Age‑Verification Provider Yoti Leaks Facial Data to Third Parties
Study reveals Yoti shares users' facial images and device fingerprints with third parties, while many sites fail to enforce age checks.

TL;DR: Researchers report that Yoti, which handles age checks for roughly 60% of age-verification sites, transmits users' facial photos, IP addresses and device fingerprints to multiple third parties, and that many sites legally required to verify age do not enforce the check at all.
Context
Age-verification laws now exist in 25 U.S. states, covering more than 40% of the population. The statutes require sites to run a digital age check before granting access to social media or adult content, so that minors can be turned away. Companies such as Meta, OnlyFans, Sony PlayStation and TikTok rely on Yoti, a London-based service, to satisfy those requirements.
Key Facts
- Yoti processes age checks for an estimated 60% of compliant websites.
- Field measurements showed that most sites subject to the laws fail to enforce any verification step.
- When a verification does occur, Yoti forwards the user's facial image, IP address and a device fingerprint to credit-card processors, IP-geolocation services and data-broker platforms.
- The data flow mirrors a bartender who not only checks an ID but also photocopies it and hands the copy to unrelated vendors.
- Researchers presented these findings at the IEEE Symposium on Security and Privacy (SP 2026) in San Francisco.
What It Means
The privacy promise embedded in state legislation, keeping minors' data private, collapses when the verification service itself becomes a data conduit. Users expecting a simple age check are instead exposing biometric and device identifiers to entities unrelated to the site they are visiting. The lack of enforcement on many sites further erodes the intended protective barrier, creating a false sense of security for both users and regulators.
Mitigations
- Audit third-party integrations: review contracts with age-verification providers and demand explicit data-handling clauses that name every downstream recipient and forbid onward transfer of images and device data.
- Practise data minimization: require that the provider return only what the site needs (an over/under-age result, or at most a birth year), never the image or device fingerprint. Note that when the provider's SDK runs in the user's browser, the selfie travels from the user's device straight to the provider, so the integrating site cannot filter that flow at its own network edge; the constraint has to be contractual or designed into the integration.
- Inspect outbound traffic where you actually can: TLS inspection with DLP can detect unauthorized transfers of biometric data from systems you operate, but it sees nothing of browser-to-provider or provider-to-vendor traffic.
- Adopt privacy-preserving verification: prefer zero-knowledge proofs or signed, token-based age attestations that confirm an age predicate without carrying personal identifiers.
- Monitor compliance: run automated checks confirming that the age-verification prompt actually appears on every property subject to the laws and that the verification flow matches policy.
Looking Ahead
Watch for legislative updates that may tighten data-sharing restrictions for age-verification services, and for emerging standards that enable privacy-preserving age attestations.