The threat of a €20 million fine is enough to get anyone’s attention. That’s the potential penalty for failing to comply with the General Data Protection Regulation (GDPR), and its rules around children’s data are particularly strict. Many businesses believe a simple age-gate checkbox is sufficient, but this common misconception can lead to serious non-compliance. The regulation demands that you make “reasonable efforts” to confirm a user’s age, a standard that requires a much more thoughtful approach. To avoid costly penalties and protect your reputation, you must understand the nuances of the GDPR age verification requirements. We’ll break down what the law actually says and provide actionable steps to ensure your platform is compliant.
Key Takeaways
- Adapt to Varying Age of Consent Rules: The GDPR sets a default age of 16, but individual EU countries can lower it to 13, so a one-size-fits-all approach is not compliant and your system must adjust based on the user’s location.
- Prioritize Data Minimization to Reduce Risk: Only collect the absolute minimum information needed to confirm a user’s age. The goal is to verify eligibility, not to build a user profile, which protects user privacy and limits your company’s liability.
- Choose Verification Methods Wisely: Self-declaration checkboxes are often insufficient for compliance. Instead, consider privacy-preserving methods like trusted third-party services that confirm age without sharing sensitive user data back to your platform.
What Does GDPR Say About Age Verification?
If your platform is available to users in Europe, understanding the General Data Protection Regulation (GDPR) isn’t optional, especially when it comes to age verification. These rules are designed to protect children’s privacy online, and getting them right is essential for building trust and avoiding significant penalties. Let’s walk through what GDPR actually says about verifying a user’s age, why it’s so important, and the specific age thresholds you need to know.
What Is GDPR?
Let’s start with the basics. The General Data Protection Regulation, or GDPR, is a landmark data protection law from the European Union. Its main goal is to give individuals more control over their personal data and create a unified standard for data protection in the EU. While it’s an EU regulation, its reach is global. If your service processes the personal data of anyone residing in the EU, you need to comply with its rules. Think of it as the foundation for modern digital privacy, setting the standard for how companies should responsibly handle user information.
Why Age Verification Matters for Child Safety
So, why is age verification such a big deal under GDPR? The answer is simple: child safety. Protecting children in the digital world is a primary focus for major EU laws, including both the GDPR and the Digital Services Act (DSA). The goal is to ensure that platforms obtain proper consent before collecting and processing a child’s personal data. This isn’t just about legal compliance; it’s about creating a responsible online space. Effective age verification methods are the first line of defense in preventing minors from accessing age-inappropriate content and services, making the internet a safer place for everyone.
The Default Age of Consent Under GDPR
This is where things get specific. Under GDPR, the default age at which a person can legally consent to the processing of their personal data for online services is 16. If a user is younger than 16, you generally need to get consent from a parent or guardian. However, the regulation gives individual EU member states the flexibility to lower this age of consent, but no younger than 13. This is a critical detail because it means the age rules for GDPR can differ from one country to another. For any platform with a European user base, you must be aware of these local variations to ensure you’re obtaining valid consent everywhere you operate.
What Are the Specific GDPR Age Verification Requirements?
When you operate a service that collects user data, the GDPR views you as a “data controller.” This title comes with significant responsibilities, especially when your users might be children. The main goal is to protect young people online, a priority shared by other major EU laws like the Digital Services Act (DSA). To stay compliant, you need to make reasonable efforts to verify a user’s age before processing their personal data.
This doesn’t mean you need to collect a trove of sensitive information. In fact, the opposite is true. Regulators want you to practice data minimization, which means collecting the absolute least amount of information necessary to get the job done. The challenge is finding a method that is both effective at verifying age and respectful of user privacy. The GDPR sets the framework, but it leaves some of the finer details, like the exact age of consent, up to individual countries. This means your legal obligations can change depending on where your users are located. Getting this right isn’t just about avoiding fines; it’s about building a platform that users and their families can trust. Understanding these specific requirements is the first step toward creating a compliant and safe online environment.
Your Legal Obligations as a Data Controller
As a data controller, your primary duty is to protect children’s data. This means you must implement age verification measures for any “information society service” offered directly to a child. The GDPR is clear that you must make reasonable efforts, using available technology, to verify that the person providing consent is old enough to do so.
