How Persona supports age verification and privacy online
Addressing these potentially competing priorities is difficult with today’s technology, and it's an active area of work for government agencies and private organizations alike. But we think there’s a potential path forward if regulations and organizations limit what you have to share, who you have to share data with, and how your data can be used.
Editor’s note: Although we use age assurance and age verification interchangeably for simplicity, there are important differences. For example, some laws require companies to verify a user’s age, which might require the company to know the person’s identity and verify their date of birth with a government-issued ID or authoritative database. Others require companies to assess a user's age, which may include inferring or estimating whether the user is below an age threshold. The company may only need to “step up” to a verification request if the user is likely below or near the age threshold. Learn more about the differences between age assurance and age verification.
Age assurance and age verification laws generally target one of two goals.
Taking a step back, many questions about online privacy stem from a new wave of age assurance laws that often have similar, but not identical, goals:
Restrict access to adult content and services: Some laws limit access to adult or age-restricted content and products, such as pornography, online gambling, and alcohol or tobacco sales. For example, over 25 states have laws requiring people to verify they’re over 18 (and not just click a box saying they are) to access pornographic websites.
Gate internet content for children: Some laws approach online safety from the angle of limiting what children can see or access on the internet. For example, Australia requires children to be at least 16 to access social media. In the UK, residents have to be at least 18 to access content that might be harmful to minors, including content promoting suicide or self-harm.
It often falls to the company running the website to enforce these restrictions and pay the penalties if it doesn’t. As a result, by definition, age assurance and verification laws require organizations to know whether a user is above or below a certain age threshold.
You shouldn’t have to share personal information with every website.
You may be asked to share some personal information with companies that are complying with age verification laws, but that doesn’t mean you should have to share more than is necessary. After all, companies don’t need to know your precise age, or even your name, to know whether you’re above a specific age threshold. And there are many ways to infer, estimate, and verify age.
We think one of the best options to protect your privacy is a “double-blind” approach to age assurance, combined with data minimization principles.
Essentially, the double-blind approach creates a structural guardrail against blanket surveillance and centralized data storage. The specifics may vary depending on local regulations, but they all involve separating responsibilities and access. For example:
Companies ask users about their age to comply with age verification laws, which they can often do without knowing the user’s identity.
Identity providers like Persona determine whether a user is over a certain age or is submitting their genuine documents.
In other words, if an organization has to know how old you are, it shouldn’t need access to other identifying information. And if an age assurance vendor has to know who you are, it shouldn’t know what site or app you’re accessing or what you’re doing.
Data minimization essentially means that companies should collect, use, and store the minimum amount of personal data needed. For instance, the identity provider should automatically redact unnecessary information from documents it collects. Then, it should automatically delete data as quickly as possible once the result is confirmed.
Minimizing what’s collected and stored is important for privacy and safety. Hackers have breached numerous private companies and public agencies, exposing sensitive data about millions of people. We can’t just cross our fingers and hope it won’t happen again.
How can privacy-preserving age verification work?
Some age assurance methods are more private than others, and organizations ideally (and sometimes are legally required to) assess age with the least amount of data possible. We help facilitate that in different ways, including selfie age estimation and email-based age inference.
We’re also actively working on even more privacy-preserving options. For example, we recently launched Persona Relay, which gives companies a new way to assess claims, including age. If you visit a website using Persona Relay, here’s what happens:
Give consent: You agree to use Relay to verify your age.
Verification: You’re sent to a Persona verification page, and Persona collects the minimum amount of information required to verify that you’re above a certain age. Persona doesn’t know what website or page you’re coming from to complete the verification.
Yes/no result: Relay sends a yes/no result to the website without sending any underlying identity information.
Relay uses the IETF’s Privacy Pass, which uses blind signatures to help enforce this separation. The privacy-focused search engine Kagi has a clear explanation of how the Privacy Pass works. You can also learn more about Persona’s verifications and approach to privacy on our privacy page.
FAQs
How can age verification work without sharing specific age data?
Toggle description visibility
There are many privacy-preserving methods for verifying whether a person is above an age threshold. For example, in some countries, banks, credit card issuers, and telephone companies can help verify age without sharing a date of birth. It’s also possible to infer or estimate whether someone is older than a specific age based on their selfie, email account, and how they interact with a website.
How can age verification work without storing personal data?
Toggle description visibility
To avoid storing personal data, organizations that verify a user’s age can delete personal information immediately after verification. Additionally, many companies use third-party age verification providers. If the provider only shares whether a person meets an age requirement (such as over 16 or over 18), the organization won’t receive or need to store other personal data.
How do age verification and Know Your Customer (KYC) checks differ?
Toggle description visibility
A Know Your Customer (KYC) check is a regulatory requirement related to anti-money laundering (AML) and counter-terrorism financing (CTF). Among other things, it requires financial institutions to verify a new customer’s name, date of birth, address, and tax identification number.
Age verification laws generally require companies to verify that users are over a certain age. Many laws don’t require companies to use specific methods or collect other personal information by default. However, some laws or situations lead companies to run a database check or ask for a government-issued ID to verify age with more certainty.
What data does Persona collect during age verification?
Toggle description visibility
The specific data Persona collects depends on the organization, regulatory requirements, and situation.
For example, a social media platform in Australia could use Persona to assess a user’s age with ConnectID®, which creates a secure private identity exchange between the platform and the user’s bank. Persona and ConnectID only see the final age result, such as “over 16,” and don’t see or store any other personal or banking information.
But there are also times when companies use Persona to verify age through other means, such as collecting a government ID to verify your date of birth.
What happens to the age verification data that Persona collects?
Toggle description visibility
By default, Persona automatically deletes all your personal data as soon as we complete the processing and determine an outcome. However, Persona’s customers may retain certain data for longer periods to comply with regulations or detect, investigate, and prevent suspicious or fraudulent activity.
Persona uses secure, automated systems to analyze the data collected during an age assurance or verification request. We use industry-standard safeguards, including encryption, secure storage, and access controls, to protect your information during the verification process.
Does Persona sell or share data collected during age verification?
Toggle description visibility
No, Persona never sells people’s personal data, doesn’t act as a broker for personal data, and never uses personal data for marketing or any purpose other than providing age assurance services. Sharing or selling data has never been part of Persona’s business model.
Do age verification companies have any certifications or standards?
Toggle description visibility
Yes, there are standards and certifications that are specific to age assurance, privacy, and data security. These include the ISO 27566-1 age assurance framework, IEEE 2089.1-2024 international age assurance standards, ACCS 1:2020 requirements for age estimation technology, and ISO 27001 for data security.