That 10-Second Age Check on Your Kid's Game? It Keeps Their Face Forever.

Here's something that should stop you mid-scroll: age verification software used by PlayStation and Meta was recently found to be collecting detailed device data — things like your CPU architecture, available RAM, operating system version, and connection type — that have absolutely nothing to do with figuring out how old you are.

That's the part nobody tells you. The user-facing flow is fast, friendly, maybe even reassuring. You hold up your face or your ID, a little checkmark appears, and you're in. Done. But behind that checkmark, a very different thing just happened — and it involves more of your personal data than you probably realize.

The "Quick Check" That Isn't Quick to Disappear

Age verification has been quietly spreading beyond adult websites. It's now showing up in mainstream gaming platforms, social apps, and online spaces that millions of families use every single day. The safety argument is real — nobody wants 10-year-olds accessing content built for adults. But the privacy question is just as real, and it's the one that's not getting nearly enough attention.

So let's actually walk through what happens when one of these checks runs.

In many systems, you're asked to either upload a government ID paired with a selfie, or let your camera take a short video so the software can estimate your age from your face. That second method — facial age estimation — sounds less invasive because you're not handing over a document. But here's the catch: it replaces document certainty with a probability score, and the data that gets logged in the process doesn't vanish after the check passes.

According to a report covered by Kotaku, the age verification software in question wasn't just collecting age-related signals. It was pulling high-resolution device data — the kind of information that can uniquely identify your phone or computer like a fingerprint — and sharing some of it with fourth parties (companies once removed from the verification vendor itself), including payment processors. That data was then potentially usable for tracking your device across services, completely unrelated to whether you're old enough to play a video game. This article is part of a series — start with Age Verification Identity Data Security Risks.

The Vendor You Never Agreed To

Here's the part that makes this tricky to understand — and also the part that explains why so many people get it wrong.

When PlayStation or Meta runs an age check, they're not usually doing it themselves. They hire a third-party verification vendor to handle it. That vendor does the actual data collection, the facial analysis, the document matching. And that vendor operates under its own privacy policy — not the platform's. So when you read Meta's privacy page, you might not realize that a different company's rules apply to the age-check data.

Think of it this way. Imagine a nightclub hires an outside security firm to check IDs at the door. The club promises on its website that it only collects your ticket information. But the security firm — the people actually doing the checking — is also photographing your shoes, timing how long you pause before answering questions, and quietly passing all of that to a shoe retailer and a behavioral analytics company you've never heard of. The club isn't lying, exactly. But the architecture of the arrangement means the club's promises don't fully cover what's happening at the door.

That's exactly the structural problem with delegated age verification. The platform makes promises. The vendor operates independently. And the data flows from there.

"Most players assume that when platforms ask them to verify age, that process lives within those companies' own privacy frameworks — but the reality is that a third-party vendor is doing the actual verification work, and that vendor operates under its own data policies." — Analysis via GAMES.GG

Why the Data Doesn't Just Disappear

Here's the misconception almost everyone carries: "It's just a quick check — the data disappears once it's done." It makes sense that people think this. The whole experience is designed to feel momentary. A few seconds, a checkmark, move on.

But think about it from the vendor's perspective. If a regulator later questions whether a 14-year-old got through the check, the vendor needs to prove the system worked. That means keeping records. Verification logs, facial image data, device information, timestamps — all of it needs to be stored long enough to defend decisions to authorities. Every one of those stored records is then a potential target if the vendor ever gets breached. You didn't just complete a check. You added your family's data to a database that has real-world risk attached to it. Previously in this series: He Wired 25m After A Video Call With His Boss His Boss Wasnt.

And the retention policies? According to Freezenet.ca's technical breakdown, those policies are often vague, user consent flows are confusing, and there's limited clarity on how long information is kept or who else can access it down the line. "We may retain data as required by law" is doing a lot of heavy lifting in a lot of privacy agreements.

Here's another wrinkle. When the ID-plus-selfie method is used, a face template gets created — basically, a mathematical map of your facial features converted into a string of numbers. That template and your document image leave your device and sit with the vendor. Even if the vendor later deletes the selfie, the mathematical representation of your face may still exist in a log. And face templates, unlike passwords, cannot be changed if they're ever exposed.

The Bigger Shift Nobody's Announcing

What's worth paying attention to here isn't one bad vendor or one privacy report. It's the direction of travel.

Age verification started on adult websites. It was niche, and most people could reasonably opt out of those spaces. But now it's spreading into gaming platforms, social media, streaming services — places that are just part of daily life for families. The compliance pressure is real: governments in multiple countries are passing laws requiring platforms to keep minors away from certain content. Platforms have to respond. So they're building age-verification infrastructure fast, and that infrastructure is becoming a permanent part of how online identity works.

That's a significant shift. We're not talking about a one-time birthday check anymore. We're talking about a layer of identity verification that will sit underneath more and more of ordinary online life — and that layer is currently being built with unclear data retention rules, fragmented vendor accountability, and consent flows that most users click through without reading.

As people who study how biometric data (your face, fingerprints, voice — the body stuff that's uniquely you) flows through systems, this is exactly the kind of architecture worth examining closely. The data collected for a safety purpose in one context — verifying a child's age — can end up stored, shared, and retained in ways that serve entirely different purposes. That's not a conspiracy. It's just what happens when the infrastructure gets built faster than the safeguards do. Up next: Your Face Cant Be Reset The Hidden Cost Of Proving Youre Ove.

Only roughly 14% of sites that are supposed to be doing age verification in states with legal mandates are actually doing it — yet the systems being built to close that gap are collecting far more data than a simple yes/no check requires. The stated goal and the actual data footprint don't match.

The safety goal behind age verification is genuine. Nobody's arguing children should have unrestricted access to harmful content. But "we're doing this for the kids" doesn't automatically mean the data handling is trustworthy — and those two things need to be evaluated separately.

Next time an app asks your family for an age check, picture that nightclub door. The question isn't just whether the guard lets you in. It's what they're writing down while they do it, who they're sending it to, and whether any of that stops when you walk away.

Because right now, for a lot of these services? It doesn't.