UK Online Safety Regulations and impact on Forums

Miyevan said:
In UK you must be at least 18 to have a credit card. You then charge 0.1£ for membership in certain areas of your forum where adults most likely will post not so nice content. You only need a platform that can force credit card payments only.
Click to expand...
Just curious... in the US banks can issue debit cards associated with Visa or MasterCard that can be used just like a regular credit card. Those types of debit cards are often issued to minors. Do UK banks not offer similar debit cards? 🤔
 
chillibear said:
Getting the Gov to do it wholesale is rather like asking for a Digital ID service - which putting politics to one side - you may or may not be keen on. That said they could have done a privacy conscious system, but I expect there would be a huge temptation to log which sites each person was age-checking with!

As an aside I just clarified with Shufti that they don't have a mechanism to offer an either/or type check - so you can't have a user choose between say Selfie estimation OR ID scan. You can only chain them. They also clarified that unless you delete a user's verification from the backend (where you see their selfie, ID scan, etc) they retain the data for seven years. So for now I think I'll stick with what I have and if time permits maybe do a proof of concept for OneID.
Click to expand...
When you say stick with what you have, what is that again please?

So if selfie fails then only then do they get the option to do an ID scan is that right? I would think that would be ok because the face scanning is supposed to be very accurate.

As for the data - so you're saying the data from the selfie (or ID) is stored in the forum's server unless we delete it? But if we delete it, it's not stored with Shufti, is that right? Or, regardless of whether we delete it, Shufti stores the date for seven years?! What data do the store? Just a photo and age? (Plus exif data maybe?) Or peoples driving licence data as well etc, if they end up doing manual ID?

I am really hoping Private ID get back next week as the selfie I did said no data is stored.

One ID definitely don't store any data then?
 
Kevin said:
Just curious... in the US banks can issue debit cards associated with Visa or MasterCard that can be used just like a regular credit card. Those types of debit cards are often issued to minors. Do UK banks not offer similar debit cards? 🤔
Click to expand...
Yes kids can have their own bank account and debit card from the age of 13 - which is why it's no good for age verification. Whereas the One ID bank check, the bank actually verifies their age as they have that info.

You have to be 18 to have a credit card though I think. But not everyone over 18 has a credit card.
 
Been running things by my members (former members in exile!) to see how they'd feel about a selfie or a bank check that only reveals their age. So far they seem fine with it.

But if One ID bank checking is looking the better option (and free) then I could do to work out how to distinguish between Uk and non uk members at the time of registration.......... so I might start a separate post about that.
 
chillibear said:
Getting the Gov to do it wholesale is rather like asking for a Digital ID service - which putting politics to one side - you may or may not be keen on. That said they could have done a privacy conscious system, but I expect there would be a huge temptation to log which sites each person was age-checking with!

As an aside I just clarified with Shufti that they don't have a mechanism to offer an either/or type check - so you can't have a user choose between say Selfie estimation OR ID scan. You can only chain them. They also clarified that unless you delete a user's verification from the backend (where you see their selfie, ID scan, etc) they retain the data for seven years. So for now I think I'll stick with what I have and if time permits maybe do a proof of concept for OneID.
Click to expand...
The Gov do have a kind of age checking system of their own - looked at it the other day - but it's only for .gov websites I think ,,,,, And I think they will already have data of everyone's age in the Uk anyway, via their National Insurance number .....
 
Alvin63 said:
When you say stick with what you have, what is that again please?
Click to expand...
The "Stores and Custom API" from https://docs.verifymyage.com/docs/age/stores/index.html
Requires me to supply the name/address for initial check, then falls back to "AI Selfie", "ID Scan" or "Credit Check". In the volumes I will be looking at £1/check. Pay as you go.

Alvin63 said:
So if selfie fails then only then do they get the option to do an ID scan is that right? I would think that would be ok because the face scanning is supposed to be very accurate.
Click to expand...
Nope. They don't support that verification flow. You can do Selfie and ID Scan, but not one or the other. You would have to offer them as two distinct verification flows (which is not impossible).

Alvin63 said:
As for the data - so you're saying the data from the selfie (or ID) is stored in the forum's server unless we delete it? But if we delete it, it's not stored with Shufti, is that right? Or, regardless of whether we delete it, Shufti stores the date for seven years?! What data do the store? Just a photo and age? (Plus exif data maybe?) Or peoples driving licence data as well etc, if they end up doing manual ID?
Click to expand...
I don't know exactly what data they store out of that they acquire, but unless you delete it yourself in the backend they will keep it. If you remove it in the backend then they remove their "own copy"

Alvin63 said:
One ID definitely don't store any data then?
Click to expand...
Nothing when doing the Banking App check as far as I understand it.

