LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?
Summary
The UK's Online Safety Act, effective July 2025, mandates age verification for users accessing content deemed harmful by Ofcom, requiring users to be over 18. This process involves various data collection methods, each with distinct privacy implications. Companies like Yoti and Persona offer facial age estimation, often uploading photos to servers, though some, like k-ID and Private ID, process on-device. Photo-ID matching, using documents like driving licenses or passports, is highly sensitive, with providers like Incode sometimes retaining data unless explicitly requested for deletion. Other methods include Open Banking, which confirms age via bank data without sharing full date of birth; credit card checks; email verification, which aggregates online service usage; and mobile operator checks, confirming age based on phone number restrictions. The Electronic Frontier Foundation (EFF) highlights that no method is perfectly privacy-preserving, especially for LGBTQ+ individuals, whose shared data could lead to discrimination or harm.
Key takeaway
For UK residents navigating mandatory online age verification, carefully scrutinize each service's data practices. Understand what personal information, including location or identity documents, is collected, who accesses it, and how long it is retained. You should prioritize services that process data on-device or offer clear, immediate deletion policies. Be aware that even seemingly innocuous data can reveal sensitive details, particularly for LGBTQ+ individuals, increasing risks of discrimination or harassment.
Key insights
UK age verification mandates pose significant privacy risks due to diverse data collection methods and retention practices.
Principles
- Age verification methods vary widely in data disclosure.
- Data retention policies are often unclear or inconsistent.
- External audits are crucial for verifying privacy claims.
Method
To assess age verification privacy, investigate data required, access controls, retention policies, audit practices, and visibility of verification attempts by third parties.
In practice
- Use on-device facial age estimation if available.
- Take selfies without identifying background elements.
- Explicitly request data deletion from third-party providers.
Topics
- Age Verification
- Data Privacy
- Online Safety Act
- UK Regulation
- Facial Age Estimation
- Identity Verification
- LGBTQ+ Rights
Best for: CTO, VP of Engineering/Data, Executive, Legal Professional, Policy Maker, Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Deeplinks.