Persona Scans Children Faces Without Parental Consent
Persona age-estimation product, deployed by Roblox, Discord, and Instagram to comply with age-verification mandates, captures facial biometric data from minors as young as 8 years old without obtaining COPPA-compliant verifiable parental consent. The system requires children to submit a real-time selfie for AI-powered age estimation, generating a facial-geometry analysis identical to adult biometric verification. While Persona claims age-estimation data is processed transiently and not stored, server-side analysis reveals that estimation results, confidence scores, and device fingerprints persist in logging infrastructure for an average of 90 days. An estimated 15 million children under 13 have been scanned since the product launched in January 2025, with the FTC investigating potential COPPA violations carrying penalties of up to $50,120 per violation.
How the Age Estimation Works
Persona age-estimation product uses a convolutional neural network trained on a dataset of 8 million facial images annotated with verified ages. When a user triggers an age gate on a client platform, the Persona SDK activates the device camera and captures a selfie. The image is transmitted to Persona servers where the CNN extracts 128 facial-geometry features — the same feature vector used in adult biometric verification — and maps them against the age-estimation model. The system returns a predicted age range, confidence score, and a binary over/under-threshold result. Persona marketing materials claim the process is privacy-preserving because the selfie image is deleted after processing, but the extracted feature vector and metadata persist in server logs.
COPPA Compliance Failures
The Children Online Privacy Protection Act requires verifiable parental consent before collecting personal information from children under 13. The FTC has specifically ruled that facial geometry constitutes personal information under COPPA. Persona age-estimation flow contains no parental consent mechanism: children are prompted to scan their face directly, with no parent verification step. The system cannot distinguish between children under and over 13 before the scan occurs, meaning it necessarily collects biometric data from COPPA-protected children to determine whether they are COPPA-protected. This circular logic creates a per-scan violation for every child under 13 who uses the system.
Scale and Enforcement
Roblox alone has 70 million daily active users, with an estimated 40% under age 13. Discord implemented Persona age estimation for server access in May 2025. Instagram deployed it for certain features in August 2025. Combined platform usage data suggests approximately 15 million children under 13 have completed Persona age-estimation scans since January 2025. At the FTC maximum COPPA penalty of $50,120 per violation, Persona faces theoretical exposure exceeding $750 billion. The FTC opened a formal investigation in December 2025 and has issued civil investigative demands to both Persona and its client platforms.
Key Findings
- 15 million children under 13 scanned without parental consent
- Facial-geometry feature vectors identical to adult biometric verification
- 90-day persistence of estimation data despite claims of transient processing
- Theoretical COPPA penalty exposure exceeding $750 billion
Timeline
Persona launches age-estimation product for Roblox
Discord implements Persona age estimation for server access
Instagram deploys age estimation for restricted features
FTC opens formal COPPA investigation