Onfido US Biometric Privacy Laws notices and consent (US)
Start here
US state biometric privacy laws, including but not limited to Section 14 of Title 740 of the Illinois Compiled Statutes (BIPA), Chapter 503 of Title 11 of the Texas Business and Commerce Code (CUBI), and Chapter 19.375 of Title 19 of the Revised Code of Washington (“US Biometric Privacy Laws”), may regulate the collection and use of biometric identifiers, biometric information, or biometric data (“Biometric Data”).
Onfido has built its products with privacy at their centre and with mandatory US biometric controls requiring customers with end users located in the US at the time Onfido processes a Document, Facial Similarity or Known Faces check to:
- incorporate Onfido US Biometric Privacy Laws notices and consent language into their interface; and,
- submit an API US Biometric Privacy Laws consent parameter which confirms that consent has been granted to collect biometric data
End user US Biometric Privacy Laws consents are valid for 6 months starting from the moment they are provided to or collected by Onfido. After this period, Onfido will require US Biometric Privacy Laws consents to be provided again.
We recommend you read this guide to better understand the requirements for Onfido US Biometric Privacy Laws notices and consent, and how to implement these into your interface to ensure you meet your contractual terms and Document, Facial Similarity and Known Faces checks are processed correctly.
Customers remain responsible for complying with US Biometric Privacy Laws and other applicable privacy laws, including any requirements to collect consent or give notice under laws such as GDPR, or US State Privacy laws. This guide is intended as guidance only and does not constitute legal advice. Clients should seek their own legal advice if using Onfido’s products in the US.
You can read our migration guide if you need to update your integration to use the latest US Biometric Privacy Laws consent options.
Note: If you have not complied with these requirements, we may be unable to continue to support your identity verification checks. It is therefore imperative that you make the necessary changes.
Requirements for Onfido US Biometric Privacy Laws notices and consent
In order to satisfy Onfido’s requirements for US Biometric Privacy Laws notices and consent, you must:
- explain to your US end users that you use a third party, Onfido, to process their identity check and Biometric Data, which may include scans of face geometry and voiceprints depending on the Onfido check(s);
- present your US end users with Onfido US Biometric Privacy Laws consent language before asking the end user to proceed to complete any Document, Facial Similarity or Known Faces check powered by Onfido:
  “By clicking “Accept,” you agree you have: (1) read, understand, and accept Onfido Facial Scan & Voice Recording Policy (Policy) and Terms of Service, (2) grant consent to Onfido, the Customer and the service providers listed below to process your Biometric Data and other Personal Data for the purposes described in the Policy.” *; and,
- ensure that you provide the above URL links to the relevant policies within your application.
* You may change the phrasing to be consistent with your user experience, as long as you obtain confirmation that the end user has read, understood and accepted Onfido's Facial Scan & Voice Recording Policy (Policy) and Terms of Service.
If you are offering any Document, Facial Similarity or Known Faces checks provided by Onfido to end users based in the US, you must present your end users with the Onfido US Biometric Privacy Laws consent language and link to the Facial Scan & Voice Recording Policy and Terms of Service, as described above.
How to implement Onfido US Biometric Privacy Laws notices and consent
You must include the above requirements for Onfido US Biometric Privacy Laws notices and consent into your interface for end users based in the US. There are 2 implementation options:
- Use the Onfido SDK US Biometric Privacy Laws consent screen
- Build an Onfido US Biometric Privacy Laws notices and consent stage into your own application and submit API consent parameters
1. Use the Onfido SDK consent screen
The Onfido SDK consent screen is a mandatory screen for US end users. US end users must accept Onfido’s Facial Scan & Voice Recording Policy and Terms of Service and consent to the processing of their Biometric Data collected within the Onfido SDK.
Implementation of the US Biometric Privacy Laws notices and consent language is automatically provided in an SDK screen when you use at least the following Onfido SDK versions:
The US Biometric Privacy Laws consent screen is only shown in the SDK flow when the end user is located in the US, or when Onfido is unable to determine the end user's location. Onfido uses the end user’s IP address, collected via the SDK, to approximate their location at a city and country level.
The SDK US Biometric Privacy Laws consent screen contains:
- The information required by US Biometric Privacy laws including describing:
- the capture and processing of Biometric Data by Onfido on behalf of customer,
- the purposes for which the Biometric Data are collected,
- other matters required by US Biometric Privacy Laws, including storage, retention periods, resale, and disclosure to third party service providers including Onfido’s cloud storage provider AWS and Microsoft Ireland Operations Limited (which provides Cloud Storage Services) and/or whose technology is used to convert a voice recording into written text.
- An acknowledgement and consent statement. US users are unable to proceed unless they explicitly confirm their consent
- Links to the full text of Onfido’s Facial Scan & Voice Recording Policy and Terms of Service (the latter contains a non-severable class action waiver)
The US Biometric Privacy Laws consent screen will be shown to US end users at the beginning of the SDK flow, before they are asked to enter any personal information or upload media. The end user will not be able to continue past the consent screen unless they click the "Accept" button.
Note: You do not need to provide any additional information on the backend. If applicant location and US Biometric Privacy Laws consent is collected (using option 2 above) and the API consent parameter is provided to Onfido before the user begins the SDK flow, the Onfido US Biometric Privacy Laws consent screen will not be shown.
2. Build an Onfido US Biometric Privacy Laws notices and consent stage into your own application and submit API consent parameters
If you are an API only customer, before creating checks with Onfido for end users located in the US, you must:
- Present end users with an appropriate policy document which meets the requirements of US Biometric Privacy Laws before requesting end users to provide or capture an image or video of their face and/or an image/video of their identity document, and in particular describes:
  - the capture and processing of Biometric Data, as applicable for each Onfido Service; the purposes for which the Biometric Data are collected as described in Onfido’s Facial Scan & Voice Recording Policy;
  - the use of third party identity verification service provider(s) to perform this service on the customer’s behalf;
  - other matters required by US Biometric Privacy Laws, including as to storage, retention periods, resale, and disclosure to service providers including Onfido’s cloud storage provider AWS and Microsoft Ireland Operations Limited (which provides Cloud Storage Services) and/or whose technology is used to convert a voice recording into written text.
  Customers can link to Onfido's Facial Scan & Voice Recording Policy in describing how Onfido processes Biometric Data.
- Obtain consent from US end users to the processing of their Biometric Data by Onfido for the purposes of performing identity verification (as described in more detail in the Client’s linked policies / terms and conditions / legal agreements which are presented to the User), before any Biometric Data information is captured or uploaded to Onfido. US users should be unable to proceed unless they explicitly provide their consent.
- Ensure that all disputes with US end users regarding the provision of the service are pursued through individual proceedings in US federal or state courts. To achieve this, customers can link to Onfido’s Terms of Service, which includes a non-severable waiver, or incorporate such a clause in their terms and conditions with US end users. The waiver should expressly name Onfido, and confirm that the User shall not sue Onfido as a class plaintiff or class representative, join as a class member, or participate as an adverse party in any way in a class action lawsuit against Onfido. Clients must obtain US User acceptance of the terms and conditions.
- Implement the following API consent parameters in respect of use of the Services in the United States:
  - API location parameter: `location`
  - API US Biometric Privacy Laws consent parameter: `consents`
Your application
You can choose to include Onfido US Biometric Privacy Laws notices and consent language and links on a new screen or on the screen where you collect consent for your own entity from end users. There needs to be some affirmative action by the end user, after they have been shown Onfido’s privacy notices and consent language, but you do not have to present a separate check box for consent.
Customers remain responsible for complying with US Biometric Privacy Laws and other applicable privacy laws, including any requirements to collect consent or give notice under laws such as GDPR, or US State Privacy laws.
API parameters
Onfido has introduced the following API US Biometric Privacy Laws consent parameters to API v3.4 (and later) to submit the location and the US Biometric Privacy Laws consent status of your end users, before creating a check.
Location
`location` is a mandatory parameter for all end users. The current location of an end user determines whether the US Biometric Privacy Laws consent is required in order to process a Document, Facial Similarity or Known Faces check. As a result, it is now mandatory to specify the location of each applicant before creating a check with Onfido.
You can include `location` as part of your API request when creating an applicant, updating an applicant or uploading a document. You should provide the IP address and the country of residence of the applicant.
| Parameter | Description |
|---|---|
| `location` | The location of the applicant. |
You must provide location information for all applicants. If you do not, all checks will fail with a validation error.
US Biometric Privacy Laws Consents
`consents` is a mandatory parameter for any end user located in the US.
If the location of the end user is the US, then you must also provide US Biometric Privacy Laws consent information confirming that the end user has viewed and accepted Onfido’s Facial Scan & Voice Recording Policy and Terms of Service. You can include `consents` as part of your API request when creating or updating an applicant who is located in the US.
| Parameter | Description |
|---|---|
| `consents` | Indicates whether consent has been given by the applicant. |
You should provide `privacy_notices_read` as `"granted": true` if:
- the user is resident in the US, where this has been verified by providing the IP address and country of residence of the user; AND,
- the end user has viewed and accepted Onfido's Facial Scan & Voice Recording Policy and Terms of Service.
If the US Biometric Privacy Laws consent parameter is set to `false`, or not provided at all, Document, Facial Similarity or Known Faces check creation requests will fail with a validation error.
Note: Document, Facial Similarity or Known Faces checks will fail if you do not provide location information and, where the location is the US, confirm that each applicant has granted US Biometric Privacy Laws consent after reading Onfido's Facial Scan & Voice Recording Policy and Terms of Service.
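The rules in the API parameters section (location mandatory for everyone; `privacy_notices_read` granted for US end users before a Document, Facial Similarity or Known Faces check; consent valid for 6 months) can be enforced client-side before a check request is sent. The following is an added example, not Onfido's own code: it builds the applicant payload fragment and runs a pre-flight validation that mirrors the page's rules. The JSON key names `ip_address` and `country_of_residence` and the three-letter country code are assumed from Onfido's public API reference, not from this page, and the check-type names are constructed shorthand.

```python
import calendar
from datetime import datetime, timezone

# Constructed shorthand for the check types the page says require US consent.
BIOMETRIC_CHECKS = {"document", "facial_similarity", "known_faces"}


def build_applicant_payload(ip_address, country_of_residence, consent_granted=None):
    """Build the location/consents part of an applicant create or update request.

    Key names (ip_address, country_of_residence, privacy_notices_read) follow
    Onfido's public API reference; treat them as an assumption of this example.
    """
    payload = {"location": {"ip_address": ip_address,
                            "country_of_residence": country_of_residence}}
    if consent_granted is not None:
        payload["consents"] = [{"name": "privacy_notices_read", "granted": consent_granted}]
    return payload


def consent_expired(granted_at, now):
    """True once six calendar months have passed since the consent was given."""
    month_index = granted_at.month - 1 + 6
    year, month = granted_at.year + month_index // 12, month_index % 12 + 1
    day = min(granted_at.day, calendar.monthrange(year, month)[1])  # clamp e.g. 31st
    return now >= granted_at.replace(year=year, month=month, day=day)


def preflight(payload, check_names, consent_granted_at=None, now=None):
    """Return the validation problems a check request would hit; [] means OK.

    Simplification (assumption): the applicant counts as US-located when
    country_of_residence is "USA"; the page says the IP address is used as well.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    loc = payload.get("location") or {}
    if not loc.get("ip_address") or not loc.get("country_of_residence"):
        return ["location is mandatory for every applicant; the check would fail validation"]
    if loc["country_of_residence"] != "USA" or not BIOMETRIC_CHECKS & set(check_names):
        return problems  # consent only gates biometric checks for US end users
    consents = {c["name"]: c.get("granted") for c in payload.get("consents", [])}
    if consents.get("privacy_notices_read") is not True:
        problems.append("US end user: consents must carry privacy_notices_read granted=true")
    elif consent_granted_at is None or consent_expired(consent_granted_at, now):
        problems.append("US consent has no timestamp or is older than 6 months; collect it again")
    return problems
```

Store the timestamp at which the end user accepted the notices alongside the applicant record, so the 6-month re-consent rule can be applied on every later check rather than only at onboarding.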
If you have any questions, please contact our Client Support team.