The UK’s Online Safety Act requires platforms to identify their users: behind every age check lies a surveillance system with opaque rules on data collection, access and retention.
From July 2025, all platforms operating in the UK that host content classified as harmful by Ofcom – the UK telecommunications regulator – are legally required to verify that their users are at least 18 years old. Reddit, adult content services and, more recently, iPhone devices already fall within scope. The question few are asking is: what data do companies actually collect during this process?
The Electronic Frontier Foundation has an answer. In its Deeplinks blog, it published a detailed analysis of the main age verification methods in use in the UK, mapping four variables for each: the data requested, who has access to it during the process, how long it is retained, and whether independent audits exist to verify providers’ claims.
The most widespread method is facial age estimation – a selfie or short video analysed by a third-party provider such as Yoti or Persona. Yoti states that it deletes the image immediately after the estimate, but the photo is still uploaded to its servers. Some alternative operators such as k-ID and Private ID process the data directly on the device, limiting what leaves the smartphone to a binary result only. EFF notes that, in the event of a data breach, even the background of a selfie can reveal the user’s current location.
Photo-ID matching – comparing an identity document against a real-time photo – is considered the most invasive method. One case cited in the analysis concerns Incode, a provider used by TikTok: its privacy policy includes no automatic data deletion at the end of the process. TikTok states that it initiates the deletion procedure on its own account, but the user has no direct guarantees. EFF recalls the Discord case, in which identity documents were previously collected in a general support forum: left there indefinitely, they were exposed in a large-scale data breach. Discord later abandoned that system, according to EFF.
Open banking and credit card verification offer a smaller exposure surface in theory: the service receives only a binary confirmation that the user has reached the age of majority, without the full date of birth. Credit cards are used mainly for adult content services, where card ownership serves as an age proxy. Here too, EFF warns that the third-party verification provider knows both the platform being accessed and the banking data, which enables the construction of behavioural profiles over time.
The thread running through the analysis is that every age verification system is, by design, a surveillance system. The data collected varies from provider to provider, retention policies are often opaque, and independent audits – where they exist – address compliance with standards more than actual security. EFF cites specialist auditors such as NCC Group and Trail of Bits as qualitative benchmarks, but notes that very few services rely on verification of that standard. The fact that the law mandates the check without specifying minimum data protection standards places the entire informational burden on the user – as already happens with other mandatory online identification regimes, from KYC for AI services to private biometric databases.





