Atlas21
  • ‎
No Result
View All Result
Atlas21
No Result
View All Result
Atlas21
Home Industry

EFF maps the data collected by age verification in the UK

Newsroom by Newsroom
July 1, 2026
in Industry
Share on FacebookShare on TwitterShare on Linkedin

The UK’s Online Safety Act requires platforms to identify their users: behind every age check lies a surveillance system with opaque rules on data collection, access and retention.

From July 2025, all platforms operating in the UK that host content classified as harmful by Ofcom – the UK telecommunications regulator – are legally required to verify that their users are at least 18 years old. Reddit, adult content services and, more recently, iPhone devices already fall within scope. The question few are asking is: what data do companies actually collect during this process?

The Electronic Frontier Foundation has an answer. In its Deeplinks blog, it published a detailed analysis of the main age verification methods in use in the UK, mapping four variables for each: the data requested, who has access to it during the process, how long it is retained, and whether independent audits exist to verify providers’ claims.

The most widespread method is facial age estimation – a selfie or short video analysed by a third-party provider such as Yoti or Persona. Yoti states that it deletes the image immediately after the estimate, but the photo is still uploaded to its servers. Some alternative operators such as k-ID and Private ID process the data directly on the device, limiting what leaves the smartphone to a binary result only. EFF notes that, in the event of a data breach, even the background of a selfie can reveal the user’s current location.

Photo-ID matching – comparing an identity document against a real-time photo – is considered the most invasive method. One case cited in the analysis concerns Incode, a provider used by TikTok: its privacy policy includes no automatic data deletion at the end of the process. TikTok states that it initiates the deletion procedure on its own account, but the user has no direct guarantees. EFF recalls the Discord case, in which identity documents were previously collected in a general support forum: left there indefinitely, they were exposed in a large-scale data breach. Discord later abandoned that system, according to EFF.

Open banking and credit card verification offer a smaller exposure surface in theory: the service receives only a binary confirmation of majority age, without the full date of birth. Credit cards are used mainly for adult content services, where card ownership serves as an age proxy. Here too, EFF warns that the third-party verification provider knows both the platform being accessed and the banking data, which enables the construction of behavioural profiles over time.

The thread running through the analysis is that every age verification system is, by design, a surveillance system. The data collected varies from provider to provider, retention policies are often opaque, and independent audits – where they exist – address compliance with standards more than actual security. EFF cites specialist auditors such as NCC Group and Trail of Bits as qualitative benchmarks, but notes that very few services rely on verification of that standard. The fact that the law mandates the check without specifying minimum data protection standards places the entire informational burden on the user – as already happens with other mandatory online identification regimes, from KYC for AI services to private biometric databases.

Previous Post

UK publishes definitive digital asset framework with 2027 deadline

Next Post

Trump discloses over $1.4 billion in digital asset income for 2025

Latest News

Raccontare Bitcoin tramite l’arte
Feature

The Fed’s independence is a legal fiction

by Federico Rivi
July 1, 2026
0

The SCOTUS rulings of 29 June 2026 on independent agencies reveal that the American central bank has always been, in...

Read moreDetails
trump
Industry

Trump discloses over $1.4 billion in digital asset income for 2025

by Newsroom
July 1, 2026
0

The president's financial disclosures show a structural overlap between executive power and the digital asset sector that Congress cannot ignore.

Read moreDetails
Industry

EFF maps the data collected by age verification in the UK

by Newsroom
July 1, 2026
0

The UK's Online Safety Act requires platforms to identify their users: behind every age check lies a surveillance system with...

Read moreDetails
documents-papers-licence-permits
Crypto

UK publishes definitive digital asset framework with 2027 deadline

by Newsroom
June 30, 2026
0

The UK is building a regulatory framework more detailed than Europe's MiCA: mandatory licences, capital stress tests and stablecoins under...

Read moreDetails
geolocalization-geo-localization-maps
Industry

SCOTUS: warrant required for geofence location data

by Newsroom
June 30, 2026
0

The US Supreme Court extends the Fourth Amendment to location history held by third parties: law enforcement access now requires...

Read moreDetails
Atlas21

© 2026 Atlas21

Navigate Site

  • Editorial Policy
  • Cookie Policy
  • Privacy Policy
  • Team

Follow Us

No Result
View All Result
  • Bitcoin 101
    • What Is Bitcoin? A Complete Guide
    • Bitcoin Security: A Complete Guide
    • Bitcoin Privacy: A Complete Guide
    • Lightning Network: A Complete Guide
    • Bitcoin Mining: A Complete Guide
    • Advanced Bitcoin: A Technical Guide
  • Learn
  • Latest News
  • Interviews
  • Opinion
  • Feature
  • B2B Services
  • About Us
  • Contacts

© 2026 Atlas21

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site, we will assume that you are happy with it.