LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?

· Source: Deeplinks · Field: Technology & Digital — Cybersecurity & Data Privacy · Depth: Intermediate, medium

Summary

The UK's Online Safety Act, effective July 2025, mandates age verification for users accessing content deemed harmful by Ofcom, requiring users to be over 18. This process involves various data collection methods, each with distinct privacy implications. Companies like Yoti and Persona offer facial age estimation, often uploading photos to servers, though some, like k-ID and Private ID, process on-device. Photo-ID matching, using documents like driving licenses or passports, is highly sensitive, with providers like Incode sometimes retaining data unless explicitly requested for deletion. Other methods include Open Banking, which confirms age via bank data without sharing full date of birth; credit card checks; email verification, which aggregates online service usage; and mobile operator checks, confirming age based on phone number restrictions. The Electronic Frontier Foundation (EFF) highlights that no method is perfectly privacy-preserving, especially for LGBTQ+ individuals, whose shared data could lead to discrimination or harm.

Key takeaway

For UK residents navigating mandatory online age verification, carefully scrutinize each service's data practices. Understand what personal information, including location or identity documents, is collected, who accesses it, and how long it is retained. You should prioritize services that process data on-device or offer clear, immediate deletion policies. Be aware that even seemingly innocuous data can reveal sensitive details, particularly for LGBTQ+ individuals, increasing risks of discrimination or harassment.

Key insights

UK age verification mandates pose significant privacy risks due to diverse data collection methods and retention practices.

Principles

Method

To assess age verification privacy, investigate data required, access controls, retention policies, audit practices, and visibility of verification attempts by third parties.

In practice

Topics

Best for: CTO, VP of Engineering/Data, Executive, Legal Professional, Policy Maker, Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Deeplinks.