Do I need to disclose Persona in my privacy policy?

Yes. Persona processes sensitive personal data including government IDs, biometric information, and SSN data, making disclosure legally required under GDPR, CCPA, BIPA, and other privacy regulations. Your policy must identify Persona as a data processor and explain why you collect this data. Users have a right to know their biometric data is being collected and shared with a third party.

What specific data does Persona collect?

Persona collects government ID document images, facial biometric data for liveness verification, Social Security Numbers or tax IDs (when configured), address and phone number verification data, and results from watchlist and sanctions screening. All data is encrypted using AES-256 encryption during transmission and storage.

Does Persona require a cookie consent banner?

No. Persona does not use cookies. However, you still need explicit user consent before collecting the biometric and identity data Persona processes, as this data is sensitive and regulated separately from cookie consent—particularly under BIPA and GDPR Article 9.

Who is the data processor and where is data transferred?

Persona Identities Inc., a United States-based company, processes all data. Under GDPR, data transfers to the US require an appropriate legal mechanism such as Standard Contractual Clauses. Persona maintains SOC 2 Type II certification and complies with AML/KYC regulatory requirements. Review their privacy policy at https://withpersona.com/legal/privacy-policy for complete processor details.

Identity Verification

Privacy policy clauses for Persona

Persona is an identity verification platform that uses government-issued ID documents, facial recognition, and biometric analysis to confirm user identity and conduct Know Your Customer (KYC) compliance checks. Websites integrate Persona to prevent fraud, meet regulatory requirements, and verify user authenticity during onboarding.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Persona collects

Your privacy policy must disclose each of the following data types when you use Persona.

Government ID document images

Facial biometric data

SSN or tax ID (when configured)

Address and phone verification

Watchlist and sanctions screening results

When does Persona trigger privacy obligations?

Data flows that trigger obligations

Persona collection begins the moment its SDK or API is invoked on your site or app. Persona immediately captures:

–Government ID images (front/back scans or live photos)
–

Common compliance pitfalls

1. Omitting biometric disclosure in privacy notices

The mistake: Many operators add Persona without updating their privacy policy to explicitly name facial biometric collection, retention periods, or deletion rights. They rely on generic "identity verification" language.

Why it happens with Persona: Persona's biometric data (liveness selfies, face matching) is not immediately obvious to non-technical founders—they focus on the ID document upload. But GDPR Articles 13–14, CCPA Section 1798.100, and BIPA Section 15 all require *specific* disclosure of biometric collection before or at the point of collection.

Consequence: GDPR DPAs can issue substantial fines (Article 83); CCPA/CPRA violations carry statutory damages ($100–$750/consumer/incident). Illinois regulators have pursued enforcement for BIPA violations without explicit consent. Regulators also treat vague notices as bad-faith indicators in larger investigations.

2. Missing or outdated Data Processing Agreement

The mistake: Operators deploy Persona without executing a written DPA or fail to update an existing DPA when workflows change (e.g., adding SSN collection, expanding to new jurisdictions).

Why it happens with Persona: Persona is a SaaS point-and-click integration; founders assume "privacy terms are covered" by Persona's standard terms. But GDPR Article 28 mandates a *specific, written* contract governing processor obligations, subprocessor authorization, data subject rights support, deletion/return timelines, and audit rights—Persona's privacy policy alone does not constitute a DPA.

Consequence: GDPR non-compliance (no contractual safeguards) exposes you to supervisory authority action and can void your lawful basis defense. Processors can also refuse to process without a DPA in place.

3. Collecting biometric/SSN data without jurisdiction-specific consent

The mistake: Operators deploy Persona globally or in high-regulation jurisdictions (EU, California, Illinois) without configuring separate consent flows. They treat consent as binary (yes/no) rather than layered by data type.

Why it happens with Persona: Persona's UI is streamlined for KYC speed; it doesn't prompt differently for biometric vs. ID document vs. SSN. Founders assume "consent to verify identity" covers all three, but BIPA requires explicit consent *for biometric collection specifically*, GDPR Article 9 requires explicit consent or a lawful Article 9(2) derogation, and CCPA requires separate notice of SSN collection as a sensitive category.

Consequence: Regulators flag consent failures as structural non-compliance. BIPA cases have resulted in class-action settlements (e.g., Clearview AI). GDPR fines scale up when consent is absent for special-category data. CCPA enforcement prioritizes SSN collection without compliant disclosures.

What regulators look for

Enforcement priorities

Biometric data regulators (BIPA, GDPR ICOs, CPRA): The first red flag is absence of explicit, *informed* consent specifically mentioning facial biometric collection. Regulators examine:

–Whether users were told face data would be captured, matched, and retained
–Deletion/retention timelines (BIPA requires deletion when purpose expires; GDPR mandates retention limits; California requires opt-out for sale/sharing)
–Whether consent was bundled with other consents (not permitted under BIPA; disfavored under GDPR)

Recent BIPA enforcement (e.g., against social media and ID-verification platforms) has focused on lack of disclosure and inability to verify deletion.

Data Protection Authorities (GDPR): Audits of Persona deployments typically start with:

1. DPA execution — Is there a written Data Processing Agreement? Are subprocessor terms documented? (Persona may use subprocessors for background checks, watchlists)

2. Article 9 lawful basis — What derogation was used (e.g., Article 9(2)(c) legal obligation, Article 9(2)(h) vital interests)? Is it documented?

3. Data minimization — Is SSN collection necessary, or is ID document + address sufficient? (GDPR Article 5(1)(c))

4. Retention and deletion — Are biometric images deleted after verification, or retained? (Many audits find indefinite retention in violation of Article 5(1)(e))

CCPA/CPRA enforcement (California Attorney General, private right of action): Focus areas:

–Was SSN collection disclosed as a CPRA "sensitive personal information" category (California Civil Code § 1798.140(ae))?
–Was biometric data deletion implemented? (CPRA Section 1798.105)
–Are third-party watchlist/sanctions results disclosed as data shared with unaffiliated entities? (CCPA Section 1798.115)

Red flag pattern: Regulators escalate scrutiny when they find Persona deployed to process high-risk data (minors, financial fraud subjects, undocumented persons) without documented DPA, jurisdiction-specific consent, or retention controls.

Privacy policy clauses for Persona

What data Persona collects

When does Persona trigger privacy obligations?

Data flows that trigger obligations

Regulatory triggers

First concrete step

Where data goes