Square may collect government ID documents and, in some cases, biometric data such as facial recognition information to verify who you are and to comply with legal requirements.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
Interpretive note: The specific biometric data types collected, the consent mechanism used, and the retention schedule are not fully detailed in the policy excerpt, creating uncertainty about whether collection practices satisfy BIPA and CPRA requirements in all applicable contexts.
This new provision discloses the collection of sensitive identity documents and biometric data, addressing a significant privacy practice not explicitly covered in the previous version.
View full change record →If Square collects biometric identifiers from you during identity verification, this data is subject to heightened legal protections in states like Illinois, Texas, and Washington, and you may have rights to consent, disclosure, and deletion that Square must honor under applicable state law.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect identity verification information including government-issued identification documents (such as a driver's license or passport) and may collect biometric information or biometric identifiers as needed to verify your identity, comply with legal requirements, or prevent fraud.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Biometric data collection engages Illinois BIPA, Texas CUBI Act, and Washington's My Health MY Data Act (for certain contexts), each of which imposes specific consent, retention, and destruction requirements. GDPR Article 9 classifies biometric data used for unique identification as special category data requiring explicit consent or another qualifying basis. The CCPA/CPRA also treats biometric information as sensitive personal information requiring opt-in consent for collection and use. GOVERNANCE EXPOSURE: High. BIPA litigation in Illinois has produced some of the largest privacy-related class action settlements in US history. Noncompliance with biometric data statutes carries statutory damages and class action exposure. The policy's statement that biometric data may be collected for verification purposes without clearly specifying the consent mechanism creates compliance risk in jurisdictions with explicit consent requirements. JURISDICTION FLAGS: Illinois BIPA requires written consent before biometric data collection and has a private right of action. Texas and Washington have similar but distinct frameworks. GDPR Article 9 applies to EEA users. California CPRA requires opt-in consent for sensitive personal information including biometric data. New York does not have a statewide biometric privacy law as of the document analysis date, but New York City has enacted relevant protections. CONTRACT AND VENDOR IMPLICATIONS: Third-party identity verification vendors used by Square in connection with this collection should be assessed for their own biometric data handling compliance, consent infrastructure, and retention and destruction practices. Data processing agreements with these vendors should specify that biometric data is not retained beyond the verification purpose. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Square's consent collection mechanism for biometric or identity document data meets BIPA and CPRA requirements, including written consent and disclosure of retention schedule. Data mapping should clearly document which user populations are subject to biometric collection and in which product flows. Retention and destruction schedules for biometric data should be audited against statutory requirements in applicable jurisdictions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
If Square collects biometric identifiers from you during identity verification, this data is subject to heightened legal protections in states like Illinois, Texas, and Washington, and you may have rights to consent, disclosure, and deletion that Square must honor under applicable state law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.