Age verification promises to protect children, but in practice may create a new problem
Age verification on the internet is usually explained in simple terms: sites need to make sure that a child doesn't end up somewhere they shouldn't be. The idea is sound - to protect minors from adult content, dangerous services or inappropriate platforms.
But a new study shows the downside of this system. To prove that a user is old enough, age verification services can collect a facial photo, document data, IP address, digital fingerprint of the device and other sensitive information. And then some of that data can be shared with third-party companies. The Georgia Tech and UC Irvine study was presented at the IEEE Symposium on Security and Privacy 2026.
At the same time, the researchers found another problem: most sites subject to age verification laws, according to their observations, do not apply such checks. It's a moot point: the system may not work effectively enough, but where it is enabled, users pay for access to the site with their privacy.
Details
The authors of the paper studied how age verification works on websites in the US. There, 25 states have already passed laws that require age verification for access to certain types of online content, including adult content and certain social platforms. These states cover more than 40 per cent of the US population.
One of the main targets of the study is Yoti, a major provider of age verification services. According to the researchers, Yoti is used on more than 60% of the sites where they found age verification in states with such requirements. The company's customers include Meta, OnlyFans, Sony PlayStation and TikTok, among others, in various contexts.
The problem is that online age verification isn't like a situation where a bartender simply looks at a passport and returns it to the owner. On the internet, a user can hand over much more data to a third-party service: a facial image, a document, bank card details, an IP address, browser and device information. The researchers write that some of this information may go not only to third parties, but also to "fourth" parties - companies that are even less visible to the average user.
Such data aren't just dangerous in and of themselves. They can be used to track a device, re-identify a person, and link different user activities online. This is especially sensitive in situations where a person is trying to access legal but private content.
Why it matters
Protecting children online is really important. The problem is not the goal itself, but the way in which it is being tried to be achieved. If, for the sake of age verification, adult users are forced to upload documents, scan their face, or hand over digital footprints to third-party companies, there is a new risk: vast amounts of personal data could be stored, shared, leaked, or used in ways that are not what the user expected.
There's another problem: the fragmentation of the internet. If different states or countries have different rules, the same site may open differently depending on geography. Researchers call this the "balkanisation" of the web: a user in one region sees one version of the Internet, while in another region he sees another.
So the question is not just a choice of "to protect children or not to protect them". The real question is more complicated: can age verification be made in such a way that it does limit access to minors, but does not turn the Internet into a system of permanent identification of all users.
Background
Online age verifications are becoming more and more common. They are not only being discussed in the US: similar approaches are being considered or implemented in various countries for social networks, adult sites, gambling, user-generated content platforms, and other services.
There are also more private technical ideas - for example, systems where the site only receives confirmation of "the user is over the required age", but does not see the passport, face or full identity of the person. However, such solutions have yet to become a mass standard, and the legal, economic and technical hurdles remain serious.
That's why researchers warn: if age verification is implemented quickly and without strict privacy requirements, it could create more problems than it solves.
Source
The study "Papers, Please: A First Look at Age Verification on the Web" was prepared by experts from the Georgia Institute of Technology and the University of California, Irvine. The work was presented at the IEEE Symposium on Security and Privacy 2026.