
Age checks are becoming law worldwide. The question is no longer whether platforms verify age, but what happens to the faces they collect -- and whether they need to collect them at all.
By Ricardo Amper, Founder & CEO, Incode Technologies
More than 30 age assurance laws are now in force worldwide. The UK is enforcing the Online Safety Act's "highly effective" age check requirement, with restrictions on under-16 access to social media planned for spring 2027.
Australia's under-16 rules took effect in December, and the government has signaled its intent to double maximum fines to $99 million after early waves of non-compliance. Brazil's Digital ECA became enforceable in March 2026, now half of U.S. states now mandate some form of age verification.
Facial age estimation has emerged as one of the most accessible ways to comply. It needs no government ID and no database lookup, which makes it workable for users of all age groups, including those with no documents to show.
In regulated markets, Incode's data shows users choose it eight out of ten times over other age assurance methods. But it asks people for one of the things they feel least comfortable sharing: their face. And until now, nearly every implementation has worked the same way -- capture the face, send it to a server, run the estimate there.
The problem with server-based age estimation
The record shows why that is a growing liability, especially for vendors relying on third party tech stack. According to the Identity Theft Resource Center's 2025 Annual Data Breach Report, the U.S. recorded 3,322 data compromises last year -- a record high and a 79% increase over five years -- while supply-chain breaches doubled over the same period.
The same organization found that 63% of consumers have expressed serious concern over biometric data collection.
Meanwhile, the attacks are scaling faster than the defenses. Across more than 7 billion identity verifications processed on its platform, Incode has tracked the rise of agentic fraud -- fraud attempts carried out with the help of AI agents.
In 2024, agentic fraud made up 3% of fraud attempts. By the first quarter of 2026 it had reached 40%, and Incode estimates it will exceed 90% within the next 18 months.
Privacy by policy vs. privacy by architecture
The industry's standard answer has been a privacy policy: a written promise that biometric data will be handled with care and deleted after the check happens.
A policy is a legal document. It is not a security control. It cannot stop a breach, an insider, or a compromised vendor; it can only assign responsibility afterward.
Privacy by architecture is a different proposition: build the system so the sensitive data never becomes accessible in the first place. If a face is never transmitted, it cannot be intercepted.
If it is never stored, it cannot be breached. Users do not have to trust anyone's word. Privacy stops being a promise and becomes a fact of the architecture.
A $100 million commitment, in two parts
Last month, Incode Technologies, a leader in AI-powered identity verification and fraud prevention, announced a $100 million commitment to advancing privacy-preserving identity infrastructure, alongside its acquisition of Identiq, a company specializing in privacy-enhancing cryptographic solutions for peer-to-peer anti-fraud collaboration.
The funds are directed at on-device processing capabilities, continued R&D in privacy-enhancing technologies, and expanded engineering resources and global footprint.
Two weeks later, the first product was made public. On-Device Age Estimation, launched in July, the first time Incode's proprietary models run fully on the user's own device.
Both trace back to architectural decisions made at the company's founding: verification driven by AI rather than by human access to biometric data, processing pushed to the user's own device, and fraud collaboration designed to work without exposing data.
Part one: age checks where the face never leaves the device
On-Device Age Estimation runs two of Incode's models directly inside the user's phone, tablet, or laptop: facial age estimation and passive liveness detection, which confirms that a real, live person -- not a photo, a deepfake, or a replayed clip -- is in front of the camera. The face is analyzed locally and is not transmitted or stored.
What travels onward is the outcome: whether the user meets the platform's required age threshold. If the check cannot be completed for any reason, the user is automatically offered another verification method selected by the platform.
Making that possible meant shrinking the models. Incode compressed both to roughly a tenth of their original size using knowledge distillation -- a technique in which a compact model is trained to reproduce the judgments of a much larger, more accurate one.
The resulting models are small enough to run inside an ordinary browser or app, across a wide range of devices, with no special hardware required.
Because the face is analyzed on the user's own device, there is no technical way for Incode or any client platform to access a biometric or face image. In plain terms: the user proves their age. The face stays on the device.
Why does anything reach a server at all?
An age check that is easy to cheat protects no one. What the device alone cannot fully rule out is tampering with the session itself -- an injected camera feed, for example, or a manipulated device. Incode's server-side layer analyzes session metadata -- when and how the session happened, and the characteristics of the device and connection -- to detect injection attacks and tampering.
That data contains no facial or biometric information; it exists for fraud detection and session integrity.
Without it, minors could appear as adults and adults as minors, and the result would be worthless for safety and compliance.
Those defenses carry the record of the environments they came from. For more than a decade, Incode's models have operated in some of the most attacked environments online -- banks, fintechs, healthcare, and other high-stakes services where fraudsters bring deepfakes, injection attacks, and replayed video every day.
Incode's security layer achieves 99% spoof detection across deepfakes, injection attacks, replay attacks, and physical spoofing -- the same anti-impersonation standard trusted by eight of the top ten U.S. banks -- and has flagged more than 1 million face attacks across Incode's platform in 2026.
On-Device Age Estimation is the first enterprise-ready offering to combine on-device age estimation with those defenses -- a combination the company believes can reset the standard for how platforms verify age worldwide.
Part two: fighting fraud together without pooling the data
The second part of the commitment addresses a different exposure: the way institutions share fraud intelligence. Fraudsters collaborate across institutional boundaries; the institutions defending against them typically work alone, each seeing a fraction of the threat data.
The traditional fix -- pooling customer data across institutions -- solves one problem by making the other worse. Central data lakes are precisely the kind of target the breach statistics describe.
Identiq spent nearly a decade and invested more than $50 million developing patented privacy-enhancing technology that lets organizations share fraud signals without exposing customer data to any third party.
No central data lakes. No data brokerage.
Integrated into Incode's platform, that work is projected to reach billions of verifications annually, adding network fraud intelligence to the platform's capabilities.
"Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers' data," said Itay Levy, Co-Founder and CEO of Identiq.
"Identiq built the answer to that very question. As part of Incode, that answer is now available to every organization that deals with massive amounts of user data."
The standard is being set now
The pressure comes from both directions: regulation keeps expanding, and users are increasingly demanding more privacy-preserving ways to meet it. Regulators, meanwhile, are actively deciding which age assurance methods count as effective -- which makes this the period in which the standard gets set.
Incode's position going into that period is a matter of record rather than roadmap: a compliance program spanning SOC 2 Type 2, ISO/IEC 27001, HIPAA Attestation of Compliance, FedRAMP Ready, the Age Check Certification Scheme (ACCS), and the Kantara IAL2 Component Services Trust Mark; more than 7 billion trust checks processed; and now a shipping product where the face never leaves the device, alongside fraud collaboration that never pools the data.
"We have always believed that privacy and fraud prevention are not a tradeoff, but part of the same problem -- solved together or not at all," said Ricardo Amper, Founder and CEO of Incode.
"Age checks are becoming law around the world. Our job is to do what we can so that proving your age asks as little of the user as possible."
Try Incode’s On-Device Age Estimation
See how On-Device Age Estimation lets platforms meet age assurance requirements without the user's face leaving the user's device, and book a walkthrough for your team: incode.com/privacy
Sponsored and written by Incode.









English (US) ·