Your Kid Scanned Their Face for TikTok. A Stranger Kept It for 3 Years.

Picture this: your teenager signs up for a new app. The app asks them to prove their age — maybe a photo of an ID, maybe a face scan. Fine. But then what? Who keeps that photo? For how long? And what happens to it if that company gets hacked, sold, or just decides your kid's face is worth more as data than as a privacy-protected record?

Malaysia just answered that question — loudly — and the answer is: nobody keeps it. Delete it when you're done.

The Rule That Sounds Obvious — But Isn't

On June 1, 2026, Malaysia's Online Safety Act 2025 kicked in with teeth. Under the Child Protection Code — issued on May 22 by the country's communications regulator, the MCMC — social media platforms are now legally required to stop anyone under 16 from creating an account. That part you've probably heard before. Lots of countries are trying to do that.

But here's the part nobody's really talking about: platforms cannot keep the age-verification data once they've used it. They check your age, they delete the proof. Done.

The technical phrase for this is "data minimization and purpose limitation" — which basically means only collect what you need, use it only for the reason you said you would, then get rid of it. Malaysia isn't just recommending this as good practice. It's law. Ignore it, and you're looking at enforcement action including financial penalties.

That distinction — between checking age and keeping age-verification files — is the whole story. And it's one that most governments, tech companies, and parents haven't fully separated in their heads yet. This article is part of a series — start with 1 In 3 Teens Now Hit By Fake Ai Nudes Heres What To Do Tonig.

What Platforms Have Been Doing Instead

Here's where it gets uncomfortable. When you or your kid uploads a photo of a government ID, a selfie, or goes through a face-scanning check to prove age on a platform, that data doesn't just evaporate. Platforms often hand that verification job off to third-party vendors — specialized companies whose entire business is checking identities.

And those vendors? They hold onto your data. For a long time.

Let that land for a second. Your 14-year-old scans their face to prove they're old enough for TikTok. A vendor stores that face scan, their name, and their ID number — for three years. That data is now sitting somewhere, waiting to be hacked, sold, or subpoenaed. All so a social media app could confirm a birthday.

Malaysia is saying: that's not the deal. The deal is one check, then delete the file. One use. Not a permanent dossier.

Why This Is Actually a Hard Problem

Nobody's pretending this is simple. There's a real tension here, and it's worth naming it honestly.

On one side: parents and governments are genuinely worried about kids on social media. Roughly half of all U.S. states now require some kind of age-gating for social media or adult content, according to Agemin's global age-verification tracker. The Philippines just passed legislation mandating age checks on social platforms. The pressure to verify is real, coming from real places, for real reasons.

On the other side: every time a platform checks your age, it creates a privacy risk. The more data collected, the bigger the target. And the longer it's kept, the more ways it can go wrong. Previously in this series: That Urgent Call From Your Boss Its Costing Companies 35 Mil.

"Implementing a blanket ban on social media using age verification through government-issued documents is disproportionate, not rights-respecting, and endangers sensitive personal data — a user uploading their biometric data and government-issued documents cannot be certain it will never be further shared or sold." — ARTICLE 19, international freedom of expression organization

That's a legitimate concern. In March 2026, more than 400 experts from around the world called for a full moratorium — a pause — on age-verification technologies until their effectiveness could actually be proven. Their core argument: we're rushing to collect sensitive data without knowing if it even works to keep kids safer.

Malaysia's answer isn't to stop verifying. It's to verify, then erase. Whether that's technically workable at the scale of a platform with hundreds of millions of users — that's the open question nobody has fully answered yet.

The Communications Minister's Clear Line

Malaysia's Communications Minister Fahmi laid out the government's position plainly: social media age checks are specifically aimed at keeping under-16s off platforms — not at building government-readable profiles of everyone who uses the internet. According to Malay Mail, the framework is grounded in data minimization and purpose limitation principles — meaning collect only what you need, use it only for that purpose, then get rid of it.

That's a careful legal distinction. It's the difference between a bouncer checking your ID at the door and then handing it back to you — versus the bouncer photocopying your ID, filing it, and selling the copy to a marketing firm three years later.

The full framework, reported by Biometric Update, includes Malaysia's own MyDigital ID system as a verification tool — and notably, the rules cover not just users but also advertisers on social platforms, who face their own identity-verification requirements. The scope here is larger than just protecting teens. It's a statement about what kind of data infrastructure the country wants social media to build on its soil.

The analysis at TechPolicy.Press puts the challenge well: the design question is whether you can confirm that someone is "over a certain age" without keeping their full document images. Malaysia is legislating that you cannot retain any of it after the purpose is served. Whether platforms can technically architect that — check and instantly destroy — at scale remains the engineering puzzle sitting behind this clean policy language.

What You Can Actually Do Right Now

You can't control what Malaysia's regulators enforce. But you can change how you think about age-verification prompts — for yourself and your kids. Up next: Government Login Identity Verification Malta What It Means F.

When any app or platform asks you to verify age, the right questions to ask are: Does this app have a privacy policy that says what it does with verification data? Does it name the third-party vendor it uses? Does that vendor have a data retention policy you can actually read?

If those answers are buried in legalese or don't exist at all, that's information. Apps that can't explain their data deletion process haven't thought about it — or don't want you thinking about it.

If you've ever looked at a platform and wondered whether your face, your ID, or your kid's personal details are really as "temporary" as they claimed — that's the exact instinct this kind of policy exists to protect. The technical tools for verifying a company's real data practices are getting better, and they matter most in exactly this situation: when the check feels quick and harmless, but the file lives on somewhere for years.

The original reporting from BusinessToday Malaysia makes the stakes clear: platforms that fail to comply face enforcement action and financial penalties. That's not a gentle nudge. That's a government saying this is a real obligation, not a suggestion.

Here's the uncomfortable question we're all going to be sitting with for the next few years: if a platform can verify your age in seconds and then delete the evidence — why have so many of them been choosing not to?