Others have asked similar I think, but to be specific:
When you say an ID can only be used once, do you mean a person can only verify once (and their system can (or attempts to) match different IDs belonging to the same individual as a single ‘person’), or if one has multiple forms of valid ID (passport, driving licence, proof of age card, etc) they could validate multiple accounts with a different document used against each account?
For uploading content, will those marking their content as sexual have to have an 18+ account to use it, or will it prevent them from uploading at all? If they mark it wrong so they can use it, and it gets reported as not being tagged correctly and the tag changed, will it be taken down? Or just unable to be used? (I’ve seen quite a few under 18s that buy very explicit avatars and upload them on their accounts ._. Would this prevent those under 18 from doing that? Or restrict the content until they are of age but keep it uploaded?) (Of course, when content gating gets re-implemented with the age verification now with it)
Is there anything preventing VRChat from offering alternative age verification methods for people who aren’t comfortable with Persona?
Edit: Or for people who, for whatever reason, are unable to verify using Persona?
I’d really like to know if after the verification process, if you ask Persona to delete your info, will you still have your verification in VRChat? AFAIK, after you verify you’re over 18, and the data is sent over to the VRChat side, the server will know you’re over 18, and doesn’t need to keep the selfie-ID data to “re-verify”.
Also, I do have an alt that I use to test avatars on PC & Quest at the same time. Given that I wouldn’t be able to verify my alt, I’m worried about being able to use it now. I’ve seen from other replies that alts are very important to people, and I’d be really concerned that they wouldn’t be able to use them fully…
So VRChat does not request the data be deleted upon verification? If VRChat is only using the ID verification to store DoB data, the onus should be on VRC to have made the deletion request instant as soon as VRC receives the notification that the user is verified. This seems like something that’s been neglected and only fuels our concerns.
Alright, so are we going to have access to Persona support? Because I tried to verify myself with Persona on another website, and no matter what I try, it just says “Verification failed”, no matter what I try, and on that site at least, there is no way to contact Persona for information on why the verification has failed, and if I can do a manual verification or something.
I just gave up… and VRC is not something I can afford to just “give up” if the ID verification just “fails” without letting me know how I can “fix it”.
All questions up to this point have been logged and will be answered in an upcoming update.
As a reminder, all posts in this thread that are not a question will be deleted. Please do not discuss questions, attempt to answer questions, or leave feedback for us in this thread! Your post will be removed.
Please direct all feedback (change requests, feature additions) to our feedback boards.
Is there a link you can provide for us to easily have Persona delete our info? I like the idea of age verification but I hate the idea of my data sitting on a server waiting to be hacked/leaked.
You state that VRChat does not receive any information other than the verified date of birth from Persona, however, reading their help page here, it states that:
“How do we access the information collected by Persona?
All information from Persona’s verifications (e.g. the verification results, verification checks, documents, reports, etc) can be retrieved via API. Please see our API for more information. You will also have access to the Persona Dashboard where you can view information from your end users’ verifications and export this information from the Dashboard itself.”
and:
“Can Persona send us the personally identifiable information (PII) provided by individuals (e.g. Name, DOB, address)?
Yes, in the API / Configuration section of the under “Enabled API attributes” you can specify the PII you’d like to retrieve via the API. By default, we do not expose the attributes directly provided by individuals (e.g. name, birthdate, address) via API for data privacy reasons.”
Yet you keep saying that “Persona firewalls all other information from VRChat”. That is only the case if you’ve configured it to not record the parts you don’t need in the Dashboard’s inquiry templates, which I have checked in Persona’s Sandbox. I cannot find a single mention in Persona’s security policies that they force companies that use them to only have access to specific information. I’d love to be proven wrong though.
How can we know that you configured Persona to not save that information into the dashboard?
Can you tell us more of how the collection system works, such as if it:
- Only saves the date of birth or takes all the information off of our IDs and makes all the information accessible in the Dashboard despite you having the API configured to return DOB only?
- Or do you have Persona set up so that you only have access to our DOB through both the Dashboard and API and it deletes/redacts/does not record the rest?
Will VRChat Team Members / Employees also be subject to the terms of this Age Verification policy?
Will Age Verified instances be strictly locked and override things like invite permissions? (Example: can an instance owner in an Age Verified instance invite someone who is not Age Verified to that instance?)
Are there going to be added parameters for avatar creation, I’m thinking similar to the IsOnFriendsList parameter? So avatar creators and modifiers such as myself can make it so only certain parts of an avatar are available based on their age verification status?
Is there a way to know which countries will be covered by Persona for VRC age verification? I have some friends who are in places that do not seem to be covered, but the info comes from LinkedIn, not from Persona or VRC.
In the case where someone would be outside of the countries covered by Persona, does the VRC team have plans to contract other providers to fill the blank areas?
(sry for duplicating this question, I posted this in the previous discussion, but it seems to be better suited here)
My main question is that if this goes well will there be options to include 18+ Avatars and worlds?
There are a lot of people who use 18+ avatars around places that are meant to be for young teens. Having options for 18+ avatars would help a lot to keep minors a bit more safe.
There are also worlds that try bypassing VRChat’s ToS which multiple get published every day. And an 18+ world option could help minimalize the chances of minors coming across these worlds.
I’m no legal expert, but I’m pretty sure asking for a full, uncensored ID is not allowed under Dutch law. From Copy of your ID: what can you do? | Autoriteit Persoonsgegevens (Dutch personal data protection authority):
Copy ID without statutory obligation
Is an organisation not permitted by law to ask for or make a copy ID? Then this will only be allowed if there really is no other option. This means that the organisation first has to ask itself the question if there is any other way to achieve the same aim for which the organisation does not have to make a copy ID.
Is there really no other way? Then the organisation is allowed to ask for or make a blocked copy of your identity document. This means that the organisation has to render your citizen service number (Dutch BSN) and passport photo invisible. Or that you are allowed to do this yourself.
If you have blocked your BSN and photo in the copy, there are still personal data on your identity document. These are your full name, date of birth and the date and place of issue. An organisation must always take a critical look at these data to see whether all those data are necessary.
I’m mostly worried about the BSN on the back of the Dutch identity card, which has about the same secrecy as a social security number in the US, which really shouldn’t be needed to verify your age. I remember trying to use the age verification on Roblox a while ago (which I think also uses Persona) and gave up after I realized they wanted me to take a picture of the back as well but not let me blur anything out. Will this be addressed?
I remember a while ago when I had to verify an ID for Discord for verifying a bot I made that they had a specific exception for Dutch citizens where they were allowed to use the kopieID app, an app made by the Dutch government to block out parts of your ID, to block out parts of your ID that weren’t needed for verifying your identity (like your BSN, signature, photo, etc…)
In hopes of receiving as straightforward and plain English of an answer as possible, will VRChat’s DPA require Persona to treat every user with GDPR-like levels of data protection, regardless of location? Additionally, is there anywhere that we as users might be able to read the terms of the DPA?
I’ve updated the OP with 27 new FAQs.
As an ongoing reminder, all posts in this thread that are not a question will be deleted. Please do not discuss questions, attempt to answer questions, or leave feedback for us in this thread! Your post will be removed.
Please direct all feedback (change requests, feature additions) to our feedback boards.
Is this a no, then? For instance, if I, a person who lives outside of the EU, go through the verification process, then GDPR would not be part of those applicable laws, would it?
Has VRChat considered alternative AV providers?
https://avpassociation.com/find-an-av-provider/
Persona is exceptionally invasive and is currently the subject of a lawsuit for illegally misusing PII. You say they are the best provider for you, but there are options which can do AV using voice alone - which would seem to be a natural fit for VRChat, which already has access to my microphone. These providers can fall back to alternative forms of AV if they aren’t confident enough in your age based on voice alone.
I assume that Persona was chosen in part on a cost basis. If this is the case, would VRChat be willing to offer alternative options for AV either as a part of VRC+ or as a one-time payment?
I would gladly pay some nominal amount to cover the cost of using an alternative AV provider.
Does VRChat have any comment on the disparity between what Persona says they will share with you and what you say you will receive from them? They state that by default they will not share these with you. Who has access to changing this? Is this going to be guaranteed in your privacy policy or ToS, or are we taking your word on it?
Persona also states on that same page -
We can also set an automated retention period for you, after which we permanently delete all PII.
Why not set that retention period to 1 day, rather than putting the onus of getting our PII deleted from Persona on us?
Does that mean, people from unsupported countries will be forced to be locked-out from adult instances and will be force-treated as minors?
Does that mean, if your intents to integrate Age Verification and Content Gating will be implemented, people from unsupported countries will be forced to be locked-out of gated content and only general not gated content will be available to them?
The loophole issue seems like one you guys will make a decision on soon, so I think I could provide some sort of guiding advice here (with more questions). First you must decide what is more important, the privacy of your users or the rare edge cases where fraudulent ID verified accounts will exist (and can be managed with moderator intervention). If you choose to retain personally identifiable information (PII) you must first make this absolutely clear that this change has been made before rollout as this can carry significant legal ramifications if you do not. Secondly, instead of retaining personally identifiable information, you should create a “black box” program. This duplicate verification program serves simply to check whether an ID has already been used or not. At the start Persona provides the program a non-reversible hash, the program then stores it only comparing hashes when generated to see if duplicates exist. All that can happen then is you know whether or not a hash has been used before, not who it is or what account it belongs to. This program you create should be simple, open source, and easily audited by third parties.
If Persona is unable to generate non-reversible hashes, the process becomes a little more complex. After you create the program you must provide a technical demonstration to show which data elements are gathered, how the black box verification mechanism generates a non-reversible hash, and how the input information is discarded. This program should perform hash generation only in active memory (RAM) and must NEVER store PII inputs on a disk under any circumstances. Again, this system should be simple, open source, and easily auditable by third parties.
I am dissatisfied with Persona’s process for deleting information, as the information used for verification does not need to be retained especially if you implement the aforementioned “black box” type of program. After Persona performs verification, must users then disclose their information again to Persona to have their information removed? This approach is not only questionable but also highly inefficient.
Could you provide us with what specifically is in consideration currently?
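A sketch of the duplicate-ID check described in the post above, added here as an example; it is not part of the post and is not VRChat's or Persona's code. All names (`normalize`, `DuplicateIdChecker`) and the sample document values are hypothetical, and it assumes the digest is keyed with a secret (HMAC-SHA256), because document numbers are short and structured enough that an unkeyed hash could be matched by enumerating candidates.

```python
import hashlib
import hmac
import secrets
import unicodedata


def normalize(country: str, doc_type: str, doc_number: str) -> bytes:
    """Canonicalize fields so spacing or case differences cannot dodge the check."""
    parts = []
    for field in (country, doc_type, doc_number):
        text = unicodedata.normalize("NFKC", field).upper()
        parts.append("".join(ch for ch in text if ch.isalnum()))
    # Unit separator keeps ("AB", "C") distinct from ("A", "BC").
    return "\x1f".join(parts).encode("utf-8")


class DuplicateIdChecker:
    """Holds only keyed digests: no account id and no raw document fields."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 random bytes")
        self._key = key
        self._seen = set()

    def fingerprint(self, country: str, doc_type: str, doc_number: str) -> bytes:
        # Keyed digest computed in memory; the inputs are never written anywhere.
        message = normalize(country, doc_type, doc_number)
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def check_and_record(self, country: str, doc_type: str, doc_number: str) -> bool:
        """Return True if the document is new, False if it was already used."""
        tag = self.fingerprint(country, doc_type, doc_number)
        if tag in self._seen:
            return False
        self._seen.add(tag)
        return True


if __name__ == "__main__":
    # Constructed sample values, not real document numbers.
    checker = DuplicateIdChecker(secrets.token_bytes(32))
    print(checker.check_and_record("NL", "passport", "AB 123-456"))  # first use
    print(checker.check_and_record("nl", "Passport", "ab123456"))    # same document
```

The key has to live apart from the digest store (for example in an HSM or secrets manager); anyone holding both can test candidate document numbers against the stored digests.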