The most important principle to follow here is data minimization. You should only collect the information you absolutely need to confirm a user’s age and nothing more. For example, asking for a full birth date and a copy of a government ID to access age-restricted content is likely excessive. Regulators expect you to find the least intrusive method possible to meet your obligation, protecting user privacy while ensuring children are kept safe.
How Member States Adjust the Age Threshold
The GDPR establishes a default age of 16 for a user to consent to data processing without needing parental permission. However, the regulation also gives individual EU member states the flexibility to lower this age, though it cannot go below 13. This has created a varied landscape across Europe, where the age of digital consent can be 13, 14, 15, or 16, depending on the country.
For businesses operating across the EU, this means a one-size-fits-all approach won’t work. You need to be aware of the age rules for GDPR in each country where you have users. For instance, the age of consent is 16 in Germany and the Netherlands, but it’s 13 in Spain and Sweden. Your age verification system must be sophisticated enough to adapt to these local regulations to remain compliant.
When Is Parental Consent Required?
If a user is below the established age of consent in their country, you are required to obtain and verify parental permission before processing their personal data. The GDPR specifies that this consent must be “verifiable,” meaning you have to take reasonable steps to confirm that the person giving permission is actually the child’s parent or guardian. Simply having a checkbox that says “My parent agrees” is not enough.
This part of the regulation, often called GDPR-K, also grants parents and children more control over their data. They have the right to access, correct, or even delete the information you’ve collected. Understanding these children’s online privacy rules is essential for building a system that not only complies with the law but also builds trust with your users and their families.
What Are GDPR-Compliant Age Verification Methods?
When it comes to verifying age under GDPR, there isn’t a one-size-fits-all answer. The right method depends on your specific context, particularly the level of risk involved with your content or service. A social media platform for teens has different needs than a site selling lottery tickets, for example. The key is to choose a method that is both effective and respects user privacy. Let’s walk through some of the most common approaches and see how they stack up against GDPR’s strict standards.
The Limits of Self-Declaration
You’ve seen it a million times: a simple dropdown menu asking for your date of birth or a checkbox confirming you’re over 18. This is self-declaration, and while it’s the easiest method to implement, it’s also the least reliable. Regulators are clear that for any service with real risks to children, simply asking users their age isn’t enough. This method is too easy to bypass and is generally only considered acceptable for very low-risk scenarios. Think of it as the honor system, which works until it doesn’t. For most businesses needing to comply with GDPR, a more dependable solution is necessary to truly protect young users.
Using Age Estimation Technology
Another option is age estimation technology, which often uses a device’s camera to analyze a person’s face and estimate their age. While it sounds futuristic, this approach comes with serious privacy considerations under GDPR. The goal is to verify age without collecting identifiable biometric data, which is a special category of sensitive information. If you use this method, it should be part of a broader strategy and designed to be as non-invasive as possible. The system should not uniquely identify users or store their data. It’s a promising tool, but it must be implemented carefully to avoid crossing a line into excessive data collection.
Working with Third-Party Verification Services
A more robust and privacy-friendly approach involves partnering with a third-party verification service. In this model, a user is directed to a trusted, independent service to verify their age using an ID document or other reliable method. The service then simply tells your website “yes” or “no” without sharing any of the underlying personal data. This creates what some experts call a “double anonymity” system, where your website never sees the user’s sensitive documents, and the verification service doesn’t know which site the user is accessing. This separation is a great way to minimize the data you handle directly.
A Look at the EU Digital Identity Wallet
Looking to the future, the European Union is developing a streamlined solution that could become the gold standard for age verification. The EU Digital Identity Wallet, expected to roll out around 2026, will allow citizens to store official identity documents on their phones. Users will be able to present a verifiable, government-backed credential to prove their age without revealing their name, date of birth, or any other unnecessary information. This initiative promises a secure and privacy-preserving way to handle age checks, simplifying compliance for businesses and giving users more control over their data.
What Are the Main Privacy Concerns with Age Verification?
Implementing age verification isn’t just a technical hurdle; it’s a massive responsibility. When you ask users to prove their age, you’re handling sensitive information that, if mishandled, can lead to serious privacy violations and erode the trust you’ve worked so hard to build. The core of the issue is finding a way to confirm age without overstepping boundaries or putting your users at risk.
