What is age verification? The privacy nightmare facing millions of UK internet users

A person using a mobile device to verify their age via a facial scan
(Image credit: Getty Images)

Millions of Britons woke up to a dramatic change in how they use the internet on July 25, as internet users must now verify their age in order to access online content deemed 'adult' or 'harmful'.

The new measures are designed to prevent children from accessing inappropriate content online, but many adult web users are less than happy about the new barriers that have been erected between them and their usual digital landscape – including social media feeds and instant messaging apps.

The introduction of age checks has privacy advocates questioning just how safe it is to hand over so much identifiable data to an ever-growing number of sites, and has prompted a spike in interest in both the best VPNs and best free VPNs.

Here’s everything you need to know about the new rules.

What is age verification?

Age verification checks were rolled out as part of the UK's Online Safety Act, a collection of laws introduced from 2023 that are designed to protect internet users, and in particular children, online.

From 25 July, 2025, any site that hosts adult content must have reliable age checks in place to keep minors from accessing their content. As a result, adult web users will need to prove their age to access a site.

The new rules impact more than just adult sites, too. Any platform that allows user-generated content and interactions will need to enforce the same age checks. This includes social media sites like X, Bluesky, and Reddit, dating apps, instant messaging services, video-sharing platforms, and even cloud-sharing services.

The privacy problem

The growing privacy concerns around age verification stem from how UK citizens are being asked to prove their age. Ofcom, the UK’s communications regulator, has made it clear that simply manually inputting a date of birth is no longer sufficient proof of age.

Instead, Ofcom has highlighted a number of ways that sites can verify the age of their users. These include:

  • Facial age estimation. Users are asked to upload a photo or video, and image analysis technology is use to estimate the apparent age of the user.
  • Digital identity services. These services share age-proving information in a digital format, like digital wallets.
  • Photo-ID matching. The user uploads two pieces of evidence: a document with a picture and statement of age, and a current photo. The two are compared to confirm the user’s age.
  • Bank verification. The user allows the site to access information from a bank account to verify whether they’re over 18.
  • Credit card verification. Credit cards are only available to those over 18. A user can provide their card details and allow a payment processor to check the card's validity.
  • Email age estimation. Estimation technology uses an email address to determine where it has been used, for banking or utilities, to analyze the user’s age.

While some websites and platforms carry out these checks themselves, others are delegating the task to third parties, and Ofcom has worked with the UK's Information Commissioner’s Office (ICO) to create guidance for any platform handling user-submitted data in a privacy-friendly way.

These guidelines state that any user data must be kept solely for the purpose of age verification, and not stored for longer than necessary, as per the European Union's General Data Protection Regulation (GDPR) rules.

The data cannot be used for anything else, like targeted advertising, and only the bare minimum should be collected – just enough to answer “yes” or “no” to the question of whether the user is an adult or not.

While this is a solid foundation, guidelines are only guidelines, and third-party verification services may not adhere to them. This is a worry considering that these services will be responsible for collecting, storing, and deleting all sorts of personal data, including passports, credit card details, and biometrics.

What happens to your data?

Many third-party verification services are based in the US, where individuals' person data can be subject to intrusive official scrutiny. Notably, the Patriot Act can require a verification service to share data they've collected with the government.

Ultimately, the passport scan you upload in a hurry to regain access to X could end up in a database across the world, and millions of Britons will now be handing over similarly personal details on an unprecedented scale.

Data leaves a trace wherever it goes, even if it’s only stored for a short time. The normalization of age verification, and the subsequent huge increase in the amount of identifiable data being transmitted online, contradicts the principle of data minimization and supports a growing trend of de-anonymization, leaving us all more vulnerable to tracking, surveillance, and instances of fraud (and worse).

Who’s watching you?

A dart that has landed in the middle of a bullseye on a red target

(Image credit: Getty Images)

Noticing an influx of eerie, personalized pop-ups and banners? Check out our jargon-free guide to the murky world of targeted ads.

A particularly unscrupulous third-party verification service could take note of users based on the content they’re attempting to access. Given that the age verification checks apply to LGBTQ content and mental health resources, potential de-anonymization becomes even more of an issue.

Another concern is the sheer volume of data that will be passing through the hands of these verification services. Buying and selling data is big business on the shadier parts of the internet, and a single data breach could impact millions of Britons, who could suddenly find that their personal data is for sale on the dark web.

Whether a bad actor scoops up a deal on the dark web or a hacker pierces the verification platform, any cybercriminal targeting these services will be keen to use the personal information to launch new, more realistic phishing campaigns, or even go on to commit identity theft – armed with the user’s image, personal details, and even their credit card information.

What can you do to protect your data?

Whether you go ahead with age verification or not is up to you. If you're concerned about your digital privacy, however, the best, most cost-effective way to boost your security is with a robust virtual private network (VPN). See our guide to the most secure VPNs we've tested.

Despite a somewhat techy reputation, VPNs are super-easy to use and work with pretty much every device out there. Think desktops, mobile devices, tablets, consoles, and more.

Here's how a VPN works: when you connect to a VPN server, the VPN masks your original IP address and assigns you a new, temporary one. This makes it a lot harder for snooping third parties to track your activity, reducing the risk of falling foul of phishing scams and other cyberattacks. It also prevents advertisers from building up detailed profiles based on your search history, which could be used to generate invasive targeted ads.

VPN encryption is just as valuable. If a bad actor did manage to intercept your data, for example, the VPN encryption would render it unreadable and useless to them, thwarting any plans they might have. This is especially important for folks who rely on insecure public Wi-Fi hotspots – infamous hotbeds of cybercriminal activity – at home, during the commute, or on vacation.

River Hart
Tech Software Editor

River is a Tech Software Editor and VPN expert, helping take care of cybersecurity content on TechRadar, ranging from reviews, buying guides, and must-have VPN deals. River's expertise in the cybersecurity field opened their eyes to the startling amount of online snooping we accept into our daily lives. Now, River is committed to fighting for your right to digital privacy by shining a light on its biggest threats – and helping readers safeguard their data with the help of a VPN. Surfshark is River's favorite VPN, and they use it every day to keep their most sensitive details out of the hands of third-party trackers.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.