If you use the MetaHuman feature to create a game character based on your appearance, Epic collects photos of your face, but states the images are used only to generate a 3D mesh and not to identify you.
This analysis describes what Unreal Engine's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Facial images are considered biometric data under several state laws, and the policy's assertion that they are not used for identification does not necessarily exempt their collection from biometric privacy statute requirements in states like Illinois, which require prior written consent regardless of the intended use.
Interpretive note: Whether the facial image collection for MetaHuman triggers biometric privacy statutes depends on jurisdiction-specific definitions and whether the mesh generation process involves extraction of biometric identifiers, which is not technically specified in the policy.
Users of Epic's MetaHuman tool who submit facial photos should be aware that biometric privacy laws in some states may give them specific rights regarding how their facial image data is collected, retained, and deleted, independent of Epic's stated purpose limitation.
Cross-platform context
See how other platforms handle Facial Image Collection for MetaHuman and similar clauses.
Compare across platforms →Monitoring
Unreal Engine has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When you use MetaHuman to create in-game characters, we collect images of you to generate a mesh solely to provide the requested functionality, not to identify you.— Excerpt from Unreal Engine's Epic Games Privacy Policy
REGULATORY LANDSCAPE: Facial images collected for 3D mesh generation may constitute biometric identifiers or biometric information under Illinois BIPA (740 ILCS 14), Texas CUBI, Washington's My Health MY Data Act, and other state biometric frameworks, which in some cases apply regardless of the collector's intent to identify the individual. Illinois BIPA in particular does not require identification as an element of the regulated activity and has generated significant class action litigation. GDPR Article 9 classifies biometric data processed for the purpose of uniquely identifying a natural person as a special category requiring explicit consent, though the policy's assertion of a non-identification purpose may affect this classification under EU law. GOVERNANCE EXPOSURE: High for Illinois and other states with active biometric privacy statutes. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation, and class actions in the gaming and technology sectors have resulted in significant settlements. The policy's purpose limitation language ('solely to provide the requested functionality, not to identify you') may be relevant to GDPR Article 9 classification but does not substitute for compliance with state biometric statutes that do not require identification as a predicate. JURISDICTION FLAGS: Illinois (BIPA, private right of action, class action risk), Texas (CUBI), Washington state (My Health MY Data Act), EU/EEA (GDPR Article 9 special category data assessment required), United Kingdom (UK GDPR). California's CPRA includes biometric information in its definition of sensitive personal information, triggering opt-out rights. CONTRACT AND VENDOR IMPLICATIONS: If MetaHuman's image processing involves third-party computer vision or mesh generation vendors, those vendors' handling of facial images must be covered by data processing agreements that address biometric data obligations. Retention and deletion timelines for raw facial images should be contractually specified and aligned with the policy's purpose limitation assertion. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) conduct a biometric data legal assessment for all jurisdictions where MetaHuman is available, mapping facial image collection against applicable state and national biometric privacy statutes; (2) implement and document consent mechanisms that satisfy BIPA's written release requirement for Illinois users if not already in place; (3) establish and publish a publicly available retention and deletion schedule for facial images as required by BIPA; and (4) confirm whether raw facial images are retained after mesh generation and, if not, document and operationalize the deletion process.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Facial images are considered biometric data under several state laws, and the policy's assertion that they are not used for identification does not necessarily exempt their collection from biometric privacy statute requirements in states like Illinois, which require prior written consent regardless of the intended use.
Users of Epic's MetaHuman tool who submit facial photos should be aware that biometric privacy laws in some states may give them specific rights regarding how their facial image data is collected, retained, and deleted, independent of Epic's stated purpose limitation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unreal Engine.