Wealthfront collects a selfie photograph from Clients to verify their identity, and in some states this counts as biometric data under privacy law. The company requires its identity verification vendors to delete this data within 90 days.
This analysis describes what Wealthfront's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data carries heightened legal protection in several states, and the 90-day vendor destruction timeline is a contractual commitment rather than a statutory minimum, meaning enforcement depends on Wealthfront's vendor contracts rather than direct regulatory obligation in all jurisdictions.
Interpretive note: The adequacy of the consent mechanism ('where required by law') varies by jurisdiction; Illinois BIPA requires affirmative written consent before collection, and the policy's conditional framing may not satisfy this standard uniformly.
Clients must submit a selfie photograph for identity verification, which may be treated as biometric data under laws like Illinois BIPA; this data is held by third-party vendors and is contractually required to be destroyed within 90 days, but consumers have no direct mechanism to request earlier deletion from those vendors.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
Wealthfront has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may use third-party vendors for identity verification. These vendors analyze whether the Client's "selfie" matches the government-issued identity document. The information collected from Client photographs may constitute biometric information in some jurisdictions. Where required by law, we will seek consent from you prior to any such collection. We require our third-party vendors who support identity verification to agree to destroy any potential biometric data that is created or gathered for purposes of verifying your identity no more than ninety (90) days after its collection.— Excerpt from Wealthfront's Wealthfront Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly engages Illinois BIPA (740 ILCS 14), which requires informed written consent before collecting biometric identifiers and mandates a retention and destruction schedule, and Texas and Washington biometric privacy statutes. The FTC has also issued guidance on biometric data practices under its unfair or deceptive practices authority. State AGs in Illinois, Texas, and Washington are primary enforcement authorities. The policy's conditional language ('where required by law, we will seek consent') may be insufficient in BIPA-governed contexts, which require affirmative written consent before collection, not merely where legally mandated. (2) GOVERNANCE EXPOSURE: High. BIPA carries a private right of action with statutory damages of $1,000 to $5,000 per violation, and Illinois courts have applied this broadly. The policy's formulation that consent will be sought 'where required by law' rather than uniformly may create exposure if Illinois residents are subject to collection without jurisdiction-specific consent workflows. (3) JURISDICTION FLAGS: Illinois creates the highest exposure due to BIPA's private right of action. Texas and Washington have similar statutes with AG enforcement. California's CCPA treats certain biometric data as sensitive personal information requiring opt-in consent, creating an additional compliance layer for California Clients. The 90-day destruction timeline should be verified as compliant with applicable state statutory destruction schedules, which vary by jurisdiction. (4) CONTRACT AND VENDOR IMPLICATIONS: The 90-day destruction commitment is a contractual obligation imposed on vendors, not a self-executing regulatory requirement. Vendor contracts should be audited to confirm this language is present, enforceable, and that vendors have deletion certifications. Procurement teams should assess whether identity verification vendors operate in jurisdictions with independent biometric data obligations that could conflict with the 90-day schedule. (5) COMPLIANCE CONSIDERATIONS: Consent workflows should be reviewed to ensure that jurisdiction-specific BIPA and CCPA consent requirements are met before biometric collection occurs, rather than relying on a general 'where required by law' standard. A vendor audit should confirm adherence to the 90-day destruction requirement, and deletion certifications should be documented for regulatory defensibility.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data carries heightened legal protection in several states, and the 90-day vendor destruction timeline is a contractual commitment rather than a statutory minimum, meaning enforcement depends on Wealthfront's vendor contracts rather than direct regulatory obligation in all jurisdictions.
Clients must submit a selfie photograph for identity verification, which may be treated as biometric data under laws like Illinois BIPA; this data is held by third-party vendors and is contractually required to be destroyed within 90 days, but consumers have no direct mechanism to request earlier deletion from those vendors.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Wealthfront.