UK’s Online Safety Act Forces Age Verification—But Discord’s Rollout Exposes Major Privacy Risks

The UK has become the first major market to enforce mandatory age verification for online platforms under its Online Safety Act, but the implementation is already sparking backlash over privacy, security flaws, and the potential for overreach. While the law aims to protect children from harmful content, the methods being deployed—particularly by Discord—reveal a fragmented, often opaque system that could erode trust in digital identity verification altogether.

Starting this month, UK users accessing platforms like Discord, Reddit, and Xbox must submit to age verification checks. The process varies: some platforms rely on third-party vendors like KWS or Persona to scan IDs or facial features, while others use existing account data. Discord, for instance, initially tested facial recognition via Persona but has since shifted to K-ID’s on-device processing, though even this approach has faced criticism after a recent security breach exposed 70,000 age-verification ID photos—including names, usernames, emails, and credit card details.

Who does this affect?

The immediate impact is felt by UK residents, but the ripple effects could extend globally. The UK’s model is being watched closely by other governments, including the US, where similar laws are in development. For now, non-UK users are largely unaffected, though platforms may eventually adopt these measures worldwide if they prove effective—or if regulators demand it.

How is it rolling out—and what’s going wrong?

• Discord’s mixed approach: The platform first partnered with Persona, a vendor with ties to Palantir (a company linked to US immigration enforcement). Persona’s servers were reportedly exposed online, raising alarms about data security. Discord now uses K-ID, but the shift doesn’t resolve deeper issues—such as the fact that age verification data is still being collected and processed, even if temporarily.
• Workarounds are already emerging: Security researchers and users have bypassed Discord’s facial scans using 3D models or manipulated photos, exposing flaws in the system. Discord has acknowledged these vulnerabilities but has not yet confirmed whether it will patch them.
• Privacy concerns dominate: Beyond the risk of data leaks, the use of third-party vendors introduces new risks. KWS, for example, has faced scrutiny over its handling of biometric data, while Persona’s involvement—even in a limited test—highlighted the blurred line between age verification and surveillance infrastructure.

The UK’s experiment is far from over. If the current rollout proves unstable—whether due to technical failures, privacy backlash, or regulatory pressure—other countries may hesitate to adopt similar measures. Meanwhile, platforms are caught in a bind: comply with increasingly strict laws or risk fines, but at the cost of user trust. For now, UK users have few alternatives—even free Discord competitors are likely to implement their own age checks to remain operational.

One thing is clear: the UK’s approach to online safety is setting a precedent, but the trade-offs between protection and privacy remain unresolved. As more platforms scramble to comply, the question isn’t just whether these systems work—but whether they can be trusted.