Hoping it will never happen, But how will we be protected, notified or assisted in the case there is a breach of the data and our ID’s, Selfies/Videos and/or our personal data get leaked and out ‘‘on the street?’’ or if misuse of data is discovered by either parties?
Second, how will the correct way of data handling be enforced? and i mean this in more of a way of the data exchange between VRChat and Persona, and how the data within VRChat will be handled.
So are content creators who have a “channel” account and a personal account they wouldn’t want to share with the public just gonna be screwed and forced to choose which account to verify…
since we have to add our VRC name when we verify, why can’t you just make it so we can add multiple accounts
Even If i decide to delete the Data stored at persona.
I can’t tell I some employee there took my data already and run with it.
identity fraud is a very serious thing.
I rather want to have a paywall for vrchat (buy to play) then any possible stolen ID data.
This is serious data, not just a Credit Card or Address. Its possible to inpersonate you, like doing all sorts of crimes in your name.
Sharing this information with a random company, i’ve heard the first time, I likley nope out.
My VRChat account is linked to a steam account that is over 21 years old. Can I get age verified via that? 
How and where can I verify my account?
I reached out to Persona asking for clarification on some stuff in their privacy policy last week. While I have not yet heard back about that question. I did get an automated email which directly contradicts this statement. Is VRChat not the “data controller” in the relationship?
full email received for context:
My base question (The one that lead me to send the email that I got this automated response to, which I have not gotten a response to from Persona yet) has to do with the dual document nature of their privacy policy (as described in the first paragraph of the privacy policy).
TLDR: Data submitted to VRChat for age verification may not be governed by the “Choice and Control of Personal Data” section that you point to. This is because they do not make clear what in their privacy policy applies generally, vs what applies to specifically people using their service as a visitor, vs what applies to people using their service to verify their identity.
I don’t expect VRChat to know this answer, that’s for Persona to clarify (hopefully I will eventually get an email back).
However, for now, its clear from that email that if VRChat is the data controller, then requesting Persona to delete my data from their service is just going to redirect to VRChat.
So is my only choice at that point to completely unverify as stated here:
?
I live in a country where it is illegal to send your CNP(Social Security Number essentially) to anyone, and for any service that requires age verification, that information needs to be blurred out.
For persona, that does not work as they don’t accept it. So in order to verify my age, I’d have to break the law, and give extremely private information that can be used to steal my identity to a corporation that keeps the data and is involved in a lawsuit for misusing PII. Are you serious?
It has been clearly outlined that Persona keeps the ID, so my ID which can easily be used to steal my identity as we are not allowed to blur the most important information out which is not needed for verification anyway, will be stored by a company involved in an active lawsuit for misusing PII and we have to pray that they won’t be hacked and all of us won’t get our identities stolen?
This is an absolutely insane thing to want us to do. Just let us use our Steam account for age verification. Or switch to a provider that’s less shady than Persona is.
Edit: Additional, I took a look at persona policy, which states:
“Additionally, requests such as “the right to be forgotten” will be honored whenever possible, regardless of your location.”
When is it not possible? What does this even mean? This sentence means absolutely nothing without clear information when it might not be possible.
“DPA”
This is a non answer because we have no access to read, everything referencing DPA is a non-answer.
Persona is demanding full access to our ID, legal name, address, height, weight, SSN, everything is non-age related and not needed for verification, and then, in the same policy, see below:
“We may engage third parties to assist us in providing the Services, in which case we may disclose Personal Data to them. We may also disclose Personal Data to service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers; and identity verification services, mobile device operators, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers. For example, we may disclose your name and address to a third party database provider in order to request information they may have about you. Pursuant to our instructions, these parties will access, process or store Personal Data while performing their duties to us. We may also disclose Personal Data when required to do so by law.”
Persona themselves are saying they will share your non-age related data with 3rd parties. Which is just begging for identity theft.
Persona has also been caught wrongfully deactivating gig workers due to flawed and faulty systems in the US, along with an active lawsuit, and their policy, this is not a reliable trustworthy company.
Persona has more red flags than my ex, this is not a company that should be trusted with our Identification Information. They have absurd business practices and the VRC staff seem to either be dodging legitimate concerns about privacy or intentionally avoiding answering clearly.
The fact that VRChat is comfortable with Persona is concerning to say the least.
We are currently working on adjusting our approach to address the loophole identified in the FAQ.
This means that some questions and answers will change in the future, and answering new questions may provide inaccurate information.
As such, we won’t be providing further updates until we have finalized our development of the Age Verification feature for initial launch.
Some users have stated thats Illegal form them to send a unblurred version of thier ID, because there is to much information on it.
What happens in this case?
I may accept Persona holding my real age and date of birth, and i may accept Persona sharing with VRChat wether i’m +18 or not. BUT i don’t want, by any means, VRChat to know my real age and date of birth, or any info in my ID, nor, OF COURSE, any of VRChat users.
