Access Legal & IG Quarterly Update – Q3 2025

Adam Koonce, ACP, Manager, Legal Research

In this quarter’s update, we’ll examine the unusual slowdown in privacy legislation this year, and what the fast-changing world of biometric data and age verification means for organizations in the U.S. and around the globe.

Throughout the update, we’ve included links to relevant legislation and documents where applicable.

Continue reading to become informed of the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible!

Privacy Legislation Stalls in 2025

At the start of 2025, the momentum around privacy legislation in the United States was undeniable. In 2024, eight states enacted new laws, and growing public demand for stronger data protections led many in the records management community to expect even more legislative activity. I personally expected at least five new jurisdictions to pass privacy laws this year, potentially increasing data governance complexity, addressing growing concerns around AI’s use of personal information, and burdening organizations with greater compliance demands. The groundwork had been laid for another big year, and the trajectory seemed clear and unavoidable—more states, more regulation, and more responsibility for records professionals.

Here we are though, well into September, and the silence is deafening. Not a single new comprehensive privacy law has been passed in 2025, and the current political winds are not whispering any optimism that the remaining states will close with a win for consumer data protection. For those of us who were preparing for a wave of legislative updates, perhaps by adjusting policies and budgeting for compliance tools, this pause offers a silver lining: a chance to strengthen our footing within the patchwork of state laws.

The lack of movement raises real questions about political will, legislative priorities, and whether the urgency around data privacy is waning in the United States. However, it would be a mistake to interpret this pause in activity as a full stop in privacy-related legislative activity. In fact, targeted carve-outs, particularly around biometric data, continue to gain momentum across states and countries. These focused laws reflect a growing recognition of the unique risks associated with biometric identifiers, such as facial scans and fingerprints. So, while broad frameworks may be stalled, the regulatory landscape is still evolving in meaningful ways that demand attention and adaptation.

Biometric Age Verification Laws: A New Frontier for Records Schedules and Data Governance

The rise of biometric age verification laws across the U.S. and internationally introduces new considerations for how personal data, particularly sensitive biometric identifiers, is managed, classified, and retained. These laws, now enacted in over 20 U.S. states and in countries such as the UK and Australia, require platforms to verify users’ ages using facial recognition, government-issued IDs, or other biometric methods. Organizations collecting such data must treat it as a high-risk category, subject to stricter controls and more detailed recordkeeping requirements.

When creating or updating a records retention schedule, it’s important to address the unique challenges of biometric data. This means setting clear retention limits, establishing secure disposal protocols, and documenting consent. To manage risk, records managers should consider a distinct category for biometric data with retention periods that meet legal requirements and operational needs; these periods are often shorter than those for traditional data types because of the heightened sensitivity involved.

In the absence of specific biometric data legislation, other privacy legislation impacts how the data is classified, accessed, and audited. For example, verification logs, consent records, and third-party processing agreements may all need to be retained as part of compliance documentation. These records should be indexed in a way that supports rapid retrieval during audits or investigations, and metadata should clearly indicate the source, purpose, and legal basis for collection. Records managers must collaborate with legal and IT teams to ensure that these records are not only stored securely but also governed by policies built for an evolving regulatory landscape.

The use of third-party vendors for biometric verification adds another layer of complexity. Contracts and data-sharing agreements with these providers should be treated as records, subject to retention and review. These agreements should specify data handling practices, breach notification protocols, and retention timelines. Additionally, any data transferred to or from these vendors must be tracked and documented.

Now, let’s review specific biometric age verification laws and regulations from around the world.

United Kingdom

The United Kingdom introduced the Online Safety Act 2023, regulated by Ofcom, to enhance internet safety for both children and adults. It places legal obligations on online platforms, including social media, search engines, and content-sharing services, to prevent the spread of illegal content, reduce exposure to harmful material, and enforce age-appropriate access controls.

The Online Safety Act requires age verification, which may include biometric age estimation technologies. Platforms offering age-restricted content must verify users’ ages using methods such as facial analysis, photo ID uploads, or financial data checks. This introduces a new category of sensitive personal data that must be securely stored, classified, and governed in accordance with UK GDPR. Biometric data use requires explicit consent, strict access controls, and detailed records of verification processes, risk assessments, and third-party vendor agreements.

[Online Safety Act 2023, §§ 23, 34, 36, & 81]

Germany

Germany enforces age verification through the Interstate Treaty on the Protection of Minors in the Media (JMStV), regulated by Kommission für Jugendmedienschutz (KJM). The legislation is designed to protect children and adolescents from harmful or developmentally impairing content in broadcasting and telemedia. It aims to ensure that media content accessible via electronic communication channels does not violate human dignity or expose minors to material that could negatively influence their development into socially responsible individuals. The Treaty establishes age-based content classifications, mandates technical safeguards, and outlines enforcement mechanisms for compliance across public and private media providers.

