Starting July 14, 2025, Reddit will enforce age verification for UK users to restrict under-18s from accessing mature content, complying with the UK’s Online Safety Act1. The platform partners with third-party firm Persona to verify ages via government ID or selfie uploads, retaining only verification status and date of birth—not raw data2. Non-compliance risks fines up to £18 million or 10% of global revenue3.
Implementation and Technical Details
Reddit’s verification process leverages Persona’s identity validation system, which deletes uploaded photos after seven days2. Users must submit a passport, driver’s license, or a live selfie for analysis. The platform emphasizes that it stores only a binary verification flag and age bracket, not identifiable documents3. This approach mirrors Pornhub’s upcoming UK measures, mandated by the same legislation1.
Privacy concerns have emerged, particularly around anonymity. Reddit’s announcement clarifies that identity verification is not required—only age3. However, discussions on r/privacy speculate law enforcement could cross-reference verification timestamps with IP logs4. The platform’s 53.9 million UK monthly users10 now face a trade-off between access and data exposure.
Regulatory Context and Industry Impact
The UK’s Online Safety Act, enforceable from July 25, 2025, targets platforms hosting adult content1. Reddit’s preemptive rollout avoids penalties and sets a precedent for other platforms. Ofcom expects broader adoption, including Pornhub’s pending system2. Similar laws may emerge under the EU’s Digital Services Act, amplifying global compliance demands.
Reddit explored biometric alternatives, including Worldcoin’s iris-scanning World ID, which surged 14.7% in value post-announcement8. This method promises anonymous age checks but introduces new privacy debates. Texas’ age-verification laws, cited in r/LinusTechTips threads, suggest parallel challenges in other jurisdictions5.
Security Considerations for Professionals
For security teams, Reddit’s move highlights evolving compliance risks. The integration of third-party validators like Persona introduces supply-chain vulnerabilities—ensuring their API security is critical2. Monitoring for fake verification services or phishing scams mimicking Reddit’s prompts is advised.
Reddit’s transparency about data retention (7-day deletion for Persona’s files) provides a template for audit trails3. However, the lack of open-source verification tools limits independent scrutiny. Organizations should assess:
- Data flow maps for third-party age-check systems
- GDPR alignment for UK-EU data transfers
- User education to prevent credential phishing under the guise of age verification
Future developments may include decentralized solutions like Worldcoin, though iris-scanning adoption remains niche8. Reddit’s approach balances regulatory compliance with minimal data retention—a model likely to influence other platforms facing similar laws.
Conclusion
Reddit’s UK age verification reflects broader shifts in online safety regulation, with technical and privacy trade-offs. While the platform mitigates risks by limiting stored data, the precedent may spur global adoption of similar measures. Security professionals should track verification system integrations and associated threat vectors, from API abuses to social engineering.
References
- “Reddit to verify UK users’ ages under new online safety laws,” BBC News, 2025.
- “Reddit starts verifying ages of UK users to comply with child safety law,” Ars Technica, 2025.
- “Verifying the age (but not the identity) of UK users,” Reddit Announcement, 2025.
- “UK Reddit now performing age verification with Persona,” r/privacy Discussion, 2025.
- “Reddit’s rolling out age verification to the UK,” r/LinusTechTips Thread, 2025.
- “Reddit and Worldcoin’s iris-scanning authentication,” CoinCu, 2025.
- “Reddit User Statistics (2025), Backlinko, 2025.
