From face scans to credit checks: how UK age verification works and why it’s a privacy nightmare


Age verification’s arrival in the UK has raised the first blockade against harmful and adult content online, though not without serious risk.

As of July 25, 2025, adult sites, gaming services, and social media platforms, including Reddit, X, and Bluesky, all require users to prove they’re over the age of 18 to access such content. These proofs are anything from simple credit card checks to full face scans and mobile network operator checks, run by either the sites themselves or a third party.

The UK’s new age verification requirements fall under the Online Safety Act – the UK’s attempt to protect children from harmful online content. In an interview with the BBC, Labour MP Peter Kyle claimed that “verifying your age keeps a child safe.” However, for many, the concern is whether this comes at the cost of user privacy.

How providers verify your age

Bluesky is among the many social media platforms implementing age verification to protect its users (Image credit: Future // Dash Wood)

The UK’s new age checks cover a variety of sites online. Whether you’re using a dating site like Grindr, social media such as Reddit, or an instant messaging/VoIP platform like Discord, you’ll be required to prove your age so long as you’re in the UK.

Ofcom, the UK’s internet regulator, lists several ways in which UK internet users can confirm their age:

  • Facial age estimation: One of the most commonly implemented checks, this involves uploading a photo or video of your face.
  • Open banking: This grants permission to an age verification service to access your bank account information to confirm you’re over 18.
  • Digital identity services: Such services include digital identity wallets, which allow you to store and share proof of age digitally.
  • Credit card age checks: You have to be 18 or over to have a credit card. Providing your credit card details allows a payment processor to verify their validity.
  • Email-based age estimation: Sharing your email address sees it cross-referenced with other online services you’ve used, such as banking or utility providers.
  • Mobile network operator age checks: With your permission, an age-check service verifies whether your mobile has any age-related restrictions. If none are present, this confirms you’re over 18.
  • Photo-ID matching: You upload an image of a document with your face and age, along with a photo of yourself. The images are then compared to confirm that the document belongs to you.

Most sites with adult or harmful material are likely to offer multiple verification methods for users to choose from. Ofcom states that checks may be carried out by a website or app itself, or via a third-party company.

One concern is that users may not always fully understand the importance of the data they’re giving away, how it will be used, or, crucially, the consequences should that data fall into the wrong hands.

Verifying your age – compromising your data and privacy?

“Strong age checks can be done effectively, safely, and in a way that protects your privacy,” Ofcom claims – despite high-profile data breaches being a regular occurrence of late.

Needless to say, there are numerous security and privacy-related concerns regarding the UK’s age verification methods. This is evidenced by a petition to repeal the Online Safety Act, which, at the time of writing, has already garnered over 425,000 signatures.

Age verification requires users to submit sensitive personal information such as ID documents, and put their trust in the websites and third-party verification services that are collecting, storing, and processing this data.

Failure to properly secure this data increases the risk of data breaches and unauthorized access. The risk is even greater if data is retained longer than necessary.

Should data become compromised, it could be used to commit identity theft. Users may even be blackmailed based on their online activity, damaging their reputation in the process.

The internet has already found ways to circumvent the checks, with some even using Death Stranding’s photo mode to bypass them. A far more common method that UK internet users have used to get around the checks, however, is Virtual Private Networks (VPNs).

Can you secure your data?

In the wake of the UK’s mandatory age checks, VPN apps have shot to the top of app stores. Proton VPN, a privacy-first service among the best VPN apps, reported a 1,400% increase in signups in the days following the new law’s enactment.

Proton VPN Free was likely the biggest beneficiary of this boost. Several free VPNs have topped App Store charts in recent days, though not all are trustworthy.

Many free VPNs offer vague, unaudited privacy policies, serve ads that can result in unwanted data collection, or simply harvest your data for malicious purposes.

Proton VPN Free, however, is an exemplary free VPN. Offering a 'freemium' service, it gives a limited version of what you'd expect from its paid alternative, Proton VPN Plus, with only five server locations available, which you cannot choose from specifically, and none of Proton's wider features, though you can access its proprietary Stealth protocol.

If you want to secure your data with a free VPN, make sure the provider has a detailed no-logs policy, ideally one that has been audited, and doesn't share any of your personal information with third parties.

Age verification: the EU's alternative method

The UK isn't the only region bringing in new age verification technology. The EU is also introducing age verification – though via means that, at least initially, appear far more secure and trustworthy.

The EU's solution is a single white-label app which, while confirming to a provider that you're over 18, gives no further details. The proof of age is produced by an issuer and passed to the provider by a separate presenter. The proof provider never finds out which services the proof was used for, and each proof is only used once to prevent cross-service tracking.

The EU is also working to further this with zero-knowledge proofs, though currently the timeline for this isn't concrete.

Introducing a centralized, universally usable app solution solves several of the issues presented by the UK solution. Firstly, it means you only need to use a select number of issuers and presenters, all of which can be properly secured. Secondly, by making the issued proof single-use, you reduce the risk of tracking and consequently the risk of your data being used maliciously.
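The single-use proof flow described above can be sketched as follows. This is an added illustration, not the EU app's code or data format: the names `issue_batch`, `Wallet` and `Provider` are hypothetical, and an HMAC with a constructed demo key stands in for the issuer's signature.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. HMAC stands in for the issuer's public-key signature so
# this runs on the standard library; a real provider would hold only a public key.
ISSUER_KEY = secrets.token_bytes(32)

def _tag(claim: str) -> str:
    return hmac.new(ISSUER_KEY, claim.encode(), hashlib.sha256).hexdigest()

def issue_batch(verified_over_18: bool, count: int = 3) -> list:
    """Issuer: after checking age once, emit proofs that carry no identity."""
    if not verified_over_18:
        return []
    proofs = []
    for _ in range(count):
        # The only fields are the over-18 flag and a random single-use nonce.
        claim = json.dumps({"over_18": True, "nonce": secrets.token_hex(16)}, sort_keys=True)
        proofs.append(claim + "." + _tag(claim))
    return proofs

class Wallet:
    """Presenter: hands out each proof once, so no two sites see the same one."""
    def __init__(self, proofs):
        self.proofs = list(proofs)
    def present(self) -> str:
        return self.proofs.pop()

class Provider:
    """Website: verifies the issuer's tag and refuses a proof it has already seen."""
    def __init__(self):
        self.spent = set()
    def accept(self, proof: str) -> bool:
        claim, _, tag = proof.rpartition(".")
        if not hmac.compare_digest(tag.encode(), _tag(claim).encode()):
            return False  # forged or altered proof
        data = json.loads(claim)
        if data.get("over_18") is not True or data["nonce"] in self.spent:
            return False  # replayed proof
        self.spent.add(data["nonce"])
        return True

def demo() -> dict:
    wallet = Wallet(issue_batch(verified_over_18=True))
    site_a, site_b = Provider(), Provider()
    p1, p2 = wallet.present(), wallet.present()
    return {"first_use": site_a.accept(p1), "replay": site_a.accept(p1),
            "other_site": site_b.accept(p2), "same_proof": p1 == p2,
            "tampered": site_b.accept(p2.replace("true", "false")),
            "fields": sorted(json.loads(p1.rpartition(".")[0]))}
```

Each site receives a different proof containing only the over-18 flag and a nonce, so two sites comparing what they received have nothing in common to link a user by.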

Proton VPN

Proton VPN – from $4.49/£3.59 per month

Proton VPN comfortably ranks among the best VPNs. Despite being among the more expensive VPNs, Proton VPN gives you:

- 950 Mbps download speeds
- Servers in over 120 countries
- Stellar unblocking across global streaming platforms
- Ad, tracker, and malware blocking

For many, however, it's Proton's Swiss home that sells it. Being based in Switzerland means Proton isn't subject to any intelligence-sharing pacts by organisations such as the EU, NATO, or Five Eyes. What's more, it has a strict no-logs policy, meaning that should any requests be granted, there's no data to be found anyway.

We love that Proton not only has supremely simple apps, but that you can also access these apps across almost any platform. This means you can use up to 10 devices of any kind without being bogged down by complicated menus or lack of app support. Plus, if you're not impressed, Proton has a 30-day money-back guarantee.

Mark Gill
Tech Security Writer

Mark is a Tech Security Writer for TechRadar and has been published on Comparitech and IGN. He graduated with a degree in English and Journalism from the University of Lincoln and spent several years teaching English as a foreign language in Spain. The Facebook-Cambridge Analytica data scandal sparked Mark’s interest in online privacy, leading him to write hundreds of articles on VPNs, antivirus software, password managers, and other cybersecurity topics. He recently completed the Google Cybersecurity Certificate, and when he's not studying for the CompTIA Security+ exam, Mark can be found agonizing over his fantasy football team selections, watching the Detroit Lions, and battling bugs and bots in Helldivers 2.
