GDPR and Age Verification: Lawful Basis, Biometric Data, and Data Minimisation
10 Mar 2026

AgeOnce Team

How to align age verification with GDPR: lawful basis, handling of biometric data, and data minimisation.

Age verification in the UK and EU must comply with the GDPR (and UK GDPR). That means a clear lawful basis, special care for biometric data, and data minimisation. Getting this wrong can lead to fines and reputational damage.

Choosing a lawful basis under GDPR

Processing for age verification will usually rest on legal obligation (where a law requires it) or legitimate interests (e.g. protecting minors and your service). Document which basis you use and why. If you rely on legitimate interests, run a balancing test and explain how you mitigate impact on individuals (e.g. by not storing IDs or faces).

Handling biometric data (special-category data)

Face images and any derived biometric templates are special-category data under the GDPR. You need both a lawful basis and an additional condition (e.g. substantial public interest, or explicit consent where appropriate). Even then, the principle of data minimisation applies: if you can verify age without storing the face or a reversible template, you should. Privacy-preserving age verification that processes the face in memory and keeps only a non-reversible representation or a token meets this bar.

Applying data minimisation in practice

Only collect and retain what is strictly necessary. Prefer solutions that return a simple outcome (e.g. "18+") and an audit ID rather than raw documents, birth dates, or face images. Retention periods should be defined and short where possible; many regulators expect verification data to be deleted or anonymised once the purpose is fulfilled.

ICO and EU DPA guidance you should review

The ICO (UK) and national DPAs in the EU have published guidance on age assurance. Review it, map your flows to the principles above, and choose providers that support minimal retention and clear documentation for audits.

Frequently asked questions

Usually legal obligation (where a law requires it) or legitimate interests (for example, protecting minors and your service). Document which basis you use and, if it is legitimate interests, run and record a balancing test.

Yes. Face images and any biometric templates derived from them are special-category data. You need a lawful basis plus an additional condition (for example, substantial public interest or explicit consent).

As short as possible. Retain only what you need to prove compliance, typically the verification outcome and an audit ID. Regulators expect raw documents and face images to be deleted or never stored in the first place.

Not always. Where age verification is required by law, consent is usually not the right basis. For biometric processing, consent may be needed as the additional condition, or you may rely on substantial public interest. Document your choice.


This is what we solve with AgeOnce
  • 18+ token and Audit ID only, with no document or face storage
  • Returning users re-verify with a quick face check across your site and partners’ sites
  • One integration for UK, EU, US, Australia (DSA, GDPR, Ofcom, ICO ready)
  • Prove compliance to regulators without holding sensitive data
