PrivacyJuly 9, 20267 min read

What Does Online Age Verification Actually Do With Your Face and ID?

By Scott, Clearfront founder

When a website asks you to prove your age, you rarely give the site itself anything. You hand a third-party verification company a photo of your face, a scan of your government ID, or both, along with your device and network details. What that company does with the data next is the real question, and a 2026 controversy over one of the largest providers, Persona, brought it into focus. Here is what age-check systems collect, how long they can keep it, what the Persona disclosure did and did not show, and how to expose less.

What does online age verification actually collect?

It depends on the method, but most checks capture more than an age. A facial age estimate takes a selfie, an ID check takes a photo of your passport or driving licence, and both usually record your IP address and a device or browser fingerprint at the same time. Some verifiers run wider identity checks on top of the age question.

The common age-check methods, from least to most data-hungry:

  • -Self-declaration: you tick a box. Almost no data, and regulators no longer accept it as effective.
  • -Facial age estimation: a selfie is analysed to estimate your age range, without necessarily identifying you.
  • -ID document upload: you photograph a government ID, which ties the check to your full identity.
  • -Digital ID or reusable identity: a third party holds your verified identity and vouches for you across sites.

How long do age verification companies keep your data?

That varies by vendor and by law, and it is where the risk sits. A regulator's demand for a highly effective age check, as Ofcom requires in the UK, sets a bar for accuracy but does not fix a deletion deadline. Some vendors say they delete an image within minutes, others retain identity records for months or years.

In the Persona case, chief executive Rick Song said the company retains identity data only as long as necessary, while researchers who reviewed its exposed code said the system could hold some data for up to three years. Read any age-check vendor's retention policy before you upload anything, because the copy of your ID outlives the moment you use it.

What was the Persona controversy?

In February 2026 a security researcher found an exposed non-production frontend for Persona, a US identity-verification firm used by large online platforms, sitting on a public subdomain. The exposed files were a copy of the software's interface, not a customer database.

Reviewing that code, researchers and outlets including Malwarebytes and Cybernews reported that the software supports up to 269 verification checks, can match faces against watchlists and politically exposed persons, screens adverse media, and contains modules capable of filing suspicious-activity reports to US and Canadian financial-crime agencies. The reporting framed this as age verification shading into broader identity screening.

Persona pushed back. The company said the exposed environment was isolated from production and that no personal data was exposed, that no single customer uses all 269 possible checks, that it is not partnered with the Department of Homeland Security or ICE, and that it does not want its technology used for government surveillance. It published a post-incident review setting out its account.

So is your age verification data safe?

The honest answer is that the biggest risk is not one dramatic hack, it is scope and retention. Even when a check works exactly as sold, you are handing identity data to a company whose other products may do far more than confirm you are over 18, and that record then sits somewhere, able to leak, be subpoenaed, or be repurposed later. A face and an ID are not passwords: you cannot reset them, and a face can be searched back to you across the web.

How to expose less in an age check

  1. 1.Prefer facial age estimation over a full ID upload where a site offers the choice, since an age range reveals less than your passport.
  2. 2.Use a platform-native check over a broad third-party identity service when you can.
  3. 3.Read the retention policy: look for how long the image and any ID copy are kept and whether they are deleted after the check.
  4. 4.Do not reuse a throwaway account that already links to the rest of your identity.
  5. 5.Decide if the service is worth it at all, because the most private ID is the one you never upload.

You often cannot avoid an age check, but you can control how much of the rest of your identity is already sitting in public for anyone to pull together. Clearfront scans your digital footprint in one sweep on your own machine, the accounts, breaches, and records tied to your name, so you can see and shrink what is exposed. Install Clearfront free to check your own footprint, or get the free removal guide to start clearing it.

Frequently asked questions

Does online age verification store my ID or my face?
It can. Facial age estimation may delete the selfie quickly, but an ID upload creates a copy of your document, and retention varies by vendor and by law. Check each provider's policy for how long it keeps the image.
What did the Persona leak actually expose?
Researchers found an exposed non-production copy of Persona's software interface, not a customer database. Persona says no personal data was exposed and that the environment was isolated from production. Reporting and the company disagree on how far its capabilities reach.
Can I do age verification without uploading my ID?
Sometimes. Many services now offer facial age estimation, which estimates your age range from a selfie without a document. Where only ID upload is offered, your options are to accept it or not use the service.
Is facial age estimation the same as facial recognition?
No. Age estimation guesses an age range from a face without identifying you. Facial recognition matches a face to a named identity. Some systems can do both, which is why it is worth knowing which one a service uses.

I believe your personal data is yours to own and protect. I built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and I write here about OSINT, breach exposure, and personal privacy.

Scott

Clearfront founder