Is this possible? Can my ID show my real age, but the date of birth i give to VRChat differ? Or is it “hard-coded” once i verify with Persona?
Since age verify doesnt NEED to say 18+, does that mean underage users can submit an id to say the account is verified? and if so, does that mean they will automatically get the 18+ one when they turn 18?
Would be good having heavily verified accounts, for the same reason this will hopefully help with banning and people valuing their accounts more, since people won’t want to get banned if they can no longer verify their accounts. and make instances with verified (not 18+, just verified) a lot safter in general.
I have a Question, can someone be Age Verified, without being 18+ years old? ( while still meeting the 13+ Age requirements on the game)
LunarGatta, I’d like to make you aware that in Romania, that while it’s true, the Cod Numeric Personal (CNP) is a unique personal identification number assigned to individuals for various administrative purposes, including age verification. Sharing your CNP with organizations like Persona for age verification is not inherently illegal. The confusion of bluring out information comes from a misunderstanding the GDPR where when the information is not necessary, it should be blured out and not collected. However organizations must only collect it when absolutely necessary and cannot use it excessively or without a legal basis.
It is true if the CNP is not essential for the specific purpose (e.g., verifying age), it should be blurred or redacted before sharing the document. However if the CNP is being used to prevent duplicate submissions of the document or person (as is the secondary purpose of Persona), then at that point it’s become essential for that specific purpose.
Other identification that can be used legally in Romania that can be used for age verification can also include:
As you can see above, not all forms of identification include a CNP.
I hope this has helped you with understanding the subject matter better.
How do we know/where would we find the age verification link to go to? Is in gunna be in the UI in-game or on the website or both?
Apologies if these have been answered but I’m quite confused.
Why does Persona need our full ID, unblurred? They don’t need to know my exact home address. They’re free to look up whatever location my ID is from to verify that it’s not a different design. Realistically, all they need is date of birth and face verification.
If “ID Data” is retained, then what “ID data” is retained? Just DoB? My home address? Any/All identifying info in text form on my ID? This seems contradicting to “…VRChat will choose to minimize the amount of data retained and the duration for which it is retained…” unless that means VRChat won’t retain the data, but Persona will?
Personally, I’m fine with a single-use ID verification. But I find it weird that Persona has to retain however much unspecified data, just to make sure it’s not used again? I’m not an expert of a better solution, but I’d rather not have them keep my ID after I verify with VRChat, full stop. Especially since it currently could just be deleted and used again anyway as a loophole? Doesn’t make sense.
Ah, just noticed that there’s going to be no more updates until things have been sorted with the loophole… which, cool, but, only trying to sort out the loophole is preventing you from answering more questions?? Things are being changed that much to where you can’t answer any other question, or is it more changes outside of the loophole fix too? If it’s just the former, that’s very confusing.
Me and a few friends were wondering how we will know if we are able to age verify our accounts. Are we going to get a notification in the client/on the website or in our email?
Regarding the age verification process. I’m in the military, so I don’t have a state ID or license, but I do have a CAC which is just military ID. Do you know if Persona accepts that as identification?
Hi, how would we verify with our ID? and is it rolling out to where?
“As you can expect, however, this third party service has a cost, so we’re not going to be rolling this out to everyone all at once.”
Who is paying for this? Do the users have to pay to use Persona’s age verification service?
I’ve been thinking a lot about this feeling something have been off with the whole framing of this solution. Including the aformented “loophole”.
The problem is here that VRChat has decided to mix together identity verification with age verification.
That is, as soon as you want to prevent “reuse” of an ID, you are doing identity verification.
Meaning if VRChat is only intending this to be for verifying the age of a person then there can be no attempts to limit the times the ID can be used.
The only thing that should be done is that VRC asks Persona (or another provider) to verify the age of the user, the provider verifies the age and tells VRC back “yes user is 18+”, or “user has DOB so and so”.
And then all information used for this verification is promptly deleted and never retained.
To prevent ID reuse you will have to create a persistent identifier, therefore you are doing identity verification. VRC might not get the identity, but Persona does.
With regarding to deleting data from the service, according to GDPR that would primarily be VRC’s reponsibility to ensure as the data controller.
Meaning that if VRC is intending users to contact Persona for deleting data instead of VRC doing it on their behalf. Then a clear process have to be described and the contract with Persona has to cover the fact that users will contact Persona directly to get their data removed.
Also the whole framing of “GDPR compliant” is such a weird thing. That is basically saying “yes we are not breaking the law”, which argubly should be an obvious thing?
Actually the requirement of not covering up any part of the ID is arguably a breach of GDPR.
To verify the age of the user you don’t need the full information on the ID for the process, therfore you would be in breach of GDPR because you are requiring more information than what is strictly needed.
If you are doing identity verification then more information is probably needed, but then you need to state that that’s what’s being done here.
Small edit to focus questions:
