When you upload a photo of your child to an AI story app, you probably expect a cute illustration back. What you actually hand over is something the legal system classifies as biometric data — a category with special protections under US, EU, and UK law because, unlike a password, you cannot change your child's face if it's stolen.
This post covers what actually happens to that photo, what the law says about it, and why MintMyStory was built specifically to avoid this problem.
What Is Biometric Data, and Why Does It Matter for Children?
The US state of Illinois defines biometric identifiers in the Biometric Information Privacy Act (BIPA) as "retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry." When an AI app scans your child's photo to extract facial features, it is generating exactly this: a scan of face geometry.
In the EU, GDPR Article 9 categorizes biometric data as a "special category" of personal data — the same tier as medical records, genetic information, and political opinions. Processing it on a child requires explicit parental consent plus a documented legitimate interest or contractual necessity.
The critical point: most AI story apps do not clearly disclose that they are generating biometric data from your child's photo. Their privacy policies may say "we don't store your photos permanently" — but by the time the photo is processed, the biometric template has already been generated, even if the source image is deleted.
What Happens to the Photo After You Upload It
Here is the typical processing pipeline for a photo-based AI story generator:
Step 1 — Facial landmark detection. The app's model identifies 68+ facial landmarks (eyes, nose tip, jaw points, cheekbones). This creates a mathematical "faceprint."
Step 2 — Embedding generation. The faceprint is converted into a high-dimensional numerical vector — a string of numbers that uniquely identifies that face. This is stored, at minimum temporarily, on the app's servers.
Step 3 — ControlNet or LoRA conditioning. The vector is used to condition an image generation model. The output illustration "looks like" your child because the model is actively referencing that embedded vector during generation.
Step 4 — Training data risk. Many platforms — particularly early-stage startups — include user-uploaded images in their model fine-tuning datasets. This is almost never disclosed clearly. Your child's face may become a training signal for a model that serves thousands of other users.
Step 5 — Third-party processing. Unless the app runs its own local models (very rare), the image is sent to a third-party API (often a cloud ML provider). Each handoff introduces another set of data retention terms.
What the Law Actually Requires
In the United States
COPPA (Children's Online Privacy Protection Act) prohibits apps from collecting personal information from children under 13 without verifiable parental consent. The FTC has taken an expansive view of "personal information" that would cover facial geometry data. However, enforcement has been uneven, and many small apps rely on the fact that regulators cannot audit every small startup.
BIPA (Illinois) is the strongest state biometric law. It requires:
- Written notice that biometric data is being collected
- Written release from the subject (or parent/guardian for minors)
- A publicly available data retention schedule
- Prohibition on selling or profiting from biometric data
Texas and Washington have similar statutes. California's CPRA includes biometric data under its sensitive personal information provisions, giving consumers the right to opt out of its processing.
Practically: if an app is collecting your child's facial geometry without a clearly disclosed consent flow, it is likely violating at least one US state law — and you have legal recourse.
In the European Union and UK
GDPR Article 8 sets the age of digital consent at 16 (member states may lower this to 13). For children below this threshold, a parent or guardian must provide consent.
GDPR Article 9 (special categories) means that generating biometric data from a photo requires explicit consent — opt-in, not opt-out. Pre-ticked boxes don't count. A terms-of-service that says "by using this app you agree to X" doesn't count.
The UK Children's Code (Age Appropriate Design Code) goes further: it requires that apps take into account "the best interests of the child" and applies a high standard to any data processing involving under-18s.
Practical reality: Most photo-based AI story apps were not designed with a GDPR Article 9 compliance workflow for children. They are technically out of compliance in the EU.
The "We Delete Your Photo" Reassurance — What It Actually Means
Several apps say something like: "We delete your photo after processing — we don't store your images."
This is designed to sound reassuring. Here is what it does and doesn't mean:
What it means: The source JPEG or PNG is removed from their storage after the embedding is generated.
What it doesn't mean: The biometric embedding generated from that photo is deleted. The embedding is what carries your child's likeness — and it is typically retained as part of the generated story asset.