Alvin63 said:
But if One ID bank checking is looking the better option (and free) then I could do to work out how to distinguish between Uk and non uk members at the time of registration.......... so I might start a separate post about that.
Click to expand...
There are a few add-ons that do "geographical checks" at registration and so forth. I don't think there are any that would quite work out of the box for you, but the code may help. Whilst you'll probably always need a XF add-on element you can do "geo location" of their IP address outside of XF - some systems like Cloudflare provide geographical information in the headers they send back to your origin servers. Otherwise webservers like Nginx have optional modules that can be compiled in to supply similar information in the headers to XF. Needless to say setting all that up whilst not complex isn't typically a "one click" operation.

I've been pondering what approach I might take for identifying UK traffic and how I'd then tie that over to needing to do an Age Check. I've not quite worked out an optimal solution yet. The main decision would seem to be if you do the location check with registration and do the age-check then or if you want to "keep an eye out" for any UK users and when you spot one send them off to do an age-check!

Obviously noting that VPNs make it all a bit of a moot point anyway!
 
Nope. They don't support that verification flow. You can do Selfie and ID Scan, but not one or the other. You would have to offer them as two distinct verification flows (which is not impossible).
Click to expand...
Hmm - I had been given the impression I was being quoted solely for a selfie option. I'll need to double check that .........
 
Thinking about it. The very fact that people can use VPN's means a UK only age check isn't really viable - as some Uk people could slip through by using a VPN (despite the fact a child is highly unlikely to use or know about VPN's but teens might). So then I wouldn't have reliable age verification....This is frustrating when there's a free option - but for uk members only.
 
Alvin63 said:
Hmm - I had been given the impression I was being quoted solely for a selfie option. I'll need to double check that .........
Click to expand...
You pay for what you (with Shufti) use so Selfie checks are $0.20. ID Scan checks are $0.50. So if you were to only do Selfies then you'll just be using your banked cred at $0.20 a go. If you were doing a a verification that included a Selfie and an ID Scan you'd pay $0.70 each time, etc. You can use your credit however you like - so you have full access to all of Shufti's other tools - the digital signatures, business verifications and so forth. That was one appealing thing - that there might be other elements I might find useful in addition to the age-verification.
 
I had just been looking at the selfie option. Any fails would have to contact. Which hopefully would not happen if people are over 18. What I'd like to know is if it's as good and reliable as the Private ID one I did the other day.

I'm hanging out in the hope Private ID get back to me for a third possible option. Doubt it will be free though.

Technically I guess I could have both One ID free and Shufti for non uk - my Shufti credits would last a lot longer then! But presumably that would mean two different API implementations - and have them work together .........

When you talk about data in the back end - what does that mean exactly? ie where is the data stored and how easy is it to delete?
 
I'd forgotten about Luciditi - tried their online demo and selected selfie option. Not as streamlined as the Private Id one but it was ok - a bit slower (and let you keep your glasses on). Initially they offered me a meeting but I've emailed back asking about costs.
 
Last edited:
The "Stores and Custom API" from https://docs.verifymyage.com/docs/age/stores/index.html
Requires me to supply the name/address for initial check, then falls back to "AI Selfie", "ID Scan" or "Credit Check". In the volumes I will be looking at £1/check. Pay as you go.
Click to expand...
They have quite a few options - there is this one as well - scanning government ID (Eg driving licence). Do you know the cost of that one?

verifymy.io

Government-issued ID

An age verification method that uses ID scanning to determine a user's exact age.
verifymy.io verifymy.io

Also I'm wondering if it's just a Uk check again..........

Also according to AI - all users need to be age verified - not just uk ones.
 
Alvin63 said:
They have quite a few options - there is this one as well - scanning government ID (Eg driving licence). Do you know the cost of that one?
Click to expand...
No idea, I expect most of their other options will have the on-boarding fee if their email one did. However that is speculation on my part.

Alvin63 said:
Also according to AI - all users need to be age verified - not just uk ones.
Click to expand...
Well we must do as our AI overloads demand ;) Seriously however I do rather feel even if it was a get-out on a technicality it rather breaks the spirit of the legislation which in turn probably wouldn't look good if you ever did have a run-in with the regulator! I guess asking Ofcom themselves would be sensible.
 
As posts are typed it sends the contents of those posts off to the Perspective API (see https://developers.perspectiveapi.com/s/about-the-api-faqs).
diagram_1.webp
They are then rated against various criteria and those scores returned, the addon then displays some information to the user based off this (and probably other things like moderation, etc). They have a demo linked to from the add-on page. Essentially the aim is to discourage you from typing nasty posts or posts containing profanity. So for instance a test I did a moment ago:

perspectiveapi.webp

Never used the product myself so I have no idea how effective it is.
 
