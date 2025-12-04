(Credit:Zain bin Awais/PCMag Composite;RichVintage/PhotoAlto/PhotoAlto/Matthieu Spohn/via Getty Images)

By Zephin Livingston

Since the internet began, there has been debate about how websites can ensure that explicit content is only accessed by consenting adults. Whether it’s explicit songs on Spotify or outright violence on TikTok, much of this content has been accessible to anyone.

With recent legislation such as the UK’s Online Safety Act and similar laws in the US, major internet platforms, including Reddit, Spotify, and YouTube, have introduced AI-powered age verification and estimation tools. Pornhub, whose parent company Aylo owns and operates a number of studios and streaming platforms, has also begun reassessing whether to comply with the age verification laws that have seen it banned in over a dozen US states.

The processes for both age verification and estimation involve sending sensitive personal information to the platform you’re trying to access. Age estimation requires a photo or photos of your face; your age will be estimated based on those pictures. Age verification is more precise, but it requires submitting a photo of your government-issued ID, one of the most sensitive documents you can provide to anyone, to the platform.

These tools typically use AI for automated facial recognition. And as we’ve seen with other AI tools, this can have harmful effects for users when there’s no human oversight or a reasonable appeals process. If the AI tool estimates your age incorrectly, it can prevent you from accessing content—or worse. Technology similar to this has been used by law enforcement and apps like Google Photos for years.

You can’t just opt out, either. These age estimation tools also typically come with a penalty for not using them. Most platforms will simply prevent an account from viewing 18+ content, but some, like Spotify, will also delete or deactivate your account if your age is estimated incorrectly and if you refuse to use age estimation or verification in a market where Spotify has a minimum age requirement.

A Spotify spokesperson tells us that users are given “a 90-day period to allow sufficient time for those who are over the minimum age to take the steps required to pass the ID check. If they do not participate in the age check during this time, their account may be deleted.”

As with any tools that gate people off from certain content, it’s hard not to wonder how far these companies could or would take these tools, which are ostensibly used for child safety. Currently, companies like Spotify promise to delete photos or IDs their users upload for age estimation or verification purposes, but will this always be the case? Can you really trust these companies to always keep your data safe?

Should You Trust AI With Your Face?

It may sound like paranoia, but it is a fair question. Your government ID and selfies definitely count as sensitive data. Platforms come and go, and they don’t always tidy up after themselves when they leave. The internet is littered with defunct websites that are an expired license or misconfigured bucket away from spilling all of their users’ personally identifiable information. When 23andMe filed for bankruptcy, it left many users concerned for the safety of their genetic data for this exact reason.

So if, for instance, Reddit is committed to keeping its users’ data safe now as an active website, will it be as conscientious of its users’ data security if it shuts down? When good intentions are not backed up with action, the results can be disastrous. The Tea app, which was ostensibly created to help keep women safer during the dating process, ended up doing the exact opposite when 72,000 of its users’ selfies and photos for identification were leaked in a hack.

Even when companies claim to delete sensitive data or never retain it, this data can still be at risk. For example, the recent Discord hack exposed age verification information, including 70,000 government IDs. The hack was accomplished by breaching a third-party company, 5CA, which Discord contracted to bolster its customer service.

