The policy states that images submitted by users to MetaHuman for character creation are collected to generate a 3D mesh for the requested in-game functionality, and asserts that the images are not used to identify the user.
This analysis describes what Unreal Engine's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision involves collection of photographic images of users, which may constitute biometric information or biometric identifiers under laws such as the Illinois Biometric Information Privacy Act (BIPA) and similar state statutes, even where Epic asserts the purpose is limited to mesh generation rather than identification. The legal classification of facial scan data used for mesh generation under applicable biometric privacy frameworks is not resolved by the policy's assertion of non-identification purpose.
Interpretive note: Whether collection of facial images for mesh generation constitutes collection of biometric identifiers or biometric information under applicable state law depends on the specific statutory definitions and how the processing pipeline operates, which is not fully described in the policy.
Under this provision, users who use MetaHuman provide facial images that Epic processes to create a character mesh. The agreement asserts that these images are not used to identify the user, but does not specify the retention period for the images or the generated mesh data following character creation.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Unreal Engine has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When you use MetaHuman to create in-game characters, we collect images of you to generate a mesh solely to provide the requested functionality, not to identify you.— Excerpt from Unreal Engine's Epic Games Privacy Policy
1) REGULATORY LANDSCAPE: Collection of facial images for mesh generation may implicate the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code 503.001), the Washington My Health MY Data Act, and equivalent state biometric statutes. GDPR may also classify facial scan data as biometric data under Article 9, requiring explicit consent and a specific processing condition. The Illinois Attorney General and private plaintiffs have standing under BIPA. 2) GOVERNANCE EXPOSURE: High in Illinois and Texas. The policy's assertion that images are collected solely for mesh generation rather than identification does not eliminate regulatory exposure under BIPA, which applies to the collection and retention of biometric data regardless of the intended purpose, unless a statutory exception applies. 3) JURISDICTION FLAGS: Illinois creates the highest exposure due to BIPA's private right of action and per-violation damages structure. Texas, Washington, and other states with biometric privacy laws also create heightened exposure. EU/EEA users face potential GDPR Article 9 scrutiny given that facial scan data used to generate unique identifiers may qualify as biometric data. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations deploying MetaHuman in commercial production pipelines should assess whether their use of the tool and any associated data flows trigger their own biometric data obligations under applicable state law. Sub-processor arrangements for image processing infrastructure should be reviewed. 5) COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the image collection, processing, and deletion workflow satisfies BIPA's written policy, retention schedule, and written consent requirements for Illinois users. GDPR compliance teams should confirm whether explicit consent under Article 9(2)(a) is obtained where facial images are processed. Retention periods for source images and generated mesh data should be documented and disclosed.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision involves collection of photographic images of users, which may constitute biometric information or biometric identifiers under laws such as the Illinois Biometric Information Privacy Act (BIPA) and similar state statutes, even where Epic asserts the purpose is limited to mesh generation rather than identification. The legal classification of facial scan data used for mesh generation under applicable biometric …
Under this provision, users who use MetaHuman provide facial images that Epic processes to create a character mesh. The agreement asserts that these images are not used to identify the user, but does not specify the retention period for the images or the generated mesh data following character creation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unreal Engine.