While the Treaty does not explicitly mention “biometric” age verification, it does require technical systems for age assurance that can differentiate access based on age groups. These systems may include biometric technologies, such as facial recognition or age estimation tools. For records managers and compliance officers, this means that biometric data collected for age verification must be treated as sensitive personal information under all applicable privacy laws—securely stored, properly classified, and retained only as long as necessary. While the legislation is not explicit about retained materials, it’s implied that providers must maintain sufficient records to demonstrate adherence to the Treaty’s requirements and ensure defensibility.

[JMStV, § 21]

Italy

Italy’s approach to age verification, particularly in response to concerns about minors accessing adult content online, has integrated biometric age verification within the scope of privacy regulations via the Public Digital Identity System (SPID).

SPID plays a crucial role in Italy’s efforts to restrict minors’ access to harmful online content, such as pornography or age-restricted platforms. SPID can be configured to share only essential data, like proof of age, without revealing full identity, preserving user privacy. Parents can also manage SPID credentials for their children, enabling controlled access while ensuring compliance with GDPR and national privacy laws.

The most critical regulatory guidance for records managers and professionals in Italy regarding age authentication is found in AGCOM Resolution No. 96/25/CONS, adopted on April 18, 2025, in implementation of Law No. 159/2023 (Decreto Caivano). Resolution No. 96/25/CONS mandates that websites and video-sharing platforms offering adult content must implement certified age verification systems that comply with strict privacy and data protection standards. The regulatory framework enforces a “double anonymity” model, ensuring that identity verifiers do not know which service is being accessed and platforms do not receive personal data about users. The Garante per la protezione dei dati personali (Italy’s Data Protection Authority) supports this framework because it emphasizes data minimization and purpose limitation and aligns Italy with the EU GDPR’s obligations.

United States

The United States operates under a permissive landscape for biometric age verification, encouraging the use of the technology but not requiring its exclusive use. Age verification options tend to include biometric facial recognition, government-issued ID, and credit card authentication. A common theme in the U.S. is for states to require websites where at least one-third of the content is pornographic to perform age verification to prevent minors from accessing the harmful material. In other areas, laws permit the use of biometric age verification for the purchase of alcohol and tobacco.

In the United States, biometric age verification is subject to privacy and data protection safeguards primarily enforced through Federal Trade Commission (FTC) guidance and state-level laws. These safeguards are designed to prevent companies from using biometric data for purposes beyond the original intent of the age verification.

In the absence of federal legislation, the FTC Policy Statement on Biometric Information from May 2023 provides essential guidance on how to manage biometric data, such as facial recognition, fingerprints, and voiceprints, used for age verification. In line with prevailing privacy laws worldwide, FTC guidance makes records professionals responsible for ensuring that biometric data is collected and processed only for specific, disclosed purposes and not repurposed for marketing, profiling, or surveillance. The FTC emphasizes the need for clear and informed consent, data minimization, and robust security measures to protect against unauthorized access or breaches. Documenting all data handling procedures, ensuring transparency in user communications, and regularly auditing systems for compliance are essential. The FTC Act permits enforcement actions against violations of these standards, especially when practices are considered unfair or deceptive.

European Union

The European Union has taken a broader approach with the Digital Services Act (DSA), which mandates platforms with over 45 million users to protect minors from harmful content. While the DSA does not prescribe specific technologies, it encourages effective age verification mechanisms. This has led to the development of privacy-enhancing solutions like the European Digital Identity Wallet (EUDI Wallet) under eIDAS 2.0, enabling users to verify age using cryptographic credentials without revealing identity. The European Data Protection Board (EDPB) supports this approach, emphasizing that biometric age verification must be used only when strictly necessary and must comply with GDPR principles, including data minimization, transparency, and the protection of children’s rights.

In terms of record retention, the DSA requires platforms to maintain documentation of age verification processes, moderation actions, and user complaints to support transparency and regulatory oversight. These records must be retained in a way that aligns with the General Data Protection Regulation (GDPR), which mandates that personal data, including biometric identifiers, be retained only as long as necessary for the original purpose for which it was collected.

Best Practices for Navigating Biometric Age Authentication Compliance

Biometric age authentication is governed by complex and inconsistent regulations across the U.S. and globally. Still, records professionals can take proactive steps to stay ahead:

  • Apply existing privacy laws
    • Even without explicit biometric legislation, strict requirements apply for consent, access control, and auditability.
  • Treat biometric data as high-risk
    • Classify it separately.
    • Use shorter retention periods.
    • Implement secure disposal protocols.
  • Update retention schedules
    • Create a distinct category for biometric data.
    • Retain and properly index logs, consent records, and third-party agreements for rapid retrieval.
  • Collaborate across teams
    • Work with legal and IT to ensure policies reflect evolving regulatory expectations.
  • Prepare for continued scrutiny
    • Maintain defensible documentation of verification processes.
    • Ensure secure data lifecycle management.
    • Conduct regular audits.

To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert or request a product demonstration of Virgo.