On-Device Age Verification: A New Era for Privacy and Compliance
As age verification laws proliferate globally, the challenge of securing sensitive biometric data intensifies. A new architectural approach, exemplified by **Incode Technologies**' latest offerings, aims to revolutionize age estimation by keeping facial data on the user's device, addressing growing concerns over data breaches and the rise of AI-powered fraud.

Age verification is no longer a niche concern but a global mandate. Over 30 age assurance laws are now active worldwide, with significant regulations in the UK (**Online Safety Act**), Australia, Brazil (**Digital ECA**), and half of all U.S. states. This regulatory push is driving platforms to implement robust age checks, but the question of how to do so without compromising user privacy remains paramount.
Facial age estimation has emerged as a preferred compliance method due to its accessibility, requiring no government ID or database lookups. **Incode's** data indicates that users opt for this method eight out of ten times over alternatives. However, this convenience traditionally comes at a cost: users must share their face, often transmitted to and processed on remote servers.
## The Peril of Server-Based Age Estimation
Traditional server-based age estimation models present significant liabilities. The **Identity Theft Resource Center's 2025 Annual Data Breach Report** highlights a record 3,322 U.S. data compromises last year, a 79% increase over five years, with supply-chain breaches doubling. This escalating threat landscape, coupled with 63% of consumers expressing serious concerns over biometric data collection, underscores the fragility of current approaches.
Compounding the issue is the rapid rise of agentic fraud, sophisticated fraud attempts aided by AI agents. **Incode** has observed agentic fraud attempts soar from 3% in 2024 to 40% by Q1 2026, with projections to exceed 90% within the next 18 months.
## Privacy by Architecture: A Paradigm Shift
Historically, the industry's answer to biometric data concerns has been a privacy policyβa legal document outlining data handling practices. However, a policy is not a security control; it cannot prevent a breach, an insider threat, or a compromised vendor. It merely assigns responsibility post-incident.
**Privacy by architecture** offers a fundamentally different approach: building systems where sensitive data is never accessible in the first place. If a face is never transmitted, it cannot be intercepted. If it is never stored, it cannot be breached. This shifts privacy from a promise to a verifiable fact of the system's design.
## Incode's $100 Million Commitment to Privacy-First Identity
Last month, **Incode Technologies**, a leader in AI-powered identity verification, announced a **$100 million commitment** to advance privacy-preserving identity infrastructure. This initiative includes the acquisition of **Identiq**, a company specializing in cryptographic solutions for peer-to-peer anti-fraud collaboration, and significant investment in on-device processing capabilities and privacy-enhancing technologies.
This commitment has already yielded results. **On-Device Age Estimation**, launched in July, marks the first time **Incode's** proprietary models for facial age estimation and passive liveness detection run entirely on the user's device (phone, tablet, or laptop). The face is analyzed locally, never transmitted or stored.
### How On-Device Age Estimation Works
**Incode's** models are compressed to roughly a tenth of their original size using knowledge distillation, enabling them to run efficiently on a wide range of devices without specialized hardware. The outcomeβwhether the user meets the required age thresholdβis the only data transmitted to the server.
While the face stays on the device, a server-side layer analyzes session metadata (e.g., device characteristics, connection details) to detect injection attacks and tampering. This crucial step, devoid of facial or biometric information, ensures the integrity of the age check and prevents fraudulent circumvention.
Drawing on over a decade of experience in highly attacked environments like banking and fintech, **Incode's** security layer boasts **99% spoof detection** against deepfakes, injection attacks, replay attacks, and physical spoofing. This robust defense has flagged over 1 million face attacks on **Incode's** platform in 2026, setting a new standard for age verification.
## Collaborative Fraud Prevention Without Data Pooling
The second pillar of **Incode's** commitment addresses the challenge of fraud intelligence sharing. While fraudsters collaborate across institutional boundaries, organizations typically defend in isolation, possessing only fragmented threat data. Traditional solutions, such as pooling customer data, create new vulnerabilities by centralizing highly sensitive information.
**Identiq's** patented privacy-enhancing technology enables organizations to share fraud signals without exposing customer data to any third party. This eliminates the need for central data lakes or data brokerage, integrating network fraud intelligence into **Incode's** platform without compromising individual privacy.
Itay Levy, Co-Founder and CEO of **Identiq**, emphasized, "Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers' data. **Identiq** built the answer to that very question. As part of **Incode**, that answer is now available to every organization that deals with massive amounts of user data."
## Setting the Standard for Trust and Compliance
The convergence of expanding regulations and increasing user demands for privacy-preserving solutions means that the standard for effective age assurance is being defined now. **Incode's** approach, backed by a robust compliance program (including **SOC 2 Type 2**, **ISO/IEC 27001**, **HIPAA Attestation of Compliance**, **FedRAMP Ready**, **Age Check Certification Scheme (ACCS)**, and **Kantara IAL2 Component Services Trust Mark**), over 7 billion trust checks, and new privacy-by-architecture products, aims to reset this standard. This commitment reinforces the belief that privacy and fraud prevention are not mutually exclusive but integral components of a unified solution.