Onfido privacy notices and consent (US)
To ensure compliance with US laws on biometric data, and to take a privacy-centric approach to protect the rights of end users, Onfido has specific requirements for all customers with end users located in the US. To verify end users in the US, customers must:
- incorporate Onfido privacy notices and consent language into their interface; and,
- submit an API consent parameter which confirms that consent has been granted to collect biometric data
End user privacy consents are valid for 6 months starting from the moment they are provided to or collected by Onfido. After this period, Onfido will require consents to be provided again.
We recommend you read this guide to better understand the requirements for Onfido privacy notices and consent, and how to implement these into your interface to ensure you meet your contractual terms and checks are processed correctly.
You may wish to read our migration guide if you need to update your integration to use the latest consent options.
Note: Starting in Q3 2022, if you have not complied with these requirements, we may be unable to continue to support your identity verification checks. It is therefore imperative that you make the necessary changes.
In order to satisfy Onfido’s requirements for privacy notices and consent, you need to take the following steps:
- explain to your end users that you use a third party, Onfido, to process their identity check;
- present your end users with Onfido consent language before asking the end user to proceed to complete any check powered by Onfido
- ensure that you provide the above URL links to the relevant policies within your application
* You may change the phrasing to be consistent with your user experience, as long as you obtain confirmation that the end user has read, understood and accepted Onfido's policies and terms of service. For example, "By continuing to use this service you confirm that you have read, understand and accept Onfido’s …" or "By clicking ‘accept’ you confirm you have read, understand and accept Onfido’s …"
If you are offering any services provided by Onfido to end users based in the US, you must present your end users with the Onfido consent language and link to the policies and Terms of Service, as described above.
You must include the above requirements for Onfido privacy notices and consent into your interface for end users based in the US. There are 2 implementation options:
- Use the Onfido SDK consent screen
- Build an Onfido privacy notices and consent stage into your own application and submit API consent parameters
The Onfido SDK consent screen is a mandatory screen, where the end user’s acknowledgement of and consent for Onfido’s policies and terms can be collected within the Onfido SDK.
Implementation of the privacy notices and consent language is automatically provided in an SDK screen when you upgrade to at least the following Onfido SDK versions:
The consent screen is only shown in the SDK flow when the end user is located in the US, or when Onfido is unable to determine the end user's location. Onfido uses the end user’s IP address, collected via the SDK, to approximate their location at a city and country level.
The SDK consent screen contains:
- Onfido privacy notices and consent language
- a list of FAQs
The consent screen will be shown to the end user at the beginning of the SDK flow, before they are asked to enter any personal information or upload media. The end user will not be able to continue past the consent screen unless they click the "Accept" button.
Note: You do not need to provide any additional information on the backend. All location and consent requirements are handled by the SDK. If applicant location and consent are collected (using option 2 above) and provided to Onfido before the user begins the SDK flow, the Onfido consent screen will not be shown.
Build an Onfido privacy notices and consent stage into your own application and submit API consent parameters
If you are an API only customer, before creating checks with Onfido for end users located in the US, you must:
- include Onfido privacy notices and consent language, with links to Onfido's policies and terms, including Onfido’s Facial Scan Policy and Release, into your own application before requesting end users to provide any personal information or upload media; AND,
- submit the necessary API consent parameters
You can choose to include Onfido privacy notices and consent language and links on a new screen or on the screen where you collect consent for your own entity from end users. There needs to be some affirmative action by the end user, after they have been shown Onfido’s privacy notices and consent language, but you do not have to present a separate check box for consent.
Onfido has introduced the following API consent parameters to API v3.4 to submit the location and the consent status of your end users, before creating a check.
Location is a mandatory parameter for all end users. The current location of an end user determines the necessary consent required in order to process a verification. As a result, it is now mandatory to specify the location of each applicant before creating a check with Onfido.
You can include location as part of your API request when creating an applicant, updating an applicant or uploading a document. You should provide the IP address and the country of residence of the applicant.
location: The location of the applicant.
You must provide location information for all applicants. If you do not, all checks will fail with a validation error.
consents is a mandatory parameter for any end user located in the US.
If the location of the end user is the US, then you must also provide consent information confirming that the end user has viewed and accepted Onfido’s privacy notices and terms of service. You can include consents as part of your API request when creating or updating an applicant who is located in the US.
granted: Indicates whether consent has been given by the applicant.
You should provide "granted": true if:
- the user is resident in the US, where this has been verified by providing the IP address and country of residence of the user; AND,
- the end user has viewed and accepted the Onfido privacy notices and consent language
If the consents parameter is set to false, or not provided at all, check creation requests will fail with a validation error.
Note: Checks will fail if you do not provide location information and, where the location is the US, confirm that each applicant has granted consent after reading Onfido's privacy notices and consent language.
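The rules above can be applied locally before an applicant is sent to the API. The following pre-flight check is an added example, not Onfido's code. The nested field names "ip_address", "country_of_residence" and "name", the consent name "privacy_notices_read", the "USA" country code, and the caller-recorded consent timestamp are assumptions not shown on this page.

```python
from datetime import datetime, timezone

CONSENT_NAME = "privacy_notices_read"  # assumed consent identifier
US = "USA"                             # assumed ISO 3166-1 alpha-3 country code
VALID_MONTHS = 6                       # consent validity period stated in this guide


def consent_expiry(collected_at):
    """Return the moment a consent collected at `collected_at` stops being valid."""
    month_index = collected_at.month - 1 + VALID_MONTHS
    year = collected_at.year + month_index // 12
    month = month_index % 12 + 1
    # Clamp the day for short months (31 Aug + 6 months -> 28/29 Feb).
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return collected_at.replace(year=year, month=month,
                                day=min(collected_at.day, days[month - 1]))


def preflight_errors(applicant, consent_collected_at, now):
    """List the reasons this applicant payload should not be submitted yet."""
    errors = []
    location = applicant.get("location") or {}
    if not location.get("ip_address") or not location.get("country_of_residence"):
        errors.append("location missing or incomplete: required for every applicant")
    if location.get("country_of_residence") != US:
        return errors  # consents are only mandatory for US end users
    granted = any(c.get("name") == CONSENT_NAME and c.get("granted") is True
                  for c in applicant.get("consents") or [])
    if not granted:
        errors.append("consents missing or not granted: required for US applicants")
    elif consent_collected_at is None or now >= consent_expiry(consent_collected_at):
        errors.append("consent older than 6 months: collect it again")
    return errors


# Constructed sample payloads (IP addresses are from a documentation range).
US_APPLICANT = {
    "first_name": "Jane", "last_name": "Doe",
    "location": {"ip_address": "203.0.113.7", "country_of_residence": US},
    "consents": [{"name": CONSENT_NAME, "granted": True}],
}
US_NO_CONSENT = {**US_APPLICANT, "consents": [{"name": CONSENT_NAME, "granted": False}]}
NO_LOCATION = {"first_name": "Jane", "last_name": "Doe"}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for payload in (US_APPLICANT, US_NO_CONSENT, NO_LOCATION):
        print(preflight_errors(payload, now, now))
```

Store the timestamp of the end user's affirmative action alongside the applicant record so the 6-month window can be checked on every later check creation.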
If you have any questions, please contact our Client Support team.