LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?

Deeplinks 2026-06-30

Summary:

This Pride, we’re answering all your digital rights questions in season two of our initiative, LGBT Q&A

You Asked: I live in the UK, and we have age verification now on a bunch of websites (including Reddit) and now on iPhones. Can you explain what sort of data companies are actually collecting when they check for age and whether there are any real threats to my safety? 

EFF’s Answer: Age verification is a process where a website or service checks your age to determine whether a user is over a certain age, in the UK this age is 18. 

As of July 2025, all platforms in the UK that host content considered by the UK government and the country’s telecommunications regulator Ofcom to be harmful are legally obligated to check that their users are over the age of 18. If not, users cannot access the content. 

There are various privacy implications for data sharing with age verification. Unfortunately, because services may use different methods to verify users’ ages, you’ll usually have to do a little digging to learn how each provider you have verifies their users, and consider what information might be harmful to your personal safety: 

  • The data itself: What info does each method require users to disclose?
  • Access: Who can see the data during the course of the verification process? Does anything other than the age result leave your phone or device? Is the provider told your date of birth, or just if you’re over 18? Which third party services see the information you send?
  • Retention: Who will hold onto that data after the verification process, and for how long? Sometimes it’s deleted immediately. Sometimes it hangs around forever, waiting for a data breach.
  • Audits: How sure are we that the provider’s stated claims around data access and retention will happen in practice? For example, are there external audits confirming that data is not accidentally leaked to another site along the way? Ideally these will be in-depth, security-focused audits by specialized auditors like NCC Group or Trail of Bits, instead of audits that merely certify adherence to standards. 
  • Visibility: Who will be aware that you’re attempting to verify your age, and will a third party provider know which platform you’re trying to verify for? Will they hang onto that data to build a profile of you?

Last year, Ofcom outlined a number of methods for online services and platforms to check users' ages. Let's look at some methods in more detail. 

Facial Age Estimation 

First up we have facial age estimation, where you show your face via photo or video, and a technology provided by a company like Yoti or Persona analyses it to estimate your age. Most of these third-party verification services upload your photo to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” 

You might not want to use facial age estimation if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. Some services like k-ID and Private ID

Link:

https://www.eff.org/deeplinks/2026/06/lgbt-qa-what-data-are-companies-uk-collecting-when-verifying-my-age

From feeds:

Fair Use Tracker » Deeplinks
CLS / ROC » Deeplinks

Tags:

privacy

Authors:

Paige Collings, Erica Portnoy

Date tagged:

06/30/2026, 06:39

Date published:

06/30/2026, 04:08