Age-verification providers and the Open Rights Group (ORG) recently called for a mandatory certification from the regulator, saying the proposed voluntary scheme fell short in meeting adequate standards of cybersecurity and data protection
current guidance on security, encryption, pseudonymisation and data retention in the standard (PDF) – published in April – is vague and imprecise, and often refers to generic "industry standards" without explanation.
It sounds like the whole process has been badly thought out. Who would have thought that would be the case?!?