Square may collect government ID documents and, in some cases, biometric data such as facial recognition information to verify who you are and to comply with legal requirements.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
Interpretive note: The specific biometric data types collected, the consent mechanism used, and the retention schedule are not fully detailed in the policy excerpt, creating uncertainty about whether collection practices satisfy BIPA and CPRA requirements in all applicable contexts.
If Square collects biometric identifiers from you during identity verification, this data is subject to heightened legal protections in states like Illinois, Texas, and Washington, and you may have rights to consent, disclosure, and deletion that Square must honor under applicable state law.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect identity verification information including government-issued identification documents (such as a driver's license or passport) and may collect biometric information or biometric identifiers as needed to verify your identity, comply with legal requirements, or prevent fraud.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Biometric data collection engages Illinois BIPA, Texas CUBI Act, and Washington's My Health MY Data Act (for certain contexts), each of which imposes specific consent, retention, and destruction requirements. GDPR Article 9 classifies biometric data used for unique identification as special category data requiring explicit consent or another qualifying basis. The CCPA/CPRA also treats biometric information as sensitive personal information requiring opt-in consent for collection and use. GOVERNANCE EXPOSURE: High. BIPA litigation in Illinois has produced some of the largest privacy-related class action settlements in US history. Noncompliance with biometric data statutes carries statutory damages and class action exposure. The policy's statement that biometric data may be collected for verification purposes without clearly specifying the consent mechanism creates compliance risk in jurisdictions with explicit consent requirements. JURISDICTION FLAGS: Illinois BIPA requires written consent before biometric data collection and has a private right of action. Texas and Washington have similar but distinct frameworks. GDPR Article 9 applies to EEA users. California CPRA requires opt-in consent for sensitive personal information including biometric data. New York does not have a statewide biometric privacy law as of the document analysis date, but New York City has enacted relevant protections. CONTRACT AND VENDOR IMPLICATIONS: Third-party identity verification vendors used by Square in connection with this collection should be assessed for their own biometric data handling compliance, consent infrastructure, and retention and destruction practices. Data processing agreements with these vendors should specify that biometric data is not retained beyond the verification purpose. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Square's consent collection mechanism for biometric or identity document data meets BIPA and CPRA requirements, including written consent and disclosure of retention schedule. Data mapping should clearly document which user populations are subject to biometric collection and in which product flows. Retention and destruction schedules for biometric data should be audited against statutory requirements in applicable jurisdictions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data and government-issued identity documents are among the most sensitive categories of personal information, and their collection triggers specific legal obligations in several US states and under GDPR that go beyond standard privacy protections.
If Square collects biometric identifiers from you during identity verification, this data is subject to heightened legal protections in states like Illinois, Texas, and Washington, and you may have rights to consent, disclosure, and deletion that Square must honor under applicable state law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.