Thanks. So it's automoderation then - but it just gives a warning at the bottom and doesn't actually remove or censor things? Read the link and it says it can be set to auto-remove things it's assessed as toxic, but still needs a human element.
 
Shufti replied to my query about data. They said nothing is saved on my site. It's saved on Shufti's servers. And to delete data on Shufti's servers there are two options: API based deletion (initiating a request). Or manual request with reference ID of the data you want deleting.

However, this does mean needing to tell users that their data is stored somewhere, unlike other solutions where no data is stored. This is really annoying actually. But I wonder if it's possible to have included in a contract that they will delete all data once verification has taken place. ie a permanent request for data deletion.

More about their data storing here

shuftipro.com

GDPR - Compliance Guide

Shufti GDPR Compliance a Complete Security Solution For Your Data and Give Your Customers a Better Services to Increase.
shuftipro.com shuftipro.com

Their privacy policy talks about sharing data. The third parties sound like people who work with them on the software - so maybe not too bad. But I think users could be put off by knowing their data is stored somewhere. For a selfie presumably that would be their photo and exif data?

"1. We share the personal and anonymised information that we collect with you and to such other parties as instructed and agreed with you.


2. We also use third-party service providers to help us deliver, manage, and constantly improve our Services. These service providers may collect and/or use your personal information or anonymised information to assist us in achieving the purposes stated.


3. We may also share your personal information with other third parties when necessary to fulfil your requests for services, to complete a transaction that you initiate, to meet the terms of any agreement that you have with us or our partners, etc.


4. We partner with certain other third parties to collect anonymised information and engage in analysis, auditing, research, and reporting.


5. We may also use or share your personal information with third parties when we have reason to believe that doing so is necessary; to comply with applicable law or court order, subpoena, or other legal process; to investigate, prevent, or take action regarding illegal activities; suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party; to establish, protect, or exercise our legal rights or defend against legal claims; or to facilitate the financing, securitisation, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.

shuftipro.com

Privacy Policy

Shufti privacy policy provides detail about the data of end-users and our website visitors, your rights, data protection features, etc.
shuftipro.com shuftipro.com

Which is why I am hoping to hear back from Private ID as they don't store any data and neither does One ID - but still waiting to hear back if their banking option works for people who don't generally do online banking ..........
 
Last edited:
Just had an offbeat thought as well. How about implementing one of the AI things into the forum, to verify someone's age. Obviously it would need to be visual. Can something like Chat GPT or Gemini be integrated into a site?

Edit - sorry - silly idea. That;s what the age verification apps are doing, using AI and it would be like trying to create your own I guess.
 
Last edited:
Chat GPT is quite useful sometimes. So VPN would be the issue. If you have to say you're only age checking Uk users in privacy policy. If you don't say that then they won't know to circumvent it. But it is a flaw in the plan.....

"

✅ Your Setup Idea:​


UK-based website, mostly UK users
✅ Use IP geolocation at registration

  • 🇬🇧 UK IP → trigger age check (e.g. via OneID)
  • 🌍 Non-UK IP → standard registration without age check
Click to expand...


⚖️ Legally — Is This Compliant with the OSA?​


Yes, this setup is compliant, as long as:


  1. You reliably identify UK users (e.g., IP geolocation at registration is acceptable).
  2. You ensure UK users do not access adult content before completing age verification.
  3. You only apply the OSA's duties to UK users — you’re not required to check non-UK users unless local laws in their country say otherwise (which they usually don’t).

📌 Ofcom guidance explicitly says services must “take or use proportionate and effective measures to prevent children in the UK from encountering pornographic content.”
Click to expand...


⚙️ Technical Tip:​


If you're using IP geolocation:


  • Consider a reputable service like MaxMind GeoIP, IPStack, or Cloudflare's Geo header.
  • You can use this to redirect or conditionally show the age check screen.

Example logic (simplified):

if (user.country === "GB") {
redirectToAgeVerification(); // e.g., OneID age check
} else {
continueStandardRegistration();
}

🔐 Optional Safeguards:​


To strengthen compliance and protect yourself:


  • Keep logs (anonymized is fine) showing who passed age checks (just store a verified flag, not PII).
  • Mention clearly in your privacy/terms that age checks apply only to UK users, per law.
  • Block or warn VPN users or proxy traffic if you want to prevent circumvention.


Final Take:​


✅ Your plan — UK IPs go through OneID, others skip it — is aligned with the law, efficient, and user-friendly.
You’re checking all the right boxes here.


Want help writing the age check flow or geo-checking logic? Or integrating OneID’s widget/API?
 
You must log in or register to reply here.
Back
Top Bottom