When Age Gating Puts User Privacy at Risk

Matt Brennan, Graham Muise / Jan 14, 2026

Many countries have begun implementing laws around online age verification, with the goal of keeping youth safe from adult content. However, the lack of informed discussion about the risks to privacy and security could leave adults and youth alike in unexpectedly vulnerable positions. For example, Canada’s Bill S-209, “An Act to Restrict Young Persons’ Online Access to Pornographic Material,” claims that “age-verification and age-estimation technology […] can now effectively ascertain the age of users without breaching their privacy rights.” Unfortunately, age-gating legislation takes user privacy for granted without properly substantiating its assumptions about technological efficacy, privacy protection, and real-world implementation.

Where the risks arise

Internet users are increasingly expected to forgo an expectation of privacy to access age-gated websites. These websites may collect personally identifiable information (PII), among other user-inputted data, to verify a user’s age. An effective age-verification system must both deny website access to users below a predetermined age and maintain the privacy and security of all users’ PII.

When websites or third parties collect PII, it becomes a high-value target for cybercriminals. This tests the limits of the cybersecurity industry’s best practices for data privacy and security. User data may be compromised not only through attacks by malicious actors, but also through human error or infrastructure damage. Risk increases when data passes through additional processing steps or is stored in multiple locations, both of which are common features of age-verification systems.

The nature and severity of these risks depend on the verification methods used. There are generally three types of verification methods. The first relies on government-issued or financial IDs, sometimes combined with a real-time photograph. Uploading scanned identity documents is fundamentally riskier than an in-person verification, as that data must be stored for a period of time. In the event of a breach, stolen copies of identification documents can significantly increase the risk of identity theft.

Biometric verification systems typically use facial scans and AI-based age estimation. If biometric data is compromised, the consequences are particularly severe since biometrics are a physical part of the person that cannot be replaced. These systems also raise concerns around accuracy. Facial hair, make-up, lighting, and camera quality can alter perceived age. Accuracy is lower for women, many racialized communities, and for those with certain medical conditions or scarring. The accuracy rates for age estimation introduce variation that could allow minors access or improperly exclude some adults.

Attribute-based verification presents a comparatively lower privacy risk by confirming only that a user meets an age threshold, such as being over 18, without transmitting identity data. This approach often relies on a secure medium, such as a mobile app on the user's device, reducing the number of parties with access to sensitive data.

Implementation and policy challenges

Like Canada’s Bill S-209, many countries require a third party to perform age authentication, rather than trusting the websites to do it directly. This opens up additional avenues for security breaches by adding another stakeholder responsible for data handling and user privacy. The digital age-verification industry is still emerging, and best practices haven’t been firmly established.

Audits of third-party authenticators are necessary to uphold data privacy and security, but auditing itself introduces new risks. Demonstrating compliance often requires retaining data or metadata, which keeps sensitive information in systems longer and increases exposure to breaches, errors, or cascading failures. If one part of the verification chain is compromised, it may be possible to trace and exploit connected systems, regardless of the original data source.

Reliance on third-party verification also creates operational risks. If an authenticator fails to deliver, causes delays, or goes out of business, the primary website and its users are affected. These risks are heightened when certification of a provider comes from the government.

Aggregated PII is extremely valuable for cybercriminals, and less reputable websites may ignore age-verification requirements or data-handling best practices. Because pornography and adult content are often treated as secretive or taboo, normalizing the submission of ID prior to access may create new avenues for blackmail if the data is leaked.

Phishing scams are also likely to increase. The shift from long-standing advice, such as “avoid entering your credit card or PII” on the internet, especially on adult sites, to “you must give your PII” to access adult content is likely to cause confusion and costly mistakes. Technological improvements alone won’t solve these issues, as bad actors adapt alongside advancements in security.

Finally, there is a broader policy challenge created by a patchwork of legislation. This fragmentation makes compliance more difficult for all stakeholders and accountability less clear for users. When breaches or non-compliance occur, the courts will be left to adjudicate jurisdiction, enforcement, and liability after a harm has already occurred.

While there are many conversations around what may be gained by implementing age verification, there also needs to be a meaningful conversation about what is at risk of being lost. Age-gating can drive users to less reputable sites or to alternate methods of access, such as through a VPN, creating a balancing act in which efforts to prevent harm to youth may open adults up to other privacy and security risks. Lawmakers should therefore reconsider the overall design of age-gating schemes by exploring viable alternatives, developing clear technological guidelines, and ensuring legislation includes enforceable provisions to protect user privacy, including harmonizing with existing privacy frameworks.

Authors

Matt Brennan
Matt Brennan is a third-year Juris Doctor Candidate at the Schulich School of Law at Dalhousie University. Prior to law school, Matt worked as an environmental inspector, gaining practical experience with regulatory compliance and resource management for utility operations. Following graduation in M...
Graham Muise
Graham Muise is finishing their final year in the Juris Doctor Program at Dalhousie University, with specialties in Health Law, and Law and Technology.
