relates to biometric health data; CCPA/CPRA sensitive personal information provisions (Cal. Civ. Code §1798.121) which classify biometric information as sensitive and require a separate opt-in or right to limit use; and COPPA (15 U.S.C. §6501) for any minor users who undergo age verification. The FTC and state AGs have enforcement authority. Illinois BIPA is privately enforceable with statutory damages of $1,000–$5,000 per violation. 2)
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision establishes the operational scope and retention parameters for biometric and identity document data processed through Spotify's age verification mechanism. By restricting retention to the duration of the verification process and requiring prior consent and third-party notice, the clause defines the conditions under which sensitive personal data may be collected and processed.
If you use the Age Check feature, a photo of your face and potentially your government ID will be processed by a third-party provider — this is highly sensitive biometric-adjacent data, and while Spotify states it is deleted immediately, the third-party provider's processing is governed by their own policies.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Spotify.