Getting this right means balancing legal requirements with user expectations for privacy. People are more aware than ever of their digital footprint and are hesitant to share personal data unless absolutely necessary. A clunky or invasive age check can send users running. The best approach is one that respects user privacy from the start, collecting only what is essential and protecting that information rigorously. Let’s walk through the main privacy concerns you need to address.
The Challenge of Data Minimization
Data minimization is a cornerstone of GDPR, and it’s exactly what it sounds like: collecting the least amount of personal data necessary to get the job done. When it comes to age verification, this means you shouldn’t ask for a user’s full name, address, and a copy of their passport if all you need is a simple “yes” or “no” on whether they are over 16. Regulators want to see that you’re making a real effort to check ages without collecting excessive information. Your goal should be to confirm age, not to build a detailed profile of every user who lands on your site.
Avoiding Biometric and Sensitive Data Collection
Certain types of data get extra protection under GDPR because they are particularly sensitive. This includes biometric data, like face scans or fingerprints, which are considered “special category data.” Using these methods for something as routine as an age check is generally discouraged, especially when children are involved. Collecting this kind of personal information is risky. A data breach could expose deeply private details about your users or even lead to identity theft, creating a nightmare for both your users and your company. It’s far better to use methods that don’t rely on collecting and storing such high-risk information.
Preventing Security Risks and Identity Theft
Every piece of personal data you collect is a potential liability. Asking users to upload a driver’s license or another form of government ID directly to your system creates a tempting target for hackers. If your database is breached, that information can be used for all sorts of malicious activities. This is why directly collecting personal details for age checks is such a privacy risk. A much safer approach involves using a trusted third-party service that can confirm a user’s age without your platform ever needing to see or store the underlying identity documents. This keeps sensitive data out of your hands and reduces your risk profile significantly.
What Challenges Will You Face with Age Verification?
Implementing a GDPR-compliant age verification system isn’t as simple as adding a pop-up to your website. You’ll encounter several hurdles that require careful thought to protect both your users and your business. The main goal is to create a process that is effective, respects privacy, and provides a smooth user experience. Getting this right means understanding the common pitfalls, from flimsy methods that users can easily sidestep to overly invasive checks that collect far too much personal information. The core of the problem is a fundamental tension: you need to be accurate enough to genuinely protect minors, but you also have a legal and ethical duty to protect the privacy of all your users.
This balancing act is where many businesses stumble. Simple solutions, like a self-declaration checkbox, are often not compliant with regulations because they are so easily bypassed. On the other hand, highly accurate methods, such as requesting a government ID, can introduce significant privacy risks and create a clunky, off-putting experience for your users. Navigating this landscape requires a strategic approach. You have to think about the user journey, the data you’re collecting (and for how long), and the partners you trust. Let’s walk through the biggest challenges you’ll likely face and how to think about them.
Balancing Accuracy with User Privacy
The biggest challenge is walking the fine line between verifying age accurately and protecting user privacy. Your primary objective is to protect children online, a key focus of regulations like the GDPR and the Digital Services Act. However, you have to achieve this without collecting a trove of personal data. Asking for a government ID might be accurate, but it’s also a significant privacy risk and can feel invasive to the user. The key is to find a method that confirms age with reasonable certainty while keeping the user’s personal information secure and confidential. This tension is at the heart of every decision you’ll make about your age verification process.
When Users Bypass Self-Declaration
Many platforms rely on a simple self-declaration checkbox where users confirm they are over a certain age. While easy to implement, this method is just as easy for users to bypass. Let’s be honest, a determined minor will not hesitate to click “Yes, I’m over 18.” Regulators are increasingly aware that this approach offers little real protection. Relying on self-declaration alone leaves your platform vulnerable to non-compliance because it doesn’t meet the standard of “reasonable effort” required by GDPR. It’s a significant liability, as it fails to effectively prevent underage users from accessing age-restricted content or services.
The Risks of Relying on Third-Party Services
Partnering with a third-party verification service can seem like a straightforward solution, but it comes with its own set of risks. You are entrusting another company with sensitive user data, making their security and privacy practices an extension of your own. If they have a data breach, your users are affected, and your reputation is on the line. A better approach involves working with a trusted partner that can verify age without ever sharing the user’s personal identity back to your website. This concept of “double anonymity” is a powerful way to protect privacy while still achieving reliable verification.
