The policy states that Uber collects facial verification and biometric data from users in jurisdictions where applicable law permits or requires it, using facial recognition technology for identity verification purposes including its Real-Time ID Check feature.
This analysis describes what Uber's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes collection of biometric identifiers, a category of sensitive personal data subject to specific statutory requirements in Illinois, Texas, Washington, and other jurisdictions, with distinct consent, retention, and destruction obligations that may exceed what a general privacy policy disclosure satisfies.
Interpretive note: Whether the policy's consent framing satisfies jurisdiction-specific written consent requirements under BIPA and analogous statutes requires legal analysis beyond the document text alone.
Under this clause, users in applicable jurisdictions may have biometric facial data collected and processed by Uber's identity verification systems. The policy states collection occurs when users choose to share such data or where required by law, but the adequacy of this framing under state biometric privacy laws depends on jurisdiction-specific requirements.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Uber has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect biometric data, including facial verification data, if you choose to share it, or where permitted or required by applicable law. We may use facial recognition technology to compare your photo against a selfie you take when verifying your identity, checking that you are wearing a mask, or otherwise verifying your identity as part of our Real-Time ID Check feature.— Excerpt from Uber's Uber Privacy Notice
1. REGULATORY LANDSCAPE: Biometric data collection directly implicates the Illinois Biometric Information Privacy Act (BIPA), which requires written informed consent prior to collection, prohibits sale of biometric data, and mandates written retention and destruction policies. Texas and Washington have analogous biometric privacy statutes. Under GDPR, biometric data used for the purpose of uniquely identifying natural persons is a special category of data under Article 9, requiring explicit consent or another enumerated lawful basis. The FTC has issued guidance on facial recognition data practices. 2. GOVERNANCE EXPOSURE: High. BIPA litigation in Illinois has resulted in substantial class action settlements, and the statute's private right of action creates significant litigation exposure for organizations collecting biometric data from Illinois residents without compliant consent procedures. The policy's framing of consent as 'if you choose to share it' may not satisfy BIPA's written informed consent requirement. 3. JURISDICTION FLAGS: Illinois creates the highest litigation exposure due to BIPA's private right of action. Texas and Washington impose regulatory enforcement obligations. EU and UK users are protected by GDPR Article 9 special category processing rules. California's CPRA treats biometric data as sensitive personal information with opt-out rights. 4. CONTRACT AND VENDOR IMPLICATIONS: If Uber uses third-party facial recognition vendors to process biometric data, data processing agreements with those vendors should be assessed for compliance with applicable biometric privacy statutes, including limitations on secondary use and data destruction obligations. 5. COMPLIANCE CONSIDERATIONS: Legal teams should verify that Uber's biometric data consent mechanisms in each applicable jurisdiction satisfy the specific written consent and disclosure requirements of applicable biometric privacy laws, not merely general privacy notice disclosure. Retention and destruction schedules for biometric data should be documented separately from general data retention policies.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes collection of biometric identifiers, a category of sensitive personal data subject to specific statutory requirements in Illinois, Texas, Washington, and other jurisdictions, with distinct consent, retention, and destruction obligations that may exceed what a general privacy policy disclosure satisfies.
Under this clause, users in applicable jurisdictions may have biometric facial data collected and processed by Uber's identity verification systems. The policy states collection occurs when users choose to share such data or where required by law, but the adequacy of this framing under state biometric privacy laws depends on jurisdiction-specific requirements.
ConductAtlas has identified this type of provision across 20 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Uber.