App age verification in action: What you share and who gets your information

App age verification isn’t just a theoretical concept being debated in Congress. A number of laws have already passed that require platforms to verify age for users in select states.

For example, the Twitter/X alternative Bluesky went offline for me in August rather than comply with an age verification law where I live. This week, I can use the app again — as long as I share a bit of personal information with a third-party service I’ve never heard of.

This is likely a preview of what to expect for more apps in more places going forward.

VPN as a temporary bypass

For now, age verification is easily bypassed by using a VPN (virtual private network). This allows you to hide your real IP address and instead use one from another part of the country or world.

Some browsers offer free VPN service for website access. A paid service is usually required for an operating system-wide or wifi network-wide VPN. These broader solutions are required for use within apps.

A VPN works “for now” as long as age verification is siloed to a handful of states. Policy at the federal level would mean using a VPN to use an IP address from another country, which may have its own restrictive policies.

Actual age verification process

With that in mind, here’s what actual age verification looks like in practice.

On Monday, Bluesky stopped blocking access from where I live and instead started offering age verification that complies with state law. Here’s how that looks:

Selecting the “Verify now” button prompts you to confirm your email address and introduces KWS (Kids Web Services) as the third-party partner handling age verification. This is the first time I’ve heard of KWS, but perhaps those are three letters we’ll all see more of in the future.

KWS says it stores your “verified status with your hashed email address” so “other apps, games, and services powered by KWS technology” won’t require this process for this email address again.

Selecting the “Begin” button prompts Bluesky to email you a link to start age verification through KWS. The websites linked throughout this process take you here and here.

Bluesky says the age verification process is “designed with your data privacy in mind” and that it doesn’t have access to verification information shared with KWS.

Then there’s the actual age verification form from KWS. It requires your full legal name, home address, and one of three methods of age verification. You can provide the last four digits of your social security number, complete a temporary credit card transaction, or scan your driver’s license or passport.

In this example, Bluesky outsources age verification to KWS. KWS outsources SSN verification to Veratad, credit card verification to Stripe, and government-issued ID verification to Veriff.

9to5Mac’s Take

Because I already use and trust Stripe with online transactions, the credit card method seems most reasonable and least risky. I’m not familiar with Veratad and Veriff. The last four of your social security number and government-issued ID are more sensitive and harder to change than a credit card number.

All of this is in service of increasing online child safety, and it’s up to you to decide if sharing sensitive information with these companies is worth it.

For Bluesky, I’d guess that it’s restrictive enough to turn a lot of potential users away from the service. But when age verification becomes standard for more apps and services in more places, the concern over privacy and protecting sensitive information online will only increase.

For now, this is a practical example of how age verification already works in some places, not just a policy debate in Washington.

FTC: We use income earning auto affiliate links. More.