Avoiding Intrusive Data Collection
GDPR is built on the principle of data minimization, which means you should only collect the absolute minimum information necessary for a specific task. When it comes to age verification, this principle is critical. You should not ask for personal details like names, addresses, or copies of official IDs just to check an age. This level of data collection is often disproportionate to the goal and creates unnecessary privacy risks for your users. The most compliant and user-friendly systems verify age without ever needing to know who the person is, focusing solely on confirming they meet the age requirement.
Common Misconceptions That Lead to Non-Compliance
When it comes to GDPR age verification, what you don’t know can definitely hurt you. Many businesses operate on assumptions that feel like common sense but are actually at odds with regulatory expectations. These misunderstandings can lead to significant compliance gaps, putting both your users and your company at risk. It’s easy to think you’re doing enough by taking a user at their word or that collecting more data makes your verification process stronger.
The reality is that GDPR demands a much more thoughtful and privacy-conscious approach. Regulators are focused on protecting children from online risks, and they expect businesses to implement systems that are both effective and respectful of user data. This isn’t just about checking a box for compliance; it’s about demonstrating a genuine commitment to user safety and privacy, which is the foundation of online trust. Getting it wrong can result in steep fines, but perhaps more damaging is the erosion of that trust with your user base. Let’s clear up a few of the most common myths that can trip companies up, so you can build a verification process that is truly compliant.
Myth: Self-Declaration Is Enough
It’s tempting to think that a simple pop-up asking, “Are you over 16?” is all you need. It’s easy for you and frictionless for the user. Unfortunately, regulators see this method as far too easy to bypass. For any service that poses a genuine risk to children, self-declaration just doesn’t cut it. This approach is only considered acceptable in very low-risk situations where the potential for harm is minimal. For most platforms and online services, you need more robust age verification methods to demonstrate due diligence and effectively protect younger users. Relying on a simple checkbox is one of the fastest ways to fall out of compliance.
Myth: You Can Collect Any Data You Want
Another common mistake is assuming that for the sake of security, you can ask for whatever personal data you think will confirm a user’s age. Many platforms request details like a full name, date of birth, or even a copy of an ID. However, this directly contradicts the GDPR’s core principle of data minimization. You should only collect the absolute minimum information required to verify age and nothing more. The Information Commissioner’s Office (ICO) and other EU regulators have made it clear that age verification and data protection must go hand-in-hand. Asking for excessive personal data creates unnecessary privacy risks for your users and compliance risks for your business.
Myth: One-Time Verification Is Sufficient
So you’ve verified a user’s age. Does that mean you can store their date of birth or age range in their user profile forever? Absolutely not. Storing this kind of personal data long-term is a major privacy concern and goes against GDPR guidance. Instead of holding onto the user’s exact age, your system should simply record a confirmation that the user has met the required age threshold. This “yes/no” approach is much more privacy-friendly. The goal is to confirm eligibility without creating a permanent record of sensitive information. Your verification system must be both accurate enough to be effective and proportionate enough to avoid being overly intrusive, striking a careful balance between safety and privacy.
How to Build a Privacy-First Age Verification System
Building an age verification system that respects user privacy isn’t just about meeting legal requirements; it’s about building trust. When users feel their data is handled responsibly, they are more likely to engage with your platform. A privacy-first approach means designing your system from the ground up with data protection as a core principle, not an afterthought. Here’s how you can create a system that is both effective and trustworthy.
Conduct a Data Protection Impact Assessment (DPIA)
Before you write a single line of code, your first step should be to conduct a Data Protection Impact Assessment, or DPIA. This is a formal process for identifying and minimizing the risks associated with processing personal data. If you plan to use methods like biometric facial analysis or ID scanning for age checks, a DPIA is mandatory under GDPR. This assessment forces you to think critically about the data you’re collecting, why you need it, and what could go wrong. It’s your roadmap for building a system that is compliant and secure from the start.
Design a Compliant Verification Flow
Your verification flow is the series of steps a user takes to prove their age. The primary goal is to protect children from accessing harmful content, but this often involves collecting more personal data, which can create privacy risks for all users. Design your flow around the principle of data minimization. Ask yourself: what is the absolute least amount of information I need to verify age? Be transparent with users at every step, explaining why you need certain information and how it will be used. A smooth, clear, and minimal process shows users you value their privacy as much as their safety.
