The Online Safety Act is Forcing Brits to Hand Over Personal Data to ‘Unregulated’ Overseas Corporations With Questionable Privacy Records

Privacy campaigners have told Byline Times of their concern that millions of Britons are being forced to hand over sensitive personal data to opaque overseas firms with questionable privacy records, due to the new Online Safety Act.

From 25 July 2025, social media companies operating in the UK have been compelled to block under‑18s from content deemed unsuitable for children – a process known as age‑gating. The Government claims that the measures will make children safer online, preventing them from accessing pornography, self-harm and eating disorder-related content. 

However, social media companies and dating apps often outsource the age-gating process to third‑party providers. These firms collect biometric data (facial scans), passport and personal identification documents, and even banking and credit card information to verify users’ identities. 

The third party age verification companies used by leading social media platforms, include a firm tied to Trump-supporting billionaire Peter Thiel, and another firm set up by former Israeli intelligence officers.

Some of the firms used by the social media companies have been criticised in the past for presiding over privacy breaches.

Campaigners say that the lack of regulation and oversight of these third party companies could be putting the public’s data privacy at risk.

Digital rights activists at Open Rights Group called on the Government to further regulate the age verification industry.  

“Thanks to the Online Safety Act, people in Britain are being compelled to use unregulated age verification tools in order to access content online,” Platform Power Programme Manager James Baker told Byline Times. 

“Many of these providers are based outside of the UK and have questionable privacy policies. But users don’t have a choice if they want to have full access to social media sites such as X, Reddit, and Bluesky, or to use dating apps like Grindr. 

“The risks from handing over sensitive data are real and people are understandably worried about what could happen. The government needs to take these privacy concerns seriously by regulating the age verification industry and ensuring that providers have high standards of privacy and security. But they also need to limit the scope of the Act so that people aren’t forced to risk their privacy whenever they go online.”

Who Are the Age Verifiers?

Several of the companies involved in age verification have chequered histories, including data breaches and controversial ties.

AU10TIX (Used by ‘X’)

Elon Musk’s X (formerly Twitter) has used Israeli firm AU10TIX for ID document and selfie‑based checks since 2023 – originally to verify premium ‘blue check’ users, and now to comply with age assurance requirements. The company, spun out of ICTS International – founded by former Shin Bet (Israeli domestic intelligence) officers – also employs engineers with backgrounds in Israel’s military cyber‑intelligence unit, Unit 8200.

In 2023, digital rights activist and MENA specialist Mona Shtaya described the partnership as “alarming.” 

“Hiring a company with ties to former secret intelligence, Shin Bet, puts us all at risk,” Shtaya said. “This move threatens to fortify and weaponise our digital realms. A fate Palestinians already endure due to the ongoing military occupation. It’s a disaster in the making for all its users.” 

AU10TIX’s privacy policy lets it process data under the broad umbrella of  “legitimate interests,” potentially allowing reuse or sharing beyond age checks. 

In 2024, 404 Media revealed a major data breach: administrative credentials were left exposed online for over a year, giving hackers potential access to sensitive user data. The company says there’s no evidence that the exposed data was used maliciously.

Kids Web Services (Used by Bluesky)

Bluesky, generally viewed as more privacy-oriented than other legacy social media platforms, uses an age verification service called Kids Web Services (KWS). KWS is owned by US company EpicGames, known for producing the popular game Fortnite – and paying out $520 million to the US Federal Trade Commission in 2022 for manipulating users and violating children’s privacy laws. 

EpicGames offers KWS’ age assurance services to clients like BlueSky free of charge, but they don’t come out of it completely empty-handed. KWS gets access to some combination of email addresses, names, dates of birth, mailing addresses, national identity numbers, cell phone numbers, device identifiers, IP addresses, login data, site navigation data and more. 

Open Rights Group notes that KWS employs browser fingerprinting – a surveillance technique that tracks users based on unique characteristics of their browser and device. The group claims that KWS is also known for refusing to respect ‘Do Not Track’ signals, browser settings that let websites know you don’t want to be tracked online.

Data compliance lawyer and writer Simon McGraw points out that KWS – not Bluesky – is ultimately the legal entity responsible for the data collected. KWS explicitly states in a data control agreement with BlueSky that: “If we [KWS] are involved in a merger, acquisition, or sale of assets, we may share your personal information with the acquiring or receiving entity.”

“We’ve legislated for a new kind of surveillance capitalism,” McGraw writes. “As always, if a service on the web is being offered for free, it just means that you (in this case the adult wishing to participate in social media) are not the customer. You are the product.”

Persona Identities Inc (Used by Reddit)

The popular forum Reddit uses the San Francisco‑based firm Persona for age checks. In 2025, Persona raised $200m in a round led by the Founders Fund, the venture capital group run by data magnate Peter Thiel.

Thiel’s company, Palantir, has been widely criticised for its ties to the Trump administration and its US surveillance, security, and immigration enforcement contracts.

Persona has faced lawsuits in the US alleging that it retained the biometric data of food delivery drivers and that it used users’ selfies to train AI models – claims it denies. Its privacy policy promises to delete face scans after seven days, but vaguely allows data use for “service improvement” and, since 2025, requires users to waive their right to join class‑action lawsuits.

Spokesperson Evelyn Ju stated that the company always takes a “privacy- and compliance‑first approach.”

Your Privacy, Your Problem

Ministers have warned users about downloading Virtual Private Networks (VPNs) in order to fake a device’s location outside of the UK and skirt the new rules entirely. VPNs have seen a major spike in downloads in the UK since age assurance went into effect.

Science, Technology and Innovation Secretary Peter Kyle urged the public to just embrace the new system, amidst a significant public backlash.

“Just prove your age, make the internet safer for children, make it a better experience for everyone. That’s surely what we should aspire to in this country.” Kyle told BBC One.

Regulators stressed that age‑verification vendors must already comply with existing UK data protection laws, which are enforced by the Information Commissioner’s Office (ICO). The Government has claimed that existing data protection law is sufficient to protect users’ privacy.

Officials pointed to the Children’s Code and called age assurance a “priority area”, noting that further guidance is expected in January 2026. Neither regulator has clarified whether overseas third‑party vendors will face any additional scrutiny, leaving campaigners’ concerns about oversight largely unresolved.

“Protecting people’s privacy is central to the Online Safety Act,” a Government spokesperson said. “Platforms must use secure methods to confirm a user’s age, without collecting or storing personal data, unless absolutely necessary. Many third-party tools already do this.”

“Robust safeguards are essential to protect users while ensuring children are kept safe online. The Information Commission’s Office has strong enforcement powers to act against any service that misuses personal data, including substantial fines. All services – including those based overseas – must also comply with UK data protection law,” they added.

Open Rights Group have pointed out that there is “no public register of approved age assurance providers, no requirement for age assurance providers to meet any specific privacy or security standards, and no requirement for platforms to choose trusted or certified providers.”

“Breaches of data protection law are rarely if ever enforced against by the UK’s Information Commissioner, with the exception of action against spam and cold calling,” the group added.

“This means that companies are not running a financial risk even if they seriously break data protection rules. Therefore, they may prioritise cost and convenience over users’ privacy and security when choosing an age assurance provider.”

For now, the burden falls on users: pass over your biometrics, your passport, and financial details to these companies, or accept a child-proof version of the web.