XY Zinc: How We Built a Privacy-First Age Verification Service

Over the past two years, age verification has gone from a fringe compliance topic to an operational reality for anyone running age-restricted content online. The UK’s Online Safety Act is being actively enforced by OFCOM. The U.S. Supreme Court upheld Texas’s age verification law in mid-2025, and by early 2026, more than 20 American states have enacted mandates for adult content — with more legislation pending. Australia is rolling out its own enforcement in phases, and the EU’s Digital Services Act is pushing platforms in the same direction.

When this wave hit our properties, I went looking for a solution. What I found in the commercial market didn’t sit well with me, so I built my own. This post explains why, and how XY Zinc takes a fundamentally different approach.

## The Problem With Existing Solutions

Most commercial age verification services follow the same basic model: collect the user’s personally identifiable information (name, address, phone number, sometimes SSN), verify it against public records, and confirm the user is 18+. Some offer photo ID upload as a secondary method.

This approach has three serious problems:

**Privacy risk.** You’re creating a database that connects real identities to regulated services. No matter how many security certifications a company has, databases get breached, companies get acquired, and policies change. For users of adult content sites, cannabis sites, and gambling sites, this is an unacceptable risk. And from the operator’s perspective, you’re exposing yourself to liability for data you never needed to collect in the first place.

**User friction and abandonment.** People don’t want to hand over their Social Security Number or home address to access a website. The abandonment rates are brutal — the majority of users faced with a verification wall will simply leave, and the more personal information you ask for, the higher that number climbs.

**Cost at scale.** Commercial providers charge per verification, and you’re paying for every attempt — including the ones that don’t convert to regular visitors. When your effective verification rate accounts for high abandonment, the cost per retained user becomes very expensive.

## The XY Zinc Approach: Biometric Without the Baggage

XY Zinc uses a two-tier biometric approach that confirms a user is 18+ without collecting any personally identifiable information.

**Tier 1** covers roughly 95% of verifications. The user does a quick face scan through their phone camera or webcam. The system runs a liveness check (confirming it’s a real person, not a photo or video) and then uses age classification — specifically minor probability scoring — to determine whether the user is clearly an adult. The whole thing takes about 30 seconds. No name, no address, no phone number, no ID.

**Tier 2** applies in two situations: when state law explicitly mandates ID-based verification (as in Texas, Louisiana, and others — that’s a legislative decision, not ours), or when the Tier 1 face scan alone isn’t conclusive for a particular user. In either case, the user also scans a government ID. The system extracts only the date of birth and document expiration date, confirms the user is 18+ and the document is current, performs a face match between the selfie and ID photo, and then discards everything. No name, ID number, address, or document image is retained. This mimics the process of handing the clerk your ID in a convenience store to purchase a six-pack.

## Privacy by Design, Not Privacy by Promise

The architecture enforces privacy at every level — this isn’t a policy decision that could be reversed by a future business owner:

**Images never touch disk.** Selfie and ID photos are stored exclusively in a local Redis instance with persistence disabled — meaning no disk writes, ever. They exist in server RAM only, for a maximum of 15 minutes during the active verification. Automatic TTL expiration ensures data is purged even in the event of system failure.
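One way an operator could check the two properties claimed above, persistence disabled and a TTL on every key, is to audit the Redis configuration and sampled TTL readings. This is an added example, not XY Zinc's code; the sample configs, key names and the `audit_*` function names are constructed for illustration.

```python
import shlex

MAX_TTL = 15 * 60  # 15-minute ceiling stated in the post

# Constructed sample configs, not XY Zinc's real files.
WEAK_CONF = 'save 3600 1\nsave 300 100\nappendonly yes\n'
HARDENED_CONF = '# RAM only\nsave ""\nappendonly no\n'

def audit_persistence(conf_text):
    """Return findings for redis.conf text that would let data reach disk."""
    save_points = None   # None = directive absent, built-in defaults apply
    aof = "no"           # Redis default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)
        name = name.lower()
        if name == "save":
            # 'save ""' clears every save point configured so far
            save_points = [] if args == [""] else (save_points or []) + [args]
        elif name == "appendonly" and args:
            aof = args[0].lower()
    findings = []
    if save_points is None:
        findings.append("save: directive absent, default RDB snapshots stay on")
    elif save_points:
        findings.append(f"save: {len(save_points)} RDB save point(s) active")
    if aof == "yes":
        findings.append("appendonly: AOF writes every command to disk")
    return findings

def audit_ttls(ttl_by_key):
    """ttl_by_key maps key -> value of the Redis TTL command (-1 = no expiry)."""
    bad = []
    for key, ttl in sorted(ttl_by_key.items()):
        if ttl == -1:
            bad.append(f"{key}: no expiry set")
        elif ttl > MAX_TTL:
            bad.append(f"{key}: TTL {ttl}s exceeds {MAX_TTL}s")
    return bad

if __name__ == "__main__":
    print(audit_persistence(WEAK_CONF))
    print(audit_persistence(HARDENED_CONF))
    # Constructed TTL readings; key names are hypothetical.
    print(audit_ttls({"verify:selfie:a1": 840, "verify:id:a1": -1}))
```

A config check covers the automatic paths only: the `SAVE` and `BGSAVE` commands still write an RDB file on demand, and OS swap can page Redis memory to disk, so both need their own controls.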

**No intermediary cloud storage.** Images are transmitted directly to processing services (AWS Rekognition, AWS Textract, SightEngine) as raw bytes within API requests. No S3 buckets, no cloud storage intermediaries, no place for data to linger.

**AWS AI opt-out enabled.** We’ve enabled AWS AI Services opt-out policies on our account, which prevents AWS from using user images to train or improve their machine learning models.

**Anonymous session records.** The only persistent data is a session log containing a random UUID, a timestamp, a pass/fail result, region code, and IP address (for fraud detection). There is no way to connect a session record to a specific person by name.
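The Tier 2 decision and the session record described above can be sketched as follows. This is an added example, not XY Zinc's code: the field names, the sample document, and the choice to treat a document expiring today as still current are assumptions, and the face match and liveness steps are not modeled.

```python
import uuid
from datetime import date, datetime, timezone

# Constructed sample of fields an ID scan might yield; names are hypothetical.
SAMPLE_ID = {
    "name": "Constructed Person", "id_number": "X0000000",
    "address": "1 Example St",
    "date_of_birth": "2008-02-29", "expiration_date": "2030-01-01",
}

def years_between(born, today):
    """Completed years; a Feb 29 birthday is reached on Mar 1 in non-leap years."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def tier2_decision(extracted, today, min_age=18):
    """Read only the two fields the post names; ignore everything else."""
    dob = date.fromisoformat(extracted["date_of_birth"])
    expiry = date.fromisoformat(extracted["expiration_date"])
    # Assumption: a document that expires today still counts as current.
    return years_between(dob, today) >= min_age and expiry >= today

def session_record(passed, region, ip):
    """Persisted record holding exactly the fields listed in the post."""
    return {
        "session_id": str(uuid.uuid4()),  # random, not derived from the user
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "result": "pass" if passed else "fail",
        "region": region,
        "ip": ip,
    }

def verify(extracted, region, ip, today=None):
    today = today or date.today()
    passed = tier2_decision(extracted, today)
    extracted.clear()  # drop name, ID number and address with the request
    return session_record(passed, region, ip)

if __name__ == "__main__":
    # One day before the 18th birthday is reached: expected result is "fail".
    print(verify(dict(SAMPLE_ID), "US-TX", "203.0.113.7", today=date(2026, 2, 28)))
```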

**Nothing to breach.** If our verification infrastructure were compromised, an attacker would find anonymous session logs. No faces, no names, no documents, no PII of any kind.

This approach aligns well with where regulators are heading. The UK Online Safety Act specifically supports biometric verification as an approved method. The data minimization principles in GDPR, the UK Data Protection Act, and many US state privacy laws all favor systems that collect only what’s strictly necessary. We’ve published a full [Data Processing Agreement](https://www.xyzinc.com/dpa) and [Privacy Policy](https://www.xyzinc.com/privacy) that document exactly what data is processed, how, and for how long.

## Built For Site Operators

I built XY Zinc initially to solve my own compliance problem, but the technology was designed from day one as a multi-tenant SaaS platform available to other businesses in regulated industries — not just adult content, but also cannabis, alcohol, and gaming.

**Free WordPress plugin.** A drop-in plugin that handles the entire verification flow — region detection via Cloudflare geo headers, the verification UI with QR code support for mobile, cookie management, and account-level persistence for logged-in users. The free plan includes 100 verification credits per month with no credit card required. Download it here or check out the live WordPress age verification demo.

**Static site integration too.** Not on WordPress? XY Zinc also offers a JavaScript embed option — a single script tag for any website — plus REST API integration with sample code for PHP, Node.js, Python, and even Classic ASP for legacy systems.

**Configurable by jurisdiction.** Different states and countries have different requirements. XY Zinc lets you configure verification tiers, minimum age thresholds, blocked regions, and custom messaging per jurisdiction through an admin panel protected by two-factor authentication.

**White-label ready.** Run verification on your own subdomain with custom CSS and logo branding, so users never feel like they’ve left your site.

**Transparent pricing.** Two-tier pricing means simple face checks (Tier 1) cost less than full ID verification (Tier 2). You pay for verification attempts, not abandoned sessions. The Pro plan offers volume discounts at higher tiers. No surprises, no hidden fees.

**Compliance audit trail.** Every verification produces a detailed session record that demonstrates your site took reasonable steps to verify user age — which is ultimately what these laws require.

## The Regulatory Landscape Isn’t Slowing Down

If you operate an age-restricted site and you haven’t dealt with age verification yet, the window is closing. Beyond the existing UK and US state mandates, Australia’s eSafety Commissioner has a phased rollout underway targeting websites in early 2026. The EU’s Digital Services Act is pushing platforms toward similar requirements. And in the US, states that haven’t yet passed laws have bills pending — with some even proposing VPN-blocking measures to prevent circumvention.

The question isn’t whether you’ll need age verification. It’s whether the solution you choose respects your users enough to not turn compliance into a privacy liability.

## Get in Touch

XY Zinc is actively serving verifications and is available to other site operators. You can:

- **Try it yourself:** Visit the live demo to experience the full verification flow
- **Get started free with WordPress:** Download the WordPress plugin — 100 verification credits per month, no credit card
- **Learn more:** Visit xyzinc.com for full product details, privacy policy, and data processing agreement
- **Contact us:** Reach out via xyzinc.com/contact for Pro WordPress plugin plans, SaaS customer API integration, or custom requirements
