The policy discloses that Stripe may collect biometric data as part of its identity verification services, where applicable under local law.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that biometric data collection is within scope of Stripe's data practices for identity verification purposes, which engages state biometric privacy statutes and GDPR special category data provisions requiring explicit consent.
Interpretive note: The specific biometric data collection and consent mechanisms are referenced in the policy but the relevant sections were truncated in the provided document text; full assessment requires review of the complete policy.
Under this provision, individuals using Stripe's identity verification services may have biometric data collected and processed, subject to applicable law and the consent mechanisms Stripe employs in those contexts.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"This Privacy Policy describes the Personal Data that we collect, how we use and share it, and how you can reach us with privacy-related inquiries.— Excerpt from Stripe's Stripe Privacy Policy
1. REGULATORY LANDSCAPE: Biometric data collection engages Illinois BIPA, Texas and Washington state biometric privacy laws, GDPR Article 9 special category data provisions (requiring explicit consent or another specified legal basis), and CCPA sensitive personal information provisions. Enforcement authorities include state attorneys general and EU data protection authorities. BIPA in particular carries statutory damages provisions that have produced significant class action litigation. 2. GOVERNANCE EXPOSURE: High. Biometric data is subject to heightened statutory protections in multiple U.S. states and under GDPR. Collection without compliant consent mechanisms, inadequate retention and destruction schedules, or unauthorized disclosure can expose both Stripe and its merchant clients to regulatory enforcement and private litigation. Illinois BIPA does not require a showing of actual harm for statutory damages. 3. JURISDICTION FLAGS: Illinois residents have direct BIPA claims; Texas and Washington residents have state-specific biometric privacy protections. EU and EEA residents are protected under GDPR Article 9 explicit consent requirements for biometric data. Any Stripe merchant that uses Stripe's identity verification service with customers in these jurisdictions should assess whether its own privacy disclosures and consent mechanisms are compliant. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Stripe's identity verification features should confirm whether Stripe's data processing agreement addresses biometric data specifically, including retention limits, subprocessor restrictions, and deletion obligations. These terms may require negotiation or addendum for organizations with heightened exposure in BIPA jurisdictions. 5. COMPLIANCE CONSIDERATIONS: Organizations deploying Stripe identity verification should conduct a data protection impact assessment where required under GDPR Article 35, given the special category status of biometric data. Consent flows presented to end users should specifically identify biometric data collection and its purpose. Retention and deletion schedules for biometric data should be confirmed with Stripe and documented in internal data inventories.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that biometric data collection is within scope of Stripe's data practices for identity verification purposes, which engages state biometric privacy statutes and GDPR special category data provisions requiring explicit consent.
Under this provision, individuals using Stripe's identity verification services may have biometric data collected and processed, subject to applicable law and the consent mechanisms Stripe employs in those contexts.
ConductAtlas has identified this type of provision across 21 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.