Store Data Only Temporarily
A core tenet of data privacy is to not hold onto information for longer than necessary. When it comes to age verification, this is especially important. You should only ask for the personal information that is absolutely essential to confirm a user’s age, and you should not keep identifying data longer than you need it. For example, if your system scans an ID, it should verify the date of birth and then immediately and permanently delete the image and any other personal data from the document. Your system should only retain a simple, anonymized token confirming that the user has been verified.
Maintain User Anonymity with Trusted Services
One of the most effective ways to protect user privacy is to separate the act of verification from the user’s identity on your platform. A great approach involves using a separate, trusted service that checks a user’s age without revealing their identity to your website. This concept of “double anonymity” ensures that you, the platform owner, get the confirmation you need without ever handling the sensitive data yourself. The verification provider confirms the user meets the age requirement, and that’s it. This protects your users’ privacy and reduces your own data liability.
Best Practices for GDPR-Compliant Age Verification
Building an age verification system that respects user privacy isn’t just about following the rules; it’s about building trust. When users feel their data is handled responsibly, they’re more likely to engage with your platform. A thoughtful, privacy-first approach shows you value their safety as much as your own compliance.
The key is to balance robust verification with a seamless user experience. You can achieve this by focusing on a few core principles that keep privacy at the forefront. These practices will help you create a system that is effective, compliant, and worthy of your users’ confidence.
Adopt a Data Minimization Strategy
Think of data minimization as the golden rule of GDPR: collect only what you absolutely need and nothing more. When verifying a user’s age, your goal is to confirm they meet the threshold, not to build a detailed profile of them. Avoid asking for exact birth dates, government IDs, or other sensitive information unless it’s strictly necessary for the level of risk involved. Regulators want to see that you’re taking a lean approach to data collection. This practice isn’t just about compliance; it’s also smart security. The less data you hold, the lower the risk if a breach ever occurs.
Be Transparent in Your Privacy Notices
Trust begins with honesty. Your users have a right to know exactly what information you’re collecting, why you need it, and how you plan to use it. This is where clear, straightforward communication comes in. You should always provide clear privacy notices that are easy to find and understand. Avoid burying these details in long, complicated legal documents. Instead, use plain language to explain the process. Being upfront about your data practices shows respect for your users and helps them feel secure, making them more comfortable completing the age verification process.
Use a Layered Approach to Verification
Not all content or services carry the same level of risk, so your age verification methods shouldn’t be one-size-fits-all. A better strategy is to use layered solutions that match the verification method to the specific context. For lower-risk situations, a simple self-declaration age gate might be enough. For access to high-risk content or services, you might need a more robust method, like age estimation technology. This risk-based approach allows you to protect minors effectively without creating unnecessary friction for your adult users, ensuring the user experience remains as smooth as possible.
Conduct Regular Compliance Audits
The digital landscape is constantly changing, and so are the regulations that govern it. Staying compliant with GDPR is an ongoing process, not a one-time task. The rules and technologies for age verification are still evolving, so it’s crucial to keep up with new guidance and technology. Schedule regular audits of your age verification systems to ensure they still meet legal requirements and align with current best practices. These check-ins help you identify any potential gaps in your process and adapt to new developments, keeping your platform and your users protected over the long term.
The Technical Side: Implementation and Enforcement
Putting a GDPR-compliant age verification system into practice involves more than just understanding the rules. You have to think about how the technology will fit into your current setup, what happens if you get it wrong, and how to keep your users from getting frustrated and leaving. It’s a balancing act. On one hand, you need a robust system that meets legal standards. On the other, you need a process that feels seamless to your users and doesn’t create unnecessary hurdles.
Getting the technical details right is where your compliance strategy becomes real. This means choosing the right tools, understanding the potential financial risks of non-compliance, and designing a user experience that respects privacy while effectively verifying age. Let’s walk through how to handle the integration, what you need to know about penalties, and how to keep your users happy through the process.
Integrating with Your Existing Systems
Adding age verification to your platform shouldn’t require a complete overhaul of your existing infrastructure. Modern verification services are typically designed for easy integration, often using APIs that can plug directly into your website or app. The key is to find a solution that is flexible enough to work with your current systems while being scalable enough to grow with you. As you evaluate options, look for clear documentation and developer support to make the implementation process smoother for your technical team.
The good news is that regulators are also thinking about simplifying this process. For instance, the European Commission is working on a single, EU-wide approach to age verification that aims to be both user-friendly and privacy-preserving. This move toward standardization signals a future where integration could become even more straightforward for businesses operating across Europe.
