Violation of GDPR "Data minimisation"
complete
Dominik 25kt
From the FAQ:
Do you have to submit an un-edited ID to Persona?
Yes, you must send your unedited, full ID to Persona. Obfuscating, blocking, blurring, or otherwise removing information from your ID will cause a failure to verify.
Is Persona subject to the GDPR?
Yes, it is. Any company or organization that processes data of users within the EU must comply with the GDPR, even if they aren’t based in the EU (GDPR Article 3).
Those 2 don't go together,
Art. 5 (1) (b) of the GDPR
> collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Art. 5 (1) (c) of the GDPR
> adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Art. 25 (2) of the GDPR
> The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed
meaning we are allowed to block out all information that is not needed (meaning pretty much everything except birth year (if the year alone makes it clear that we are 18+) and maybe the picture to verify that we are actually the owner of the ID)
Chirping_Cat
The real problem with all this kindergarten-lawyer analysis is that it completely misses how GDPR actually works.
If Persona or VRChat are collecting information, such as the details from an identity document, for the purpose of checking your age AND validating the authenticity of the document AND preventing document reuse, then they are fully compliant with GDPR, because they can't achieve those outcomes without collecting that information. The key is that the purpose of the data controller—Persona or VRChat in this case—is what matters, not how you want the interaction to work.
You may think you’re just validating your age and therefore age/DOB is only needed, but under GDPR, that’s irrelevant. The data controller’s purpose for collecting and processing the data is the determining factor, and they've very clearly explained the purpose and their reasons for it, which makes them fully compliant with GDPR.
Dominik 25kt
Chirping_Cat
Still for a pure age verification DoB and your picture is enough > think of when you buy alcohol or go into a club, all they check is your DoB and that it's you on the picture.
Sure you could make the argument "but they can't verify the validity of the ID" which is correct (they could check for the holographs and other security measures that make it harder to fake an ID but let's ignore that since they could be fake) but that means they should provide a reasonable method to verify it that doesn't require the processing of too much data.
Recital (39) of the GDPR:
"Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means."
Using eID or at least using a service which supports eID is fully within reason.
Chirping_Cat
Dominik 25kt The GDPR does not require the use of eID (electronic identification) systems for compliance—let's be clear about that. Instead, it focuses on robust data protection measures, secure authentication methods, and clear processes for handling personal data.
Recitals in the GDPR are not legally binding; they exist to guide the interpretation of the Articles. The Articles themselves provide the legal framework, such as Article 25, which prioritises data minimisation while allowing for consideration of factors like implementation costs and the state of the art. Supporting eID would demand significant development costs for Persona, exceeding what is already an effective system based on ID recognition and Optical Character Recognition (OCR). Additionally, international entities rarely adopt eID, demonstrating it’s neither a universal standard nor a practical requirement.
Putting aside that the very start of Article 25 clearly states there is more to the picture than what you're putting forward, if you have genuine concerns about the processes used by Persona, the best course of action is to raise these directly with Persona or consult your country’s Data Protection Authority. Challenges regarding non-support of eID have likely been addressed and dismissed before—and will likely continue to be dismissed in the future.
It’s genuinely surprising that some people believe they’re raising a novel argument here, ignoring the fact that Persona is already used for age verification by some of the biggest games and entities in the world, including Roblox. This isn’t uncharted territory, and the arguments presented are neither new nor indicative of a GDPR violation—they’ve been thoroughly examined and discarded as anything more than optional best practice. Now if we want to talk about best practice, then let's do that, but let's have the common-sense decency to call it what it is.
Dominik 25kt
Chirping_Cat
since most parts of your answer are just AI written it's not really worth my time, I could talk with ChatGPT myself but I'll still reply to one point since it's the one that made me think it's AI
> Recitals in the GDPR are not legally binding; they exist to guide the interpretation of the Articles.
If it tells you how you should interpret a law it kinda is part of the law.
for example:
I tell you every time I say blue I actually mean green, I ask you to get me something blue (I mean green as you know) and you decide to get me something actually blue > you got me the wrong thing because you interpreted it wrongly even though I specifically told you what I mean.
That's why the Recitals exist, to make it clear what is meant.
Chirping_Cat
Dominik 25kt I am asserting that Recitals do not address the detail or the substance of legislation, and thus whilst it is possible to find relevant quotes in the Recital, the actual Articles will contain the detail that is omitted from a Recital and thus carry much more weight in any judicial sense.
Importantly, no one would ever be accused of violating a Recital, and a simple Google of 'Recital in Law' will give you numerous references to this point and the further point I was alluding to is that I won't debate a Recital when there are very clear specific provisions in Article 25 that allow a data controller to factor in 'cost of implementation' and 'state of the art' into decisions surrounding how and when they minimise data collected.
Unless you're countering that specific argument, you haven't really got much of a leg to stand on, and the laziness of your reply (Specifically the copying of MyFedora's ChatGPT accusation) shows you're grasping at straws.
Dominik 25kt
Chirping_Cat Are you actually arguing that sending a picture of my ID is state of the art? I dismissed that since it's just AI slop and I thought no one can actually believe that.
What's next? Sending my physical ID by mail is also "state of the art"?
And for "cost of implementation" countries have published apps so it's easy for everyone to verify that the other person is 18+, I show you a QR code > you scan it > you get the info that I'm 18+ and a picture of me so you can verify that I didn't just steal the eID from someone aka most of the work is already done.
Chirping_Cat
Dominik 25kt No, I am not arguing that.
I am suggesting that supporting eID, or any Government-based digital identification platforms, to the full-extent required to deliver the privacy benefits they entail is uncommon at present, and not reflective of the current state of art used in age verification used by tech platforms. This is evidenced by the fact that only 41% of EU citizens used an eID in at least one of their online interactions in 2023... And this number does not imply exclusive eID use, meaning of that 41%, many would have also had non-eID interactions on the Internet, bringing the percentage of "exclusive eID users" down even more. (Source: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=E-government_and_electronic_identification ) - Why does this matter? Because it demonstrates that non-support of eID for identification, whilst not adhering to what is obviously a best-practice, does not make a platform an outlier in terms of data handling practices such as to constitute a GDPR violation. Which explains why the world's major verification platforms (Like Persona) aren't forced to support it yet.
Cost of implementation exists because VRChat requires a scalable (Read: Automated) way to ingest and validate that information, which speaks to custom development effort above and beyond what is readily available given that mainstream identification platforms (Like Persona) are clearly not supporting it yet.
But please, keep mentioning the red herring of the AI boogeyman rather than addressing the arguments: It's probably the most sense you've made in everything you've stated so far, despite how factually flawed it is.
Edit: Also the lack of any rebuttal to my response concerning Recitals is noted. Thank you for conceding on that point.
Dominik 25kt
Chirping_Cat
> is uncommon and not reflective of the current state of art used in age verification used by tech platforms
Except they are common just not with US based ones. (you might also wanna look at the definition of "state of the art" because it does not mean "whatever is commonly used")
> Cost of implementation exists because VRChat requires a scalable way
So adding a platform which supports it is not scalable?
And to sum up the whole conversation, we went from "they need the full uncensored ID because there is no other way to verify that it's legit" to "there are other ways they are just too lazy to implement them and that's ok because most other US companies are also too lazy"
Chirping_Cat
Dominik 25kt The fact that Non-EU organisations have not adopted eID is still relevant on the basis of the unique investment required to support eID, the extent their user base consists of European users covered by this process, the completely optional nature of the process, and the state of the art of Non-EU organisations. (Again, as per Article 25, all of these factors would counteract the argument that there has been violation of the GDPR.)
Let's be real for a second: The reason that European entities support it is because they predominantly deal with and handle European customers. It makes sense for them to support this since it benefits more of their user base. Article 25 allows data controllers to make reasonable judgements on this basis and others, and again, no one is yet to argue the opposite.
Personally I would sum up the conversation as "VRChat has implemented the age-verification option that, on the whole, and having consideration for all the competing considerations (Such as global coverage, cost per verification, privacy and security, support team costs, ease of use, cost of implementation etc.) that best suits their business case. They have a clear rationale for collecting the information given the industry standard age verification process they are following, they have clearly communicated what the information collected is and what they do with it, will discard the information at the earliest possible opportunity, and in so doing are completely compliant with the GDPR. There is nothing in the GDPR that compels companies to spend money they may or may not have on every single data minimisation initiative in existence, there is nothing that mandates support of eID, and the start of Article 25 goes to great lengths to make clear that data minimisation isn't everything; There are other factors that must be considered."
That being said, I completely agree supporting eID would be excellent. It's a best practice, and I hope more platforms adopt it. However, this Canny post accuses VRChat of violating the GDPR. Hence my comments are focused on the accuracy of that accusation, rather than whether eID adoption is a good practice. If the post had simply been titled "Support eID for Better Privacy," I would have supported it and moved on. Unfortunately, the phrasing used by the original poster and many respondents has brought us into this broader debate, and made the Canny more difficult to support.
Dominik 25kt
Chirping_Cat
I don't want to drag it on forever but just to point it out
> they have clearly communicated what the information collected is and what they do with it, will discard the information at the earliest possible opportunity, and in so doing are completely compliant with the GDPR.
They are not clear which data VRChat is collecting/processing, we know Persona collects everything on the ID you provide and "some" data is being passed on to VRChat to create the hash.
Also when I initially created the post they did not "discard the information at the earliest" the initial plan was to let Persona keep it forever (unless you request them to delete it).
Chirping_Cat
Dominik 25kt It is safe to say from the FAQ and Tupper's video that:
1) The Full Name, DOB and the Unique Document Type (License, Passport etc) and Document Holder Identifier (Such as Passport Number or License Number) is being used to generate the hash. I can't see any more or less information than that being stored based on the information available, simply because this is the only information that would appear on every type of ID, and because adding further information makes it easier to re-use IDs across multiple accounts. (You have to keep in mind that VRChat has a vested interest to include as little information as possible in the Hash to help prevent dodging by country and address changes etc.) - In theory they could replace Full Name with Document Country, and that would be even better from a privacy perspective.
2) That the data is pulled from Persona via the API via HTTPS for the purposes of generating the Hash, and that this Hash is then stored in the database against the user.
3) That the raw data is discarded from Persona's systems at the completion of the verification process.
Whilst I accept your last point, given that this is a Beta system, I'm only going to debate what the system is currently not what it was, simply because there's no benefit contemplating what might have been given that... well... this is part of what Betas are for, VRChat specifically invited this kind of feedback, and should be commended for listening to community feedback where that feedback is reasonable... not lambasted.
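A sketch of the reuse check as the comment above guesses it works, added here as an example; it is not VRChat's or Persona's code, and VRChat has not disclosed its inputs or method. The field set follows the comment's guess, while the HMAC key, the canonicalisation rules, and the names `IdDocument`, `document_token` and `VerificationStore` are assumptions.

```python
import hashlib
import hmac
import unicodedata
from dataclasses import dataclass

# Constructed demo key. A real deployment would keep this in a KMS/HSM;
# without a secret key, anyone holding the table could guess low-entropy
# inputs (names, birth dates, document numbers) and confirm them offline.
DEDUP_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass(frozen=True)
class IdDocument:
    """Fields an ID check might extract (all values in this file are constructed)."""
    full_name: str
    date_of_birth: str  # ISO 8601, e.g. "1990-04-12"
    doc_type: str       # "passport", "drivers_license", ...
    doc_number: str
    address: str = ""   # on some IDs; deliberately NOT part of the token


def _canon_text(value: str) -> str:
    """Fold case, Unicode form and whitespace so OCR variants compare equal."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())


def _canon_number(value: str) -> str:
    """Keep only letters and digits: 'L01X 00T-47' and 'l01x00t47' match."""
    folded = unicodedata.normalize("NFKC", value).upper()
    return "".join(ch for ch in folded if ch.isalnum())


def document_token(doc: IdDocument, key: bytes = DEDUP_KEY) -> str:
    """HMAC-SHA256 over the four fields the comment names."""
    fields = [
        _canon_text(doc.doc_type),
        _canon_number(doc.doc_number),
        _canon_text(doc.full_name),
        doc.date_of_birth.strip(),
    ]
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    message = b"".join(
        len(f.encode("utf-8")).to_bytes(2, "big") + f.encode("utf-8") for f in fields
    )
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class VerificationStore:
    """Retains only token -> (account, birth date); raw ID fields are dropped."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[str, str]] = {}

    def verify(self, account_id: str, doc: IdDocument) -> str:
        token = document_token(doc)
        owner = self._records.get(token)
        if owner is not None and owner[0] != account_id:
            return "rejected: document already bound to another account"
        self._records[token] = (account_id, doc.date_of_birth.strip())
        return "verified"

    def retained(self) -> dict[str, tuple[str, str]]:
        """What survives after verification, for inspection."""
        return dict(self._records)


if __name__ == "__main__":
    store = VerificationStore()
    first = IdDocument("Erika Mustermann", "1990-04-12", "passport",
                       "L01X 00T-47", address="Heidestrasse 17, Koeln")
    # Same document re-scanned: different casing, spacing and a new address.
    rescan = IdDocument("ERIKA  MUSTERMANN", "1990-04-12", "Passport",
                        "l01x00t47", address="Musterweg 3, Berlin")
    print(store.verify("usr_A", first))
    print(store.verify("usr_B", rescan))
    print(store.retained())
```

Leaving the address out of the token is what keeps a move or a re-scan from producing a fresh identity, which is the behaviour the comment expects.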
Dominik 25kt
Chirping_Cat
1) While I agree with you that no more data would be needed VRChat is not transparent about it, quite the opposite actually, they don't want to tell us > to quote Tupper "We don’t disclose the exact methods and data we use"
3) no, VRChat requests the deletion of the data after the process is done, which means in theory they could keep it for days or weeks (depending on which laws apply) and during that time they (Persona) could do whatever they want with that data.
Chirping_Cat
Dominik 25kt
1) If that is indeed the case then I agree it is superfluous, have you got a source to link to that I can read? Obviously people will very easily figure out what is in the hash when they attempt to their ID on alts... both successfully and unsuccessfully, so it is completely pointless hiding what goes into it since the mere act of trying to verify multiple accounts will result in users reverse engineering what they're recording. (Tupper - VRChat Head of Community - Can you please provide some clarity on this point? Since there really is no apparent reason to hide that information)
2) They've stated in writing that the data is deleted at the end of the process, which is post-generating the Hash. The request is made via the Persona API, so it should be instant.
Dominik 25kt
Chirping_Cat
> have you got a source to link to that I can read?
It's in his reply from Dec 18 2024 that marked this thread as "complete", idk if I can directly link to it
Tupper - VRChat Head of Community
complete
Thanks for raising these concerns.
We understand your desire to minimize what data you share. However, it is important to remember that our verification process must ensure IDs are both valid and legitimate. As required under GDPR Article 5, we collect and process ID data solely for the legitimate purpose of verification, and our practices are designed to meet the principles of adequacy, relevance, and limitation. Once the data is processed, we retain the bare minimum (e.g. a hash and birth date) to maintain security and regulatory compliance. All other ID data is deleted.
A blurred ID with a birthday is not sufficient to confirm an ID’s legitimacy. We don’t disclose the exact methods and data we use for verification as doing so could make the process easier to circumvent. Rest assured that we continually review our policies and practices to keep data use as minimal and transparent as possible.
Geckσ
Tupper - VRChat Head of Community Sure, you can assure something in your philosophy and company's policy, but the fact that Persona is currently in 2 class action lawsuits does not help with privacy + trust related issues in a positive way. I will refrain from using that system, entirely, and many others will too.
SaphiGoat
Tupper - VRChat Head of Community An unblurred ID actively puts people in danger.
There is no way to be sure, that persona will handle it correctly.
There should be other ways to confirm that I'm an adult. Like a code inside a transaction (bank account, credit card, PayPal). Age of linked Steam account.
MyFedora
Tupper - VRChat Head of Community Oh, great, security through obscurity. Exactly what I want to hear when handing over my unredacted ID and selfie to Persona.
Look, be glad that most people online misinterpreted the privacy update video as a good thing. The video comes across more like, "Hey, we hear your concerns, we'll make a few changes to protect your privacy. We really do care, trust us." instead of "We've been prioritizing privacy from the start. As for age verification, we already do X, Y and Z, and are planning to do A, B and C to protect your privacy. Here's how we've proactively restructured our development processes and trained our engineers to bake privacy into everything we do."
The fact that hashing data only came up now is concerning. As a developer who values privacy, this should've been a given from the start. Hashing sensitive data is basic practice, not some advanced concept. It being introduced at this stage feels more like a reaction to public pressure than a genuinely thought-out design decision, which is extremely unsettling.
I've worked at startups where privacy wasn't even on the radar, where collecting unnecessary data was the norm and pushing back against violations was met with hostility. But out in public? They'd preach about privacy like saints. I'm getting that vibe here with VRChat, especially after the public announcement.
Also, let's be clear: Providing an unredacted ID and a selfie is textbook definition identity verification, not age verification. It's enough personal data to pass a bank's identity check in my country.
Utami Hasegawa
Tupper - VRChat Head of Community To be fair, I don't think the issue here is "desire to minimize what data you share."
I think the issue is whether or not Persona (and presumably VRChat as well in their role as data controller) is following the law with regard to only collecting information that's specifically necessary for verifying a user's age.
If VRChat doesn't disclose the methods it uses for age verification and why it necessitates an unredacted ID, how does that comply with the GDPR requirement that the purpose for collecting the data be specified?
Dominik 25kt
MyFedora
> Also, let's be clear: Providing an unredacted ID and a selfie is textbook definition identity verification, not age verification.
Pretty much yea, I don't wanna accuse the VRC team as being malicious but it feels a bit like the name "Age Verification" was chosen because "Identity Verification" would have made too many people angry.
Dominik 25kt
Tupper - VRChat Head of Community
> A blurred ID with a birthday is not sufficient to confirm an ID’s legitimacy. We don’t disclose the exact methods and data we use for verification as doing so could make the process easier to circumvent. Rest assured that we continually review our policies and practices to keep data use as minimal and transparent as possible.
Keeping as little data as possible is great and a step forward compared to the original system but GDPR Article 5 also says processing the minimum amount of data and since you practice "security through obscurity" and are not telling us what kind of data you're processing I assume you process everything which is quite excessive for a simple Age Verification especially considering that digital IDs with age verification function are a thing which depending on the implementation of the country provides you as little data as "yes the person is 18+" and a picture so you can verify that the digital ID actually belongs to the person verifying (and you can just hash the picture provided by the digital ID to make sure only 1 person is using it).
The best way to care about privacy as a company is collecting as little data as possible.
Chirping_Cat
MyFedora A lot of countries require 100 points of ID and specifically an address so.... use a form of ID that hasn't got the address on it.
Further, to reliably perform age verification you have to confirm the veracity of the ID document used.
SaphiGoat
Chirping_Cat identity theft is far worse than just a leaked Address or payment info.
Someone can create Bank Accounts in your name for example, or use it for all other sorts of crimes.
MyFedora
Chirping_Cat Or, hear me out, use an age verification method that respects my privacy instead.
We have a government app for digital age verification. We have e-banking apps with digital age verification. We have post offices with in-person age verification.
There's no excuse for sticking with outdated, easily bypassed systems when we've got infrastructure in place to verify age reliably and securely.
Instead, they're opting for these expensive, unreliable and privacy-invasive solutions. They're begging for criticism.
Chirping_Cat
MyFedora Welcome to the new era—more and more companies are rolling out age and identity verification systems, and this approach seems to be the industry standard. Have you ever wondered why that is?
A team with limited resources, like VRChat, isn’t equipped to manually integrate every nation’s digital ID service. That’s why they partnered with Persona, an organisation specialising in these solutions. While it’s unfortunate that many of these services don’t support the systems you’ve referenced, that doesn’t make the decision flawed or indicate it wasn’t the best choice for VRChat.
Their decision to work with Persona was clearly grounded in risk management and commercial strategy. Claiming they would opt for a more expensive solution without reason overlooks the fundamental balance of operational costs, capital investment, and risk mitigation. If you’re going to critique this, it might be worth familiarising yourself with how successful businesses operate and make decisions. (Hint: anything developed in-house carries significant real-world costs, beyond the time needed, which is why companies only do it when it’s absolutely core to their operations and there isn't any other way.)
Personally, I’ve found their solution to be reliable, and I’ve yet to see negative feedback from anyone who’s used it. In fact, it seems you’ve successfully verified as 18+, which does call into question your concerns about reliability and privacy. After all, you’ve willingly shared the required information—if privacy was a grave concern, wouldn’t you have avoided the process altogether?
MyFedora
Chirping_Cat If you can't even be bothered to make your own argument and need ChatGPT to do it for you, don't expect me to waste my time debating you.
Chirping_Cat
MyFedora Well, that's a debating win if I've ever seen one. Not only did this devolve into an ad hominem attack from the get go, every point made was glossed over as if it were too hard to respond. Though I’m genuinely amused by the claims of ChatGPT creating my arguments, so let’s hone in on that for a moment by reviewing what I actually wrote after the leading question:
Paragraph 2: I highlighted that VRChat is making the best decisions it can for its platform which is a sentiment that’s hardly controversial. The idea of including this was to elicit something short of implacable opposition prior to launching into Paragraph 3 (Where I address a possible bias toward the cost of internal development) and Paragraph 4 (Where I address the paradox of already being verified despite holding significant concerns.)
Paragraph 3: I noticed your occupation as a software developer (as per your bio) and in an attempt to anticipate your perspective, went on in this paragraph to ensure you fully grasp the significant costs associated with developing in-house systems, which would be required for VRChat to collect less information given that major platforms don't work like that. The reason I anticipated this to be relevant is because, as someone who helps guide these kinds of decisions in the workplace, I often find that software developers forget that internally developed software carries more costs than just the initial time-investment required to write the solution. (And often more risk also...)
Paragraph 4: I pointed out your verified account status (also from your bio), which undermined your claims about privacy concerns and reliability. It did so because you voluntarily opted into a Beta system for verification, knowing how it worked, and without waiting to see if privacy-related enhancements would be made later. You also successfully verified as a result of your decision to participate. This seems at odds with the behaviour of someone who has significant privacy concerns, and also with your assertion that the system is somehow unreliable. (Given your own experience.)
Now, if you genuinely expect ChatGPT to generate these very specific arguments, then you've probably misunderstood the current state of AI - ChatGPT doesn't find you that interesting, yet. x3
Geckσ
As NiniNia said, blurring everything which is NOT a necessity for the process itself (verifying the age via birthdate (even the year itself should be enough), and the face for the actual visual validation) should be mandatory, and that shouldn't be exclusive to the EU.
I am an EU citizen, and I will not use this service, especially with the class action lawsuits (data abuse) currently running against Persona.
If the majority of the worlds are switching over to +18 (group settings), resulting in blocking any regular unverified +18 user from accessing the social aspect of this whole purpose, I will leave VRC for good. I am not here to hang around with minors.
Tupper - VRChat Head of Community
Merged in a post:
Age verify changes from 11.12.24
Scribble Clash
First, thank you for trying to address the issues. But the changes do little to alleviate the main issue - that being you asking for a full, unobfuscated ID. This stays a high security risk and is completely unnecessary for age verification.
The only reason to keep this is identity verification (what the hash is necessary for). Everyone's guess is as good as mine as to why this is so important to VRC.
If Persona can't, or VRC won't, allow obfuscation, then this remains unusable to me.
Tupper - VRChat Head of Community
Merged in a post:
Laws might be more complicated than you think
EinDev
As per Art. 5 GDPR you are required to store as minimal data as needed.
In your FAQ you mention that only requesting to delete _all_ data will affect the verification status. This does not comply with the data minimization section.
Besides that - storing a photocopy of an ID is illegal in Germany for non-financial reasons. Whether or not you need to comply with those laws depends on whether or not you target German customers. As you implemented a German translation for your software, offer most payment methods used in Germany and even explicitly invite EU-based customers by having separate servers, I think it is clear that this means you are targeting German customers.
I am not a lawyer, but I hope you have got it checked by a lawyer with a decent knowledge about international rights. Cause I will.
And just to clarify: This is nothing personal, I was really looking forward towards age verification. We have all this technology, with IDs with a digital chip in them. I honestly do not understand why international companies still prefer visual verification of IDs. It is so much easier to use the features German IDs provide.... This way you don't even have to involve a human, you can fully automate this. Just like the government does.
Tupper - VRChat Head of Community
Merged in a post:
Blur unnecessary information
NiniNia
As a German citizen it's my right to only show the needed relevant information, in this case that's my face, ID photo and my birthdate on the ID, since the whole purpose is to 1. confirm my age and for this matter 2. confirm I am the ID holder
It's not in compliance with GDPR to request the whole ID data
ByteByte-Baxi
They sadly don't care about your rights. Time to move to other platforms. Everyone to resonate
Chirping_Cat
ByteByte-Baxi When Easy Anti-Cheat (EAC) rolled out, there were skeptics who swore it would ruin everything and threatened boycotts. But guess what? The vast majority of players adapted, those who threatened boycotts got over it, and many came to like the change because it meant fewer clients and a better experience overall.
The same logic applies here despite the fire and brimstone you're painting out: Adults want spaces free of minors, and robust age verification is the way to get there... I wouldn't be investing money in Resonite or CVR on the assumption they're going to suddenly take off anytime soon.
ByteByte-Baxi
Chirping_Cat EAC was not asking for your full unmodified government documents, get out of my face with this bullshit comparison
Chirping_Cat
ByteByte-Baxi I don't think you understood my point. What you're saying is I reckon you're overestimating how many people are against this. If VRChat survived the EAC drama, it'll breeze through this without losing any real value.
I mean, only 52 people bothered upvoting this Canny in 15 days—that’s practically nothing. Compare that to over 20,000 responses on day one of the EAC rollout. Meanwhile, Resonite is still a ghost town, and VRChat’s going strong.
But hey, no need to worry about age verification when you’re playing solo on Resonite, right?
ByteByte-Baxi
The devs will just keep lying and hiding this until nobody sees it. So I'm going to try and upvote you. You get banned from the Discord and Reddit for this now though. So bringing it up there is likely not a good idea.
ღ KΛΣƬΉΣ ღ
As a duchy we are by law prohibited to send full copies of our ID to any company that is not permitted by the Dutch government.
Besides that Persona is already in multiple lawsuits for distributing the ID information to their partners who train AI.
Dominik 25kt
It's not just German citizens, it's all EU citizens, GDPR Art. 5 requires companies to allow that