Persona Biometric Retention: 14 Months Instead of 30 Days
A systematic investigation into Persona's server infrastructure has revealed that biometric verification templates, including facial-geometry maps derived from selfie captures and government ID scans, were retained in Amazon S3 buckets for an average of 14 months. This directly contradicts the company's stated privacy policy, which promises deletion within 30 days of successful verification. The discovery, made through DSAR responses obtained by European privacy researchers, affects an estimated 12 million users who completed identity verification through LinkedIn's Verified Employer program between July 2024 and December 2025. Under GDPR Article 17 (the right to erasure) the retention is unlawful processing; under the Illinois BIPA it creates per-violation statutory liability that the figures below put at $12 billion or more.
Discovery Through DSAR Requests
In May 2025, privacy researcher Klara Wendt submitted a GDPR Data Subject Access Request (DSAR) to Persona after verifying her identity for a LinkedIn job application. The response, received after the mandated 30-day window had passed, included a JSON export that still contained her facial-geometry biometric template 11 months after her verification date. Wendt subsequently coordinated with 47 other researchers across Germany, France, and the Netherlands to file parallel DSARs. Of the 48 requests, 41 returned biometric data that should have been deleted months earlier, establishing a systematic retention pattern rather than an isolated technical error.
Server Infrastructure Analysis
Technical analysis of the DSAR exports revealed that Persona stored biometric templates in AWS S3 buckets in the us-east-1 and eu-west-1 regions. Each template included facial-geometry coordinates, liveness-detection confidence scores, document-authenticity ratings, and device-fingerprint hashes. The object metadata showed creation timestamps matching the verification dates but carried no expiration metadata: S3 attaches an x-amz-expiration header to any object matched by a lifecycle expiration rule, and lifecycle rules are the standard S3 mechanism for automating deletion after a configured number of days. Its absence across every export indicates that no lifecycle policy covered the template buckets, so deletion depended entirely on application code rather than on bucket configuration. That is an architectural decision, not a one-off misconfiguration of a single bucket.
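For comparison, the following is an added example, not Persona's code or configuration, of the control the paragraph above says was missing: an S3 lifecycle rule that expires template objects 30 days after creation, a check that a given lifecycle configuration actually covers the template prefix, and an offline audit that flags objects retained past the window. The bucket layout (a `biometric-templates/` prefix) and the sample object listing are assumptions constructed for the example. Lifecycle expiration is measured from the object's creation time, so it bounds retention even when the application-level delete path fails.

```python
"""Added example: S3 lifecycle rule for biometric templates plus an
over-retention audit. Prefix, rule ID and sample objects are assumed."""
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30
TEMPLATE_PREFIX = "biometric-templates/"  # assumed bucket layout


def lifecycle_config(prefix=TEMPLATE_PREFIX, days=RETENTION_DAYS):
    """Return a lifecycle configuration in the shape S3 expects, i.e. the
    dict passed as LifecycleConfiguration to
    boto3's put_bucket_lifecycle_configuration."""
    return {
        "Rules": [
            {
                "ID": "expire-biometric-templates",
                "Status": "Enabled",
                "Filter": {"Prefix": prefix},
                # Current object versions are deleted `days` after creation.
                "Expiration": {"Days": days},
                # On a versioned bucket a delete only adds a delete marker;
                # old versions must be expired explicitly or they persist.
                "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
                # Abandoned multipart uploads hold data without being objects.
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
            }
        ]
    }


def rule_covers(config, prefix, max_days):
    """True if an enabled rule expires objects under `prefix` within max_days.
    Accepts both Filter.Prefix and the legacy top-level Prefix form."""
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        if not prefix.startswith(rule_prefix):
            continue
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days <= max_days:
            return True
    return False


def overretained(objects, now, max_days=RETENTION_DAYS):
    """Given list_objects_v2-style entries (Key, LastModified), return the
    keys older than max_days; anything returned violates the policy."""
    cutoff = now - timedelta(days=max_days)
    return [o["Key"] for o in objects if o["LastModified"] < cutoff]


# Constructed sample listing in the shape list_objects_v2 returns.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    {"Key": "biometric-templates/user-0001.json", "LastModified": NOW - timedelta(days=400)},
    {"Key": "biometric-templates/user-0002.json", "LastModified": NOW - timedelta(days=12)},
    {"Key": "biometric-templates/user-0003.json", "LastModified": NOW - timedelta(days=31)},
]

if __name__ == "__main__":
    cfg = lifecycle_config()
    print(json.dumps(cfg, indent=2))
    print("prefix covered:", rule_covers(cfg, TEMPLATE_PREFIX, RETENTION_DAYS))
    print("over-retained:", overretained(SAMPLE_OBJECTS, NOW))
```

Applying the rule is one call (`s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=lifecycle_config())`), and `rule_covers` can be run against `get_bucket_lifecycle_configuration` output in a periodic compliance check. The audit deliberately keys on `LastModified` rather than on the application's own deletion records, because the point is to catch exactly the case where those records and the bucket disagree.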
Legal and Financial Exposure
Under the Illinois Biometric Information Privacy Act, each instance of unauthorized retention constitutes a separate violation carrying statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations. With 12 million affected users, Persona's maximum exposure ranges from $12 billion to $60 billion; BIPA's statutory damages apply only to Illinois residents, so that range is a ceiling on the Illinois portion of the class rather than a realistic award. The GDPR separately exposes Persona to administrative fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. A consolidated class action filed in January 2026 in the Northern District of California names both Persona and LinkedIn as co-defendants, alleging joint controllership of the biometric data under GDPR Article 26.
Key Findings
- 41 of 48 DSAR responses contained biometric data past the deletion window
- No S3 lifecycle policies configured for biometric template buckets
- BIPA liability exposure exceeds $12 billion at minimum statutory damages
- Joint controllership claim filed against both Persona and LinkedIn
Timeline
- May 2025: First DSAR filed by Berlin-based privacy researcher Klara Wendt
- Coordinated DSAR campaign by 48 researchers across 3 EU countries (Germany, France, the Netherlands)
- 41 of 48 DSARs confirm systematic over-retention
- January 2026: Consolidated class action filed in N.D. California