The ID Shakedown

Alan Wright

Alan Wright

1 min read

Apple's age verification isn't a safety feature. I asked them to prove it.

When iOS 26.4 landed, it brought something new to UK users: mandatory age verification. Hand over a government ID scan to update your phone. The stated reason is child safety. The unstated reason is more interesting.

I’m a compliance consultant. When I see a major data processor collecting identity documents from millions of people, I ask questions. Specifically, I ask the five questions that any competent Data Protection Officer should be able to answer before a system like this goes live.

So I wrote to Apple’s Data Protection Officer and asked them.

The five questions:

  1. What is the lawful basis for processing government ID scans? GDPR Article 6 requires one. Which is it: contractual necessity, legal obligation, or legitimate interest? The answer matters because each carries different obligations.
  2. How long are the identity document scans, any derived biometric data, and age signals retained? Is this documented in a Data Retention Schedule?
  3. Can users exercise their Article 17 right to erasure? Does Apple retain hashed or derived values after a deletion request and if so, on what basis?
  4. Has a Data Protection Impact Assessment been conducted under Article 35? Age verification of this scale, collecting government ID from an entire national user base, almost certainly meets the threshold for mandatory DPIA. Are the findings on necessity and proportionality available?
  5. Which third-party processors are involved? Are Data Processing Agreements in place?

I referenced the March 2024 DPC decision (C-21-10-964), which found that Apple had not met its transparency obligations regarding data retention practices. That decision didn’t come from nowhere.

Apple’s response:

An autoresponse. In eight languages. Case ID: 19137322.

To be fair, they said a dedicated team is reviewing the inquiry and will respond as soon as possible. I’ll publish whatever they send.

But here’s the thing: these aren’t difficult questions. A well-governed data processing system has these answers documented before it goes live, not as a response to individual challenges filed after the fact. The fact that a compliance consultant on an island in the Irish Sea has to ask them at all tells you something.

Age verification is a legitimate policy goal. Identity harvesting dressed as age verification is something else entirely. The receipts are the point.

I’ll update this post when Apple responds. Case ID: 19137322, on the record.

— Alan

Read more