If you use the MetaHuman feature to create a game character based on your appearance, Epic collects photos of your face, but states the images are used only to generate a 3D mesh and not to identify you.
This analysis describes what Unreal Engine's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Facial images are considered biometric data under several state laws, and the policy's assertion that they are not used for identification does not necessarily exempt their collection from biometric privacy statute requirements in states like Illinois, which require prior written consent regardless of the intended use.
Interpretive note: Whether the facial image collection for MetaHuman triggers biometric privacy statutes depends on jurisdiction-specific definitions and whether the mesh generation process involves extraction of biometric identifiers, which is not technically specified in the policy.
Users of Epic's MetaHuman tool who submit facial photos should be aware that biometric privacy laws in some states may give them specific rights regarding how their facial image data is collected, retained, and deleted, independent of Epic's stated purpose limitation.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Unreal Engine has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When you use MetaHuman to create in-game characters, we collect images of you to generate a mesh solely to provide the requested functionality, not to identify you.— Excerpt from Unreal Engine's Epic Games Privacy Policy
REGULATORY LANDSCAPE: Facial images collected for 3D mesh generation may constitute biometric identifiers or biometric information under Illinois BIPA (740 ILCS 14), Texas CUBI, Washington's My Health MY Data Act, and other state biometric frameworks, which in some cases apply regardless of the collector's intent to identify the individual. Illinois BIPA in particular does not require identification as an element of the regulated activity and has generated significant class action litigation. GDPR Article 9 classifies biometric data processed for the purpose of uniquely identifying a natural person as a special category requiring explicit consent, though the policy's assertion of a non-identification purpose may affect this classification under EU law. GOVERNANCE EXPOSURE: High for Illinois and other states with active biometric privacy statutes. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation, and class actions in the gaming and technology sectors have resulted in significant settlements. The policy's purpose limitation language ('solely to provide the requested functionality, not to identify you') may be relevant to GDPR Article 9 classification but does not substitute for compliance with state biometric statutes that do not require identification as a predicate. JURISDICTION FLAGS: Illinois (BIPA, private right of action, class action risk), Texas (CUBI), Washington state (My Health MY Data Act), EU/EEA (GDPR Article 9 special category data assessment required), United Kingdom (UK GDPR). California's CPRA includes biometric information in its definition of sensitive personal information, triggering opt-out rights. CONTRACT AND VENDOR IMPLICATIONS: If MetaHuman's image processing involves third-party computer vision or mesh generation vendors, those vendors' handling of facial images must be covered by data processing agreements that address biometric data obligations. Retention and deletion timelines for raw facial images should be contractually specified and aligned with the policy's purpose limitation assertion. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) conduct a biometric data legal assessment for all jurisdictions where MetaHuman is available, mapping facial image collection against applicable state and national biometric privacy statutes; (2) implement and document consent mechanisms that satisfy BIPA's written release requirement for Illinois users if not already in place; (3) establish and publish a publicly available retention and deletion schedule for facial images as required by BIPA; and (4) confirm whether raw facial images are retained after mesh generation and, if not, document and operationalize the deletion process.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Facial images are considered biometric data under several state laws, and the policy's assertion that they are not used for identification does not necessarily exempt their collection from biometric privacy statute requirements in states like Illinois, which require prior written consent regardless of the intended use.
Users of Epic's MetaHuman tool who submit facial photos should be aware that biometric privacy laws in some states may give them specific rights regarding how their facial image data is collected, retained, and deleted, independent of Epic's stated purpose limitation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unreal Engine.