It appears that after Facial Recognition Verification with a Selfie the data may NOT get instantly deleted

Many moons ago we were informed by one Ed Snowden, that the way intelligence agencies can get around the rules of gathering data on citizens was through bilateral agreements with strategic partners. Canada, for example, gathers intel on US citizens where our own government cannot (at least they are not supposed to), and vice versa. Then the info is accessed as needed. Well it seems that it is fairly similar with online ID and selfie verification, let me explain.

Whether you are a new or existing user of an online service, eventually the request may come to provide ID verification by scanning a credential and taking a selfie. Along with the request, you may see a message saying that your data is encrypted and will only be used for this purpose. Usually it will be Jumio, Persona or Onfido.

Well, if you decide to actually read their privacy policy, there are degrees of separation between the online service itself, the verification provider and their 3rd party affiliates that make all the difference. Each one abides by their own set of rules.

As an example, 3 years ago I posted here that after making a few sales of household junk on Mercari, they withheld funds until a selfie was uploaded. I read the privacy policy and their ID verifier, Jumio (a UK company), will store this info for 3 years and have complete ownership and discretion of the data. Additionally, the words "Google Analytics" pop up many times. Needless to say, no selfie and no more selling. Furthermore, since the data is transferred to the UK, my data would no longer be protected under any US privacy laws (pretty much non-existent anyway).

So this weekend, wifey decided to start uncluttering and selling some of her things like jewelry and decorations on Etsy. Right from the start to open an account an ID and selfie were required with Persona being the biometric data verifier. So I got to reading and I found some interesting facts.

Etsy holds true that they do NOT store your data and their privacy policy is fairly straightforward. Frankly, they have no reason to as once you are verified they have complied with their compliance and fraud prevention policies. However, Persona's privacy policy is quite revealing and states:

“Persona’s third party vendors may have access to the Scan Data to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored. Persona will permanently destroy Scan Data upon completion of Verification or within six months of your last interaction with Persona, unless Persona is otherwise required by law or legal process to retain the data.”

Even if I want to believe that Persona will “permanently destroy Scan Data upon completion of Verification”, it is during that process that data is backed-up, shared, and transferred. They are basically stating that they are giving access to these third parties for a number of reasons.

The next paragraph states:

"Persona may engage the third-party entities listed in the table below to process Customer Personal Data in connection with the provision of Persona Services."

So we must assume that our “selfie” has gone from Etsy to Persona to all of the following companies.

Here is the list of 3rd parties...

• Anthropic
• AWS
• Confluent
• DBT
• Elasticsearch Inc.
• FingerprintJS
• Google Cloud Platform
• Groqcloud
• MongoDB
• OpenAI
• Resistant AI
• Sigma Computing
• Snowflake
• Stripe
• Twilio
• Persona Identities Canada Inc.

This last one caught my eye. “Persona Identities Canada”. Seems very similar to the Jumio offshore setup I experienced with Mercari. There are no global or international privacy laws that I know of, so basically once your data goes offshore then no rules apply anymore.

Please correct me if I’m wrong folks, I so want to be wrong on this.

Edit: Clearly this is not intended for those who are fully aware of the subject, but for those whom every day seem to post questions or concerns with regards to age verification practices and privacy. Seems to be the topic of the day. Hopefully this sheds some light to some folks.