Understanding GDPR Enforcement and Penalties
Ignoring GDPR’s age verification rules comes with serious financial consequences. The regulation gives authorities the power to issue significant fines for non-compliance. Specifically, companies can be fined up to €20 million or 4% of their annual global revenue, whichever is higher. These aren’t just idle threats; regulators are actively enforcing these rules to protect children’s data online.
Beyond the financial risk, non-compliance can damage your brand’s reputation and erode user trust. Properly handling children’s online privacy rules is a critical part of demonstrating your company’s commitment to ethical data practices and protecting your most vulnerable users.
Reducing User Friction While Staying Compliant
One of the biggest challenges with age verification is implementing it without frustrating your users. A clunky or invasive process can lead to high drop-off rates. The key to a smooth experience is data minimization, a core principle of GDPR. You should only collect the absolute minimum information needed to verify age. Instead of asking for a full birthdate or a copy of an ID, the system should simply confirm whether the user is old enough.
The most effective way to achieve this is often by working with a specialized third-party service. These services can confirm a user’s age without your company ever having to see or store the sensitive data behind the verification. This approach not only reduces friction for the user but also minimizes your own data liability, creating a safer and more trustworthy experience for everyone involved.
Build Trust with Better Age Verification
Age verification is more than a checkbox on your compliance list; it’s one of the first trust signals you send to your users. When people are asked to prove their age, they are often hesitant, worrying about where their personal data is going and how it will be used. A clunky or invasive process can make them abandon your service altogether, which is why a privacy-first approach is essential for building confidence.
The key is to treat user data with respect. This starts with the principle of data minimization. Your goal isn’t to know a user’s exact birthday, but simply to confirm they meet the necessary age requirement. As regulators emphasize, platforms should collect as little personal data as possible to get the job done. Instead of storing a user’s specific age, your system should only record a simple “yes” or “no” confirmation.
So, how do you verify age without over-collecting data? Working with a trusted third-party service is often the most effective and secure method. These services act as a neutral intermediary, confirming a user’s age without passing sensitive identity documents or personal details back to your platform. This creates a protective buffer that some experts call “double anonymity,” safeguarding user privacy while helping you meet your legal obligations. By prioritizing a seamless and respectful verification experience, you show users that you value their privacy, building a stronger, more trustworthy relationship from the very first interaction.
Related Articles
- 5 Methods for Age Verification Without an ID
- Age Verification Without an ID: The Ultimate Guide
- Anonymous Age Verification: How It Works & Why It Matters
Frequently Asked Questions
Why isn’t a simple age checkbox enough for GDPR? A simple checkbox or self-declaration form is often seen by regulators as too easy for a child to bypass. The GDPR requires you to make “reasonable efforts” to verify a user’s age, and for most services, especially those with any potential risk, an honor system just doesn’t meet that standard. It fails to provide any real protection and can leave your platform non-compliant.
Do I need a different age verification process for every EU country? Not necessarily a different process, but your system does need to be smart enough to handle different rules. The GDPR sets a default age of consent at 16, but it allows individual countries to lower it to as young as 13. This means the age you need to verify can change depending on where your user is located. A flexible, risk-based approach is your best bet to stay compliant across the EU.
How can I verify a user’s age without creating privacy risks? The key is data minimization, which means collecting the absolute least amount of information needed. Instead of asking for and storing a user’s full birth date or a copy of their ID, you should use a method that provides a simple “yes” or “no” answer about whether they meet the age requirement. Working with a trusted third-party service that confirms age without sharing the user’s personal data back to you is an excellent way to achieve this.
What are the real consequences of failing to comply with GDPR’s age rules? The financial penalties can be severe, with fines reaching up to 4% of your company’s global annual revenue or €20 million, whichever is higher. Beyond the fines, non-compliance can seriously damage your brand’s reputation. Failing to protect children’s data erodes the trust you have with your users and their families, which can be much harder to recover from than a financial penalty.
What is the safest way to handle the data for age verification? The safest approach is to handle as little sensitive data as possible. You should never store copies of identity documents or other personal details used for a one-time age check. The best practice is to have a system that verifies the user’s age and then immediately discards the data used for the check, retaining only an anonymized confirmation that the user passed the verification. This greatly reduces your liability and protects your users’ privacy.