Stripe Identity

Stripe Identity

Stripe Identity is a document-based identity verification service. Scripts load a verification flow that captures government-issued ID images and selfie photos via device camera, transmitting them to Stripe for automated document analysis and liveness detection. Collected biometric data and document details are processed to verify user identity.

Stripe
Part of Stripe
Back to Vendor Library

Overview

Stripe Identity is a document-based identity verification service that enables businesses to verify customer identities through government-issued ID scanning and biometric selfie matching. It is used for KYC (Know Your Customer) compliance, fraud prevention, and age verification. The verification flow loads within an embedded modal or redirect on the merchant's website, collecting sensitive biometric and document data.

What This Script Does

Stripe Identity loads a verification flow through Stripe.js or a dedicated verification session:

  • Document capture — the verification modal requests access to the device camera (or file upload) to capture images of a government-issued ID (passport, driver's license, or national ID card). Both front and back images may be required. The images are transmitted directly to Stripe's servers over an encrypted connection.
  • Selfie capture and liveness detection — a selfie photo or short video is captured to verify that the person presenting the ID is physically present. Stripe's liveness detection algorithms analyze the capture for signs of spoofing (photos of photos, masks, deepfakes).
  • Biometric processing — Stripe extracts facial biometric data from the ID photo and selfie, performing a facial similarity comparison. This biometric data is processed and stored by Stripe according to their biometric data retention policies.
  • Document data extraction — OCR and document analysis extract the name, date of birth, document number, expiration date, and other fields from the ID image. This data is returned to the merchant via API for verification decisions.

The verification flow loads scripts from js.stripe.com and communicates with Stripe's identity verification endpoints. Session tokens authenticate the verification attempt. The flow may set session-scoped cookies to maintain state during the multi-step verification process, but no persistent tracking cookies are set.

Consent & Compliance

Stripe Identity is classified as essential in contexts where identity verification is a legal or regulatory requirement (KYC for financial services, age verification for restricted products). Under GDPR, the processing of biometric data falls under Article 9 (special categories of data) and requires explicit consent under Article 9(2)(a) unless another exemption applies (such as substantial public interest under national law for anti-money laundering compliance).

The ePrivacy Directive does not pose additional cookie consent requirements, as the verification flow uses only session-scoped cookies strictly necessary for completing the verification process the user initiated.

Under CCPA/CPRA, biometric data is explicitly classified as sensitive personal information. The California Privacy Rights Act requires businesses to provide a clear "right to limit" the use of sensitive personal information, and biometric data collection requires a specific disclosure. Illinois BIPA (Biometric Information Privacy Act) imposes additional requirements including written consent before collection and specific data retention and destruction policies.

Despite being classified as essential, the sensitive nature of biometric data means businesses must still provide clear disclosure about the identity verification process before initiating it, even when it is legally required.

Should You Block This Without Consent?

No. When used for legally required identity verification (KYC, age verification), Stripe Identity is essential to the service. Blocking it would prevent compliance with legal obligations. However, the collection of biometric data requires clear disclosure and, in many jurisdictions, explicit consent for the biometric processing specifically — even though the verification service itself is essential. This consent is typically obtained through the verification flow's own disclosure screens rather than through cookie consent banners.

Visit website

Consent Categories

Essential

Also Known As

stripe identitystripe id verificationidentity verification consentbiometric data privacystripe kyc

Industries

Computers Electronics and TechnologyProgramming and Developer Software

Tracked Domains (1)

identity.stripe.comEssential

Frequently Asked Questions

Is consent required for Stripe Identity on my website?

Conditionally. Stripe Identity is essential when identity verification is legally required (KYC, age verification), so no cookie consent banner is needed. However, biometric data collection requires explicit disclosure and, in many jurisdictions, separate written consent — especially under Illinois BIPA and GDPR Article 9.

What does Stripe Identity collect?

Stripe Identity captures government-issued ID images and selfie photos via device camera, transmitting them to Stripe for OCR document analysis and liveness detection. Biometric facial similarity data is extracted and stored by Stripe. Only session-scoped cookies are used during the verification flow — no persistent tracking cookies.

How does ConsentStack manage Stripe Identity consent?

ConsentStack classifies Stripe Identity as essential and does not block it via a consent banner. The service is detected through js.stripe.com script loads and verification session patterns. Biometric disclosure obligations are handled through the verification flow's own screens, not the consent banner.

Other Stripe Products

Stripe Billing
Stripe Billing
Stripe Billing is Stripe's subscription and recurring revenue management module. Scripts embedded in checkout and account pages handle subscription lifecycle events, billing cycles, proration calculations, and payment retry logic. Stores session data and payment method tokens to support subscription management flows.
Stripe Connect
Stripe Connect
Stripe Connect is Stripe's platform payments product enabling marketplaces and SaaS platforms to process payments on behalf of third-party sellers. Scripts manage connected account onboarding flows, payment routing, and split payment configurations. OAuth tokens and account identifiers are stored to facilitate multi-party transactions.
Stripe Radar
Stripe Radar
Stripe Radar is Stripe's machine learning-based fraud detection system. Scripts collect browser signals including device fingerprints, behavioral patterns, and network metadata during payment flows to assess transaction risk. This data is used to score transactions and trigger 3D Secure challenges for suspicious activity.
Stripe Tax
Stripe Tax
Stripe Tax is an automated tax calculation and collection module integrated into Stripe checkout flows. Scripts calculate applicable sales tax, VAT, or GST in real time based on customer location and product type during payment. Tax calculations and jurisdiction data are transmitted to Stripe's servers for compliance reporting.

Related Vendors

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Stripe Identity

ConsentStack automatically detects and manages Stripe Identity trackers so your site stays compliant with global privacy regulations.

Get started free