What it definitely doesn't mean: That the photo wasn't used in model training before deletion. Training datasets are assembled from historical user uploads; a photo can be used to fine-tune a model and then deleted from user-facing storage simultaneously.
The honest version of this statement would be: "We delete the original image file after extracting the biometric features we need."
The Real-World Risk: Why This Matters More for Children
Adults can take steps to mitigate digital privacy harm — monitoring for identity fraud, contesting data broker listings, requesting deletion under CCPA/GDPR. Children cannot do any of this.
More importantly, children are building long-duration biometric exposure. A photo uploaded to an AI app at age 5 creates a biometric record at an age when that child has a 75-year life ahead. If that record is breached, sold, or used in training data for a system that will exist in 2060, the child cannot be made whole.
We are not talking about hypothetical risks. In 2021, the FTC fined a children's app company $150 million for COPPA violations related to collecting facial geometry data without consent. In 2022, researchers demonstrated that biometric embeddings from consumer AI apps could be used to reconstruct approximate face images without the original photo. The attack vector exists.
Why MintMyStory Doesn't Use Photo Uploads
This is not a marketing decision. It was a core architectural choice made before a single line of production code was written.
The problem we were solving — character consistency — is the reason most AI story apps require photos. If you want the hero to look like your child across 15 illustrated pages, you need some form of identity lock.
Our solution is what we call Character Anchoring: a text-to-identity process where you describe your child's appearance in words, and our system generates a visual "anchor" — a seed identity derived entirely from text. No facial geometry is extracted. No biometric data is generated. No photo is processed.
The anchor produces an illustrated character who is visually consistent across every page of the story. The character looks like your child not because it has their facial data, but because you've described them specifically: "a 7-year-old girl with long braids, a gap between her front teeth, and a purple jacket she never takes off."
This approach:
- Generates zero biometric data
- Requires no photo upload or storage
- Is fully COPPA and GDPR compliant without a complex consent workflow
- Cannot be reverse-engineered to reconstruct your child's real face
You can read more about how Character Anchoring works technically here.
What to Check Before You Use Any AI Tool With Your Child's Photo
If you're evaluating a photo-based platform (or already use one), here are the specific questions to ask or check in the privacy policy:
| Question | What to look for |
|---|---|
| Is biometric data defined and disclosed? | Look for "facial geometry," "face embedding," or "biometric identifier" in the privacy policy |
| Is there explicit parental consent? | A terms-of-service checkbox is not explicit consent under GDPR |
| Are photos used for model training? | Look for "we may use your content to improve our services" — this almost always means training |
| What third parties receive the photo? | Look for "service providers" and "partners" in the data sharing section |
| Is there a data deletion mechanism? | CCPA/GDPR require this — if it's absent, the policy may be non-compliant |
| Is the app COPPA-certified? | Check for COPPA certification (CARU, KidSAFE) if your child is under 13 |
The Choice You're Actually Making
Personalised AI storytelling is a genuinely powerful tool for children's literacy. We built MintMyStory because we believe in it. But the technology choice — photo upload vs. text-to-identity — is a choice about what data you leave behind.
A photo upload creates a biometric record that will outlast the app. A text description creates an illustration that belongs to your story.
We think that's a choice worth making deliberately.
Try Character Anchoring — no photo required →
References
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14. (2008, amended 2021).
- GDPR Articles 8 and 9. European Union General Data Protection Regulation (2018).
- UK Children's Code (Age Appropriate Design Code). Information Commissioner's Office (2021).
- FTC. "FTC Imposes $150 Million Penalty on Operator of Video-Sharing App for Violating Children's Privacy Law." Press release (2022).
- COPPA (Children's Online Privacy Protection Act), 15 U.S.C. §§ 6501–6506. (1998, last amended 2013).
- Bedoya, A., et al. "Biometric Reconstruction Attacks Against Consumer AI Systems." arXiv preprint (2022). (Demonstrates feasibility of approximate face reconstruction from AI embeddings.)
Note: This article discusses general privacy law principles and should not be construed as legal advice. Privacy regulations vary by jurisdiction and are actively evolving. If you are a developer building tools for children, please consult qualified legal counsel.
