Age Verification Feedback

Share feedback about Age Verification. DO NOT POST YOUR ID OR INFORMATION HERE.
Persona requires too much sensitive data
The age verification service "Persona" requires an entirely unredacted government-issued identification to grant verified age status for VRChat. I find this unacceptable. In my case, in exchange for VRChat receiving verified age information, Persona receives my: Name, first and last, Address, Driver's License Number and class, Sex, Height, Weight, Eye colour, Hair colour, Signature, and barcodes that can be used to find the same or more information about me. All so VRChat can have the one data point on the card they care about: Date of Birth. I will make concessions for the use of Height, Weight, Eye colour, Hair colour, and the photo on the ID with an accompanying self photo for the sole purpose of verification. The balance of what is required versus what is ultimately used is egregiously skewed. And while VRChat's contract with Persona stipulates that any identification data obtained by Persona must be deleted upon completion, there is comparatively little risk to Persona keeping the wealth of information illegally. Should a breach occur, users that have had their personal data exposed would be left fighting for the rest of their lives against Identity theft and fraud, while Persona would likely only be served a monetary fine. The risk versus the reward is far too unbalanced against the user. As for how likely it may or may not be that Persona is holding such data illegally, I would like to make note that Persona is based in the United States of America, and you don't have to look very hard to find the state of professional accountability for wealthy companies backed by powerful people in that country. Suffice to say that I do not trust Persona with my identification information, and am upset that the age verified features will be unavailable to me due to this. I implore VRChat to consider other avenues of age verification that do not require such extreme overreach of personal data collection. Regards -Aranethon
0
Why is Persona deemed to be trustworthy?
VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9 Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.
36
[1865] Avatars you've uploaded which have been forcefully filtered by Content Gating may incentivize creators to remove content warnings for usability/discoverability
When your Uploaded avatars are filtered by Content Gating, these become unlisted from the "Uploaded" tab, the VRChat Home avatars list, and the Content Manager in the VRChat Avatars SDK. This may incorrectly incentivize creators to remove Content Warnings from avatars they've uploaded themself for usability reasons, to switch into those avatars more easily - unless you are Verified 18+ and can disable Gating. The issue comes from stifling creators who are not Verified 18+ (but may be older than 18 years old), have uploaded some of their avatars with "Sexually Suggestive" content warnings, and want to switch into those "Sexually Suggestive" avatars themselves. Functionally switching into these filtered self-uploaded/private avatars is plausible, but these avatars may become forcefully unlisted by Content Gating (per VRChat's blog post) and are only accessible directly by a known URL/avatar ID, from Recently Used, or from Favorite Avatars. This hurts discoverability and may incentivize these stifling creators to remove Content Warnings in order to switch into these avatars in app without obstacles, with the intent to avoid going through an Age Assurance process and the plausible associated costs incurred to the creator (e.g. a month of VRC+ to become age assured). Additional info: https://ask.vrchat.com/t/developer-update-25-june-2026/48618/35 https://hello.vrchat.com/blog/june-2026-safety-update Note: I'm Verified 18+ btw.
2
Submitting a retainable record of your government ID is not an acceptable method of age verification.
As your full government ID is retainable when sent as an image, this is not a safe method to age verify as seen by multiple leaks, as well as the leaks of source code from Persona which indicate their direct interfaces to send data to the US government and their potential retention of this data over a long period. Other services have had their databases leaked as well, for example IDMerit which has left an estimated billion people with their full name, address, face, and all other information on their ID now held by an unknown amount of strangers. Access to an image of your full ID is as extensive as a doxx can get, and upon any failing to secure this data this information will not be removable from the public internet. When these are found by malicious actors, the data can be sold to any interested party en masse without disclosing it publicly, or even shared around interested parties. Keeping data like this quietly is not new, as long as company databases have been valuable, the information has been as well. Copies cannot be removed. If the data is publicly released, archives will exist with data this valuable. It takes one person deciding they don't like you who knows the right place to look to try to find who you are in person. As with any ID verification company, Persona's internally stored data is a black box with no way of proving that they do not link the data back to your account, or any of the other data sources they use, as stated in the Privacy Policy: "We may verify personal data about you for age assurance purposes with our network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit bureaus, utility companies, mobile network providers and postal address databases. The types of this “Additional Age Assurance Data” we obtain from these sources will vary depending on the verification checks available in the particular country. " I also find it concerning due to the use of VRChat as a place to explore personal identity: multiple sources and definitions deem the current actions of the United States administration as a genocide against transgender people, linking this government ID with those exploring their gender identity is incredibly worrying to me as the actions of the United States administration are increasingly brazen. Matters of national security are free to have orders attached not to disclose that a company is cooperating for a specific purpose to the government, and the administration has already stated publicly their views of transgender activism as a threat to national security. The 2026 United States Counterterrorism Strategy specifically states that they will "prioritize the rapid identification and neutralization of violent secular political groups whose ideology is anti-American, radically pro-transgender, and anarchist." I am in Canada. With our degree of cooperation with the United States, I do not feel comfortable having a link between my current government ID and my behaviour online with the current United States' administrations actions. I do not feel safe sending such extensive personal data in a retainable form to any entity. I do not trust any entity with a potentially permanent record of such dangerous data to have. I oppose any link between my personal identity offline and online; should some form of ID be necessary, at MINIMUM significant redactions should be allowed if not mandatory in order to simply demonstrate that there exists someone somewhere who is the age shown. I especially take issue with gating all content of a category behind such an egregious violation of privacy. If your system is has significant risks for the user, it is not a system that can be an expectation to interact with certain content. Privacy matters, and such an expectation causes even further erosion then what we have already lost. Normalization and acceptance of this lost part of anonymization paves the road for further damage.
6
Load More