Age Verification Collects More Than Age

SurveillanceUKAustraliaMarch 2026~6 min read

Age checks now gate legal content in the UK, Australia, Germany, France, and parts of North America. They do not just ask for your birth date. They pull biometrics, document data, payment records, and device data. The UK's Online Safety Act and Australia's social media minimum age law push hardest.

Key points

Biometric data from age checks does not come back clean. Once it enters a third-party database, the link to your identity sticks. Those databases already leak.
Age verification tokens can tie to your device. The same provider can track you across sites and build a browsing record under your legal identity.
Age checks feed national digital ID systems. The UK and Australia both point that way in plain text.

JURISDICTIONS MANDATING AV

UK, AU, DE, FR, TX, EU

2025

OFCOM ENFORCEMENT START

UK Online Safety Act

GDPR-COMPLIANT AV SYSTEMS

UK ICO acknowledgement

BREACH INCIDENTS DOCUMENTED

AgeID 2019, Veriff 2022

The Laws Push the Capture

Age verification laws by jurisdiction

Country	Law	Status	Scope
United Kingdom	Online Safety Act 2023	Active. Ofcom enforcement from 2025	Adult content, social media, user-generated platforms
Australia	Online Safety Act (age assurance standards 2025)	Active. Trials underway	Social media (16+ ban), adult content
Germany	JuSchG (Youth Protection Act) Amendment	Active	Adult content, gaming, gambling
France	ARCOM age verification decree 2023	Active	Adult content
Texas / Utah (US)	HB 1181 / SB 287	Active (ongoing litigation)	Adult content platforms
EU (proposed)	Digital Services Act (AV provisions)	Under development	Large platforms, adult content

What the Tech Actually Takes

Three methods dominate. None stay small.

1. Facial Age Estimation

Providers may say they delete your image after processing. They still send it to remote servers first. The token they issue after the scan can tie to your device and follow you across sites that use the same vendor. Some systems also track eye movement and micro-expressions for liveness checks. Many generate a risk score that can send your session to a human reviewer.

2. Credit Card / Financial Verification

The card number is not the main problem. The merchant category code is. It tells the processor what kind of site you touched. That leaves your legal name, billing address, and card linked to a category of browsing. The record sits with your bank or card network and can outlive the site itself.

3. Government ID / Digital ID

This is the hardest one to unwind. Systems like Experian OneID, GBG, and Jumio scan your document, extract your name, date of birth, ID number, and nationality, then log which sites asked for the check. That data lands with a private identity company. Fraud flags and document scores from one check can follow you into later checks in totally different contexts.

The aggregation problem: One provider can sit under hundreds or thousands of sites. Use the same one twice and it can map your browsing to your verified identity.

Breaches Hit Harder Here

Age verification databases are ugly breach targets because they join legal identity to sensitive browsing. In 2019, AgeID drew criticism over exposed user verification data before the UK rollout collapsed. In 2022, Veriff exposed internal records tied to identity checks.

The UK's ICO (Information Commissioner's Office) has said no current age verification system fully preserves privacy under GDPR. The mandates keep coming anyway.

How to Avoid the Capture

Use a VPN with an exit node outside the mandate. Age checks depend on IP geolocation. With Mullvad or IVPN, pick Switzerland, Iceland, or parts of Eastern Europe. The platform sees a non-UK or non-AU IP and often never shows the gate.

Use Tor Browser. Tor routes traffic through three relays and exits from a different IP. The site sees the exit country, not you. Use the full Tor Browser, not just the proxy, so you also cut browser fingerprinting.

Use GrapheneOS for mobile. Mobile age checks often look at advertising ID, carrier data, and installed apps with the IP. GrapheneOS strips much of that and lets you sandbox network access per app. Pair it with a VPN.

Use private DNS. UK ISPs now lean on DNS-level age blocks. Mullvad DNS or Quad9 bypass ISP DNS filtering. Set them over DoH to cut ISP-level blocking.

Refuse the selfie. If a site asks for your face, stop there. Facial geometry is not a password. Once the database links it to you, that link stays.

Age Checks Feed Digital ID

This is not just about minors finding porn. Governments are building identity gates for the wider internet. The UK roadmap ties age verification to its "One Login for Government" digital identity system. Australia's Digital ID Act 2024 builds a federated identity frame that age checks can feed.

Once verified identity becomes the price of access, the same stack can gate political speech, health information, finance, or anything else the state wants to meter. Age verification and general internet censorship use the same machinery.

VPNs, Tor, and private DNS are not convenience hacks. They block a growing identity log.

Cunicula receives no funding from any government body, age verification company, or internet service provider.

Follow the Money

Age verification is an industry with state support. Yoti took UK government backing. AgeID was run by MindGeek. Entrust bought Onfido to move deeper into biometrics. The biometric data is not a side effect. It is the asset.

$Age verification vendors: government-backed biometric collection at scale

UK government: DSIT AV contracts. OFCOM enforcement mandate (2025). Yoti: UK-backed, facial biometrics retained, cross-site token tracking.
AgeID / MindGeek: Pornhub parent. User data exposure in 2019. UK rollout dropped after backlash.
Biometric vendors: Entrust (acquired Onfido). VerifyMe. Jumio. GBG. Biometrics are the most permanent form of identity capture.
Net result: Age check becomes identity database. Government-backed. Privately run.

← PreviousWhat AI Companies Know About You: The Prompt Surveillance Problem Next →Privacy on Mainstream Socials: Reducing Damage Without Going Dark