ORG calls for age assurance industry to be regulated

Open Rights Group has warned of serious privacy and security risks for people in the UK as online platforms start to ask users to verify their age, as required by the Online Safety Act. There are also freedom of expression harms as platforms require age verification to access features and content.

From 25 July 2025, many websites and online services must verify that their users are over 18. These checks are not only being introduced to restrict access to pornography services but to any platforms that allow the sharing of content that could be ‘harmful’ for under 18s. Services that have implemented age assurance so far include social media platforms, Reddit and Bluesky, and the dating app Grindr.

As the law comes into effect, there is:

• No public register of approved age assurance providers.

• No requirement for age assurance providers to meet any specific privacy or security standards, instead relying on data protection alone

• No requirement for platforms to choose trusted or certified providers.

James Baker, Programme Manager at Open Rights Group said:

“The British public is being forced to hand over sensitive personal data to unregulated age assurance providers if they want to have full access to platforms such as Reddit and Bluesky or to use dating apps such as Grindr.

“The threats and harms of phishing and hacking are very real, and will cause people online harms. The government needs to act to protect the public’s privacy and security.”

Privacy and security risks

ORG has long warned that age assurance carries privacy and security risks to users including:

• Phishing and sextortion scams
  Without official verification, it is easy for scammers to mimic these checks to steal personal data and use them in sextortion and blackmail scams.

• Weak security
  Many age assurance systems process extremely sensitive data – from official documents or facial scans – yet often follow fewer cybersecurity standards than UK banks.

• Reuse of data
  Some companies are using age assurance checks to collect extra data for advertising and profiling, such as users’ age and location.

Lack of consumer choice

Users don’t have a choice about which age verification provider they use; they must use the methods offered by the platform they are trying to access.

ORG is calling for age assurance methods to be interoperable so users can choose which age assurance providers they trust.

Data protection law is rarely enforced in the UK

The government has said that data protection law is sufficient to keep users’ data safe and secure. But breaches of data protection law are rarely if ever enforced against by the UK’s Information Commissioner, with the exception of action against spam and cold calling. This means that companies are not running a financial risk even if they seriously break data protection rules. Therefore, they may prioritise cost and convenience over users’ privacy and security when choosing an age assurance provider.

Freedom of expression harms

Platforms are deciding to restrict access to types of content and to features of their services. For example, users of Bluesky most not only prove they are 18 to access adult content but also to use features such as direct messaging.

Some of the definitions of harmful content are open to interpretation. For example, Reddit is introducing age assurance for a number of categories that could be very broadly interpreted, including ‘”content that promotes or romanticizes depression, hopelessness and despair.”

Baker added: ‘These definitions could be open to broad interpretation – will we see content relating to Goths, Emos, the Brontes and Sylvia Plath being inaccessible to under 18s?”

ORG is calling on Ofcom to be more specific about when and where third party age assurance tools are actually needed, to keep their use to a minimum, and for the ICO to engage with the policy and practice of the industry.

What the platforms are doing so far

Our report shows that new AV/AA technologies are already reaching beyond what was intended and taking privacy risks

Grindr

• Using Facetec based in the US
• Facetec claims the right to track users via Cookies for ad purposes

BlueSky

• BlueSky use Kid Web Services for age verification
• Services are restricted including not using direct messaging without being age verified first
• KWS employs browser fingerprinting and refuses to respect Do Not Track signals

Reddit

• Reddit use US-based Persona.
• Persona claims the right to use information for business research which might include AI training, for example.
• Persona state they may retain information handed to them for up to three years.
• Reddit are collecting birth dates, in order to target their advertising.
• Reddit are restricting content for users who are not age verified.