As of July 8, 2026, Anthropic has the legal authority to require consumer Claude users to hand over a government ID, take a live selfie, and submit to facial geometry scanning before accessing certain platform features. If your team uses Claude through the API, Team plan, or Enterprise plan, none of this affects you directly. If employees are using personal Claude Pro or Max subscriptions for work, it is worth understanding what data those accounts may now be asked to produce.
TL;DR: Anthropic's updated privacy policy (effective July 8) allows it to collect government IDs, live selfies, and facial geometry templates from Free, Pro, and Max consumer users through third-party vendor Persona Identities. API, Team, and Enterprise plans are fully exempt. The policy does not specify a data retention period for biometric verification data, which legal experts flag as a BIPA compliance gap. For teams, the governance question is whether employees accessing Claude for work are doing so through corporate-controlled accounts or personal consumer subscriptions.
What the policy change actually says
Anthropic updated its privacy policy around June 8, 2026, with an effective date of July 8. The change authorizes the collection of identity verification data from consumer subscribers under certain unspecified circumstances.
The data Anthropic can now collect includes an image of a government-issued identity document and all personal information printed on it, including name, date of birth, and ID number. It also includes a photo or video of the user's face, and what the policy calls "facial geometry templates," which Anthropic itself acknowledges "may be considered biometric data in some jurisdictions."
This is not routine account verification. Facial geometry templates are biometric identifiers, mathematically derived representations of your face that can persist as a reference point across future comparisons. Anthropic's policy does not specify when these are required, how long they are retained, or what happens to them if a user closes their account.
The checks have been running in limited form since April 14, 2026, when Anthropic quietly launched biometric ID verification for what it described as certain use cases through Persona Identities, a third-party identity verification vendor.
Who is exempt and who is not
The scope of the policy is narrower than it first appears.
Not covered: Claude API users, Claude for Work (Team plan) users, and Claude Enterprise users. These plans authenticate through API keys or enterprise SSO, not through the consumer account system. API calls to api.anthropic.com are not affected. Production pipelines, CI/CD systems, and developer integrations are not affected.
Covered: Claude Free, Claude Pro, and Claude Max consumer subscribers. These are the personal accounts accessed through claude.ai. Verification requests are not triggered for every user; the policy authorizes them for certain capabilities without specifying which ones.
The distinction matters because many individuals access Claude through consumer accounts for convenience, even in work contexts. An employee who subscribes to Claude Pro personally and uses it for work-related tasks is not on a corporate-managed plan, and their account is within the policy scope.
The BIPA problem with no retention period
Illinois' Biometric Information Privacy Act is the most stringent biometric data law in the United States. It classifies facial geometry as biometric data, requires written consent before collection, mandates publication of a retention schedule and destruction date, and prohibits selling or profiting from biometric data. Violations carry penalties of $1,000 per negligent violation and $5,000 per intentional or reckless violation.
Anthropic's current policy does not specify a data retention period for verification data. Legal experts have cited this as a potential BIPA gap. If Anthropic collects facial geometry from an Illinois user without specifying how long that data is kept or when it will be destroyed, that collection may not satisfy BIPA's written policy requirement, regardless of whether the user consented to the terms of service.
The data itself is held by Persona Identities, not stored on Anthropic's own systems. Anthropic can access verification records through Persona's platform when needed, but says it does not copy or store the biometric images. Whether a third-party arrangement satisfies BIPA's collection and handling requirements for the disclosing party is a question that has not been settled for this specific configuration.
What this means for teams using Claude
The shadow AI account problem
Teams that have moved to Claude for Work or Enterprise plans have clear governance: the team's AI usage runs through corporate-controlled accounts, the data processing agreement covers how Anthropic handles company information, and employees are not using personal consumer accounts for work tasks.
Many teams have not fully made this transition. In practice, employees often use personal Claude Pro accounts alongside or instead of corporate tools, particularly when the corporate account lacks features they want or when they set up their own subscription before the company standardized. These personal accounts are now within the scope of Anthropic's identity verification policy.
This creates a visibility gap. A team that has done a thorough vendor risk review of Claude through its corporate API access may not have considered that some fraction of Claude-related work actually runs through employee personal accounts that are governed by entirely different terms.
What the biometric collection means for work data
The concern here is not primarily about the ID check itself. It is about the relationship between biometric verification and the data that verification enables. If an employee submits facial geometry data to Persona Identities in order to access a capability, and uses that capability for work, the connection between their biometric identity and their work-related conversations is now in a third-party verification system.
This is not necessarily a crisis, but it is a data governance fact that should be visible to teams with compliance obligations under GDPR, HIPAA, or state privacy laws.
The audit step that most teams have not done
Ask which members of your team regularly use Claude for work. For each, determine whether they are accessing Claude through:
- A corporate Claude for Work or Enterprise account (governed by your DPA, outside biometric scope)
- A personal Claude Free/Pro/Max account (within biometric policy scope, no corporate DPA)
- The API directly (fully exempt)
If a meaningful fraction of work-related Claude use runs through personal consumer accounts, the governance response is straightforward: provision corporate accounts and provide guidance about using them for work tasks. This also improves your visibility into how Claude is being used, what data is being submitted, and what your contractual protections are.
The vendor trust dimension
The Anthropic biometric ID policy is a specific instance of a broader pattern in AI vendor governance: the terms under which employees interact with AI tools can change, and those changes can affect the data footprint of work-related AI use in ways that are not visible to the team.
Flock Safety's data sharing defaults affected municipalities that had signed contracts but had not read the fine print on enabled features. Anthropic's biometric policy affects consumer users who agreed to terms of service without necessarily tracking quarterly policy updates. In both cases, the gap between what the vendor was authorized to do and what the team expected is where the governance problem lives.
The mitigation is the same in both cases: audit what accounts your team actually uses, confirm those accounts are on plans with appropriate contractual protections, and track vendor policy changes that affect the data handling terms you are operating under.
Teams using Claude through API or Enterprise accounts have no biometric exposure from this policy change. Teams where employees use personal consumer accounts for work need to understand that those accounts are now on terms that include potential facial geometry collection, with no specified retention period.
Related Reading
- AI Vendor Due Diligence Checklist 2026
- Flock Safety: When Your AI Vendor's Default Settings Share Your Data
- GenAI Vendor Risk Assessment Framework 2026
- Vetting AI Tools: What the Fake Malware Cases Teach Us
- AI Data Privacy for Small Teams: GDPR and CCPA Guide
- China's AI Companion Law Takes Effect July 15: What It Requires
Sources: TechTimes, "Claude Identity Verification Starts July 8", The Next Web, "Anthropic's new privacy policy collects biometric data from flagged Claude users", State of Surveillance, "Anthropic's Claude ID Plan Crossed 500 Points", byteiota, "Claude Biometric Checks Hit July 8: API Users Are Exempt", TechCrunch, "Anthropic says Claude may want to see your ID".
