TL;DR

The Electronic Frontier Foundation published a guide for people facing mandatory online age checks, urging users to minimize the data they share and to evaluate verification methods carefully. It outlines types of checks, known vendor practices, and practical questions to ask about data handling and retention.

What happened

The EFF published a resource explaining how users can navigate the mandatory age-verification prompts that many sites now require. The guide stresses submitting the minimum possible personal data, walks through common verification approaches (inferred age, facial age estimation, document-based checks, and other signals like credit-card or email-based proofs), and offers a list of questions users should ask about any method: what data is collected, who can access it, how long it’s retained, whether there are independent audits, and who learns you attempted verification. The post highlights specific vendor and platform practices: some facial checks run on-device while others (for example, Yoti) upload images to servers; document checks can reveal full legal identity and have historically led to breaches (Discord’s routing error exposed tens of thousands of ID photos). The EFF also notes that facial estimation has accuracy and accessibility problems for marginalized groups, and that cryptographic digital-ID solutions exist but aren’t broadly available.

Why it matters

  • Age verification can expose highly sensitive personal data—IDs and face images—that link online accounts to real-world identities.
  • Data retention and third-party processing increase the risk of breaches, long-term tracking, and loss of anonymity.
  • Some verification methods are less accurate for people of color, trans and nonbinary people, and people with disabilities, risking false denials or extra exposure.
  • Even well-intentioned technical controls (e.g., claimed immediate deletion) can fail in practice through bugs, process oversights, or inadequate audits.

Key facts

  • The EFF opposes mandated age verification and published guidance to help people minimize privacy harm while mandates remain in effect.
  • Users are advised to submit the least amount of data possible when forced to verify age.
  • Platforms commonly try to infer age using existing account signals before asking for explicit verification.
  • Facial age estimation can run on-device (reducing some leakage risk) or send images to vendor servers; vendors mentioned include Private ID, k-ID (on-device) and Yoti (server-side uploads).
  • Document-based verification requires government IDs and therefore proves both age and identity; routing or retention errors can expose those documents.
  • Discord previously exposed nearly 70,000 ID photos after routing verification data through a general support workflow, where the data wasn’t deleted.
  • Some document-verification vendors retain images for long periods by default; Incode was cited as holding images indefinitely unless deletion is triggered by the platform.
  • Meta may infer age from posted content and, when asking for verification, can route face checks and ID uploads through Yoti; Meta says it retains uploaded ID images for 30 days while Yoti claims immediate deletion.
  • Security researchers (Mint Secure) found trackers in Yoti’s app and site, raising concerns that verification attempts could leak to third-party data brokers.

What to watch next

  • Whether cryptographic, on-device digital-ID systems become more widely available across platforms: not confirmed in the source.
  • Whether verification vendors and platforms begin publishing independent, in-depth security audits by specialized firms such as NCC Group or Trail of Bits: not confirmed in the source.
  • Whether platforms shorten retention periods or change workflows to reduce risk of routing verification data into general support systems after prior breaches: not confirmed in the source.

Quick glossary

  • Age gate: A website or app checkpoint that asks users to confirm they meet an age requirement before accessing certain content or features.
  • Facial age estimation: A method that assesses a person’s likely age from an image of their face, performed either on-device or by sending the image to a remote service.
  • Document-based verification: An approach that requires a government-issued ID or similar document to prove age, which also reveals legal identity details.
  • Digital ID (cryptographic): A digitally stored credential that can prove attributes (like being over a certain age) without revealing other personal details, using cryptographic techniques.
  • Data retention: The length of time a platform or vendor keeps collected information, which affects exposure risk in breaches or legal requests.

Reader FAQ

If I must verify, which method is safest?
The EFF recommends providing the least possible data; on-device age checks limit server uploads, but availability and accuracy vary—choose based on the specific vendor and your comfort with their stated practices.

Will platforms delete my uploaded ID?
Practices differ: Meta says it retains uploaded ID images for 30 days and Yoti claims to delete facial images after estimating age, but bugs and process errors can still lead to exposures.

Are facial scans reliable for everyone?
No. The guide notes facial age estimation works less well for people of color, trans and nonbinary people, and people with disabilities, creating accuracy and equity concerns.

Are universal digital IDs widely available to avoid sharing IDs?
Not confirmed in the source.

This blog also appears in our Age Verification Resource Hub: our one-stop shop for users seeking to understand what age-gating laws actually do, what’s at stake, how to protect yourself, and…
