Yoti Shares Sensitive Data While Most Age‑Check Sites Skip Verification
Study finds Yoti leaks facial photos and device data while most age‑verification sites ignore legal requirements, raising privacy and compliance concerns.

TL;DR: Yoti, the dominant age‑verification provider, transmits users' facial images, IP addresses and device fingerprints to multiple third parties, while the majority of sites subject to age‑verification statutes fail to enforce any check.

Context

The IEEE Symposium on Security and Privacy (May 20, 2026) featured a study by Georgia Tech and UC Irvine researchers titled *Papers Please: A First Look at Age Verification on the Web*. The work examined digital age‑verification practices in the United States, where 25 states have enacted laws requiring online platforms to verify a user’s age before granting access to social media or adult content.

Key Facts

- Yoti, a London‑based service, powers age checks for roughly 60% of compliant websites, including Meta, OnlyFans, Sony PlayStation and TikTok.
- The researchers observed that a single verification request can expose a user’s facial photograph, IP address and a device fingerprint to credit‑card processors, IP‑geolocation providers and data‑broker networks.
- Assistant Professor Michael A. Specter noted that legislation promises data privacy, yet Yoti’s implementation openly shares the data with fourth‑party entities.
- Field measurements revealed that most sites covered by state laws do not actually present an age‑verification gate; many operate without any check at all.
- Some sites in states without legal requirements still deploy verification, suggesting a trend toward broader liability avoidance.

What It Means

The findings expose a paradox: laws intended to protect minors create a new privacy risk by forcing users to surrender biometric and device data to a supply chain of third parties. For security teams, the data flow expands the attack surface; any breach at a downstream broker could reveal a user’s identity and location. Moreover, the uneven enforcement across states threatens a fragmented U.S. web, where users in one state may face stricter barriers than those in another, complicating compliance and user‑experience strategies.

Mitigations

- Conduct a data‑flow audit to identify any third‑party age‑verification services in use and map the information they receive.
- Where possible, replace Yoti with in‑house verification that stores only the minimum required data (e.g., date of birth hash) and discards biometric images after validation.
- Implement network‑level monitoring for outbound connections to known credit‑card, geolocation and data‑broker domains during verification flows; block unnecessary transmissions.
- Update privacy policies to reflect the actual data shared and obtain explicit consent for biometric collection.
- Follow emerging guidance from the National Institute of Standards and Technology (NIST) on privacy‑preserving identity verification, and stay alert for any CVEs related to SDKs used by age‑verification vendors.
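
One way to start the data‑flow audit listed above, as an added example that is not taken from the study or from any vendor: a script that reads a browser HAR capture of a verification flow and maps each third‑party host to the data categories it received. The hosts, field names and the `DEVICE_KEYS` list are constructed assumptions; replace them with values from your own capture.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed key names that suggest device fingerprinting; tune to your own capture.
DEVICE_KEYS = {"device_id", "canvas_hash", "screen", "user_agent", "fingerprint"}

def _body_keys(post):
    """Return the top-level field names of a JSON or form-encoded request body."""
    text = post.get("text", "")
    try:
        data = json.loads(text)
        return set(data) if isinstance(data, dict) else set()
    except ValueError:
        return {k for k, _ in parse_qsl(text)}

def audit_har(har, first_party):
    """Map each third-party host in a HAR capture to the data categories it received."""
    seen = defaultdict(set)
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        host = url.hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is out of scope for this map
        seen[host].add("client_ip")  # any direct connection reveals the client IP
        post = req.get("postData", {})
        keys = _body_keys(post) | {k for k, _ in parse_qsl(url.query)}
        if keys & DEVICE_KEYS:
            seen[host].add("device")
        if post.get("mimeType", "").startswith("image/") or "data:image/" in post.get("text", ""):
            seen[host].add("image")
    return {h: sorted(c) for h, c in seen.items()}

# Constructed HAR 1.2 excerpt; hosts and field names are invented for illustration.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://shop.example/age-gate", "method": "GET"}},
    {"request": {"url": "https://verify.vendor.example/v1/check", "method": "POST",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"selfie": "data:image/jpeg;base64,AAAA",
                                                  "device_id": "d-123"})}}},
    {"request": {"url": "https://geo.broker.example/lookup?screen=1920x1080", "method": "GET"}},
    {"request": {"url": "https://cdn.shop.example/app.js", "method": "GET"}},
]}}

if __name__ == "__main__":
    for host, cats in audit_har(SAMPLE_HAR, "shop.example").items():
        print(host, cats)
```

The resulting host‑to‑category map is the input for the outbound allow‑list in the monitoring step: any host that appears here without a documented purpose is a candidate for blocking.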

What to Watch Next

Legislators are drafting similar age‑verification rules in additional states and at the federal level. Track upcoming bills and any regulatory guidance that may mandate stricter data‑handling standards for verification providers.