Stash may collect a photo of your government-issued ID and a selfie photograph from you as part of verifying your identity when you sign up or use certain services.
This analysis describes what Stash's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Selfie photographs used for identity verification may involve facial recognition or biometric processing, which in states like Illinois is subject to specific legal requirements including consent and data handling obligations under the Biometric Information Privacy Act.
Interpretive note: The policy does not specify whether facial geometry or biometric templates are extracted from selfie photographs, making it unclear whether state biometric privacy statutes are triggered; this depends on the technical implementation of Stash's or its vendor's identity verification process.
Your government-issued ID photo and selfie may be collected and processed, potentially including facial geometry extraction, for identity verification purposes; depending on your state of residence, you may have specific rights or protections regarding this biometric data that are not fully addressed in this policy.
Cross-platform context
See how other platforms handle Selfie and Government ID Collection for Identity Verification and similar clauses.
Compare across platforms →Monitoring
Stash has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may collect information for purposes of identify verification, government-issued identification documents and self-portrait photographs ("Selfie"); and other information required by federal and industry laws and regulations.— Excerpt from Stash's Stash Privacy Policy
REGULATORY LANDSCAPE: The Illinois Biometric Information Privacy Act (BIPA) requires informed written consent before collecting biometric identifiers including facial geometry scans, as well as a written retention and destruction policy. Texas and Washington have similar but not identical biometric privacy statutes. If Stash or its identity verification vendors extract facial geometry from selfie photographs, BIPA compliance obligations may be triggered for Illinois residents. The FTC Act Section 5 also applies to material misrepresentations about sensitive data collection practices. GOVERNANCE EXPOSURE: High for Illinois residents and potentially other states with biometric privacy laws. The policy discloses collection of selfie photographs but does not specify whether facial geometry or biometric templates are extracted, who processes the data (Stash or a third-party vendor), how long biometric data is retained, or whether a written biometric data policy exists. This ambiguity creates compliance exposure in BIPA-covered jurisdictions. JURISDICTION FLAGS: Illinois BIPA creates the highest exposure, with a private right of action and statutory damages of $1,000 to $5,000 per violation. Texas and Washington impose state enforcement mechanisms without a private right of action. Several other states have introduced or are considering biometric privacy legislation. The policy's scope is limited to US residents, which narrows international exposure but does not eliminate domestic state-level risk. CONTRACT AND VENDOR IMPLICATIONS: If a third-party identity verification vendor (such as a KYC provider) processes selfie photographs on Stash's behalf, the vendor agreement should address BIPA compliance, biometric data retention and destruction timelines, and prohibitions on secondary use. Stash's liability for vendor biometric processing practices may depend on the terms of those agreements. COMPLIANCE CONSIDERATIONS: Legal teams should determine whether selfie processing involves biometric identifier extraction and, if so, ensure BIPA-compliant consent mechanisms and written retention schedules are in place for Illinois residents. Vendor contracts for identity verification should be reviewed for biometric data handling provisions. The privacy policy should be evaluated to determine whether its current disclosure is sufficient to satisfy informed consent requirements under applicable biometric statutes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Selfie photographs used for identity verification may involve facial recognition or biometric processing, which in states like Illinois is subject to specific legal requirements including consent and data handling obligations under the Biometric Information Privacy Act.
Your government-issued ID photo and selfie may be collected and processed, potentially including facial geometry extraction, for identity verification purposes; depending on your state of residence, you may have specific rights or protections regarding this biometric data that are not fully addressed in this policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stash.