Age verification in the UK and EU must comply with the GDPR (and UK GDPR). That means a clear lawful basis, special care for biometric data, and data minimisation. Getting this wrong can lead to fines and reputational damage.

Lawful basis. Processing for age verification will usually rest on legal obligation (where a law requires it) or legitimate interests (e.g. protecting minors and your service). Document which basis you use and why. If you rely on legitimate interests, run a balancing test and explain how you mitigate impact on individuals (e.g. by not storing IDs or faces).

Biometric data. Face images and any derived biometric templates are special-category data under the GDPR. You need both a lawful basis and an additional condition (e.g. substantial public interest, or explicit consent where appropriate). Even then, the principle of data minimisation applies: if you can verify age without storing the face or a reversible template, you should. Privacy-preserving age verification that processes the face in memory and keeps only a non-reversible representation or a token is strongly aligned with this.

Data minimisation. Only collect and retain what is strictly necessary. Prefer solutions that return a simple outcome (e.g. "18+") and an audit ID rather than raw documents, birth dates, or face images. Retention periods should be defined and short where possible; many regulators expect verification data to be deleted or anonymised once the purpose is fulfilled.

The ICO (UK) and national DPAs in the EU have published guidance on age assurance. Review it, map your flows to the principles above, and choose providers that support minimal retention and clear documentation for audits.