New cybersecurity research indicates that one of the world's leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties. The research also reveals that most websites that require age verification don't enforce the policy.
The findings come from a new study, "Papers Please: A First Look at Age Verification on the Web," that researchers from the Georgia Institute of Technology and the University of California, Irvine (UC Irvine) presented on May 20 at the IEEE Symposium on Security and Privacy (SP 2026) conference in San Francisco.
The research team examined Yoti, a London-based company that provides age-verification services for an estimated 60% of websites that require it. Its client list includes Meta, OnlyFans, Sony PlayStation, and TikTok.
The research team determined that the process Yoti uses to verify a person's age broadcasts the person's personal information to third- and fourth-party companies.
When a bartender checks an ID, they quickly verify a customer's date of birth and identity before serving them. Companies like Yoti that employ digital age verification claim their products function the same way, but in a completely private manner.
