A credit card is a valid form of ID check as per ofcom.

It's also not a particularly good one. The Australian system is the gold standard for this

From the store front, you sign into a government website (in the same way you sign into paypal). The government issues Valve a certificate that says 'yes the owner of this account is 18'. Every time you buy something, Valve checks that the certificate is still valid and sells you the thing.

Valve doesn't see my ID, the Government doesn't know what I'm buying and I can order booze on doordash.

Well, to jump on the protests bandwagon here, there is also the fact that, presumably, it is dangerous to leave credit card information on the account ALL THE TIME.
I assume this means that any fisher (as opposed to a hacker) can just spend your credit limit. What happens then?


But I do agree that it's lazy of Valve to only implement one system.

Originally posted by Doctor Zalgo:

It's also not a particularly good one. The Australian system is the gold standard for this

From the store front, you sign into a government website (in the same way you sign into paypal). The government issues Valve a certificate that says 'yes the owner of this account is 18'. Every time you buy something, Valve checks that the certificate is still valid and sells you the thing.

Valve doesn't see my ID, the Government doesn't know what I'm buying and I can order booze on doordash.

The Australians have a far better idea about protecting kids than the Brits do. They firmly believe that the answer is should not be retroactive on an internet that wasn't designed for any level of safety, so their answer, ultimately is more one of a system designed from the ground up with safety in mind. Like an internet for kids or something.

The Brits were repeatedly told that their system was rubbish, but they didn't listen. The people doing this are, apparently, extremely arrogant. And typical government, they made the rules but left it up to the companies to implement - hence why valve has implemented a rubbish system.

Originally posted by Pocahawtness:

Well, to jump on the protests bandwagon here, there is also the fact that, presumably, it is dangerous to leave credit card information on the account ALL THE TIME.
I assume this means that any fisher (as opposed to a hacker) can just spend your credit limit. What happens then?

Exactly, leaving CC on an account at all time could lead to problems.
It's a bad solution imo.

Originally posted by The End:

Originally posted by Pocahawtness:

Well, to jump on the protests bandwagon here, there is also the fact that, presumably, it is dangerous to leave credit card information on the account ALL THE TIME.
I assume this means that any fisher (as opposed to a hacker) can just spend your credit limit. What happens then?

Exactly, leaving CC on an account at all time could lead to problems.
It's a bad solution imo.

Yes, it should be entered once, the account unlocked and that's that. The account never requires it again and the credit card information is deleted.
In fact, isn't this a requirement of the UK government, that any ID is deleted once it's been entered?

Originally posted by Pocahawtness:

Originally posted by The End:

Exactly, leaving CC on an account at all time could lead to problems.
It's a bad solution imo.

Yes, it should be entered once, the account unlocked and that's that. The account never requires it again and the credit card information is deleted.
In fact, isn't this a requirement of the UK government, that any ID is deleted once it's been entered?

Not sure, I'm not in the UK. But forcing people to create a creditcard/loan and then permanently bind it to Steam is not a good solution. Valve has to rethink this move imo.

Originally posted by Pocahawtness:

Originally posted by The End:

Exactly, leaving CC on an account at all time could lead to problems.
It's a bad solution imo.

Yes, it should be entered once, the account unlocked and that's that. The account never requires it again and the credit card information is deleted.
In fact, isn't this a requirement of the UK government, that any ID is deleted once it's been entered?

It only states:

6.1.5 Data minimisation
You must ensure that the personal information you collect is adequate, relevant and limited to what is necessary for the purpose.

Age assurance may require you to process personal information beyond what is involved in delivering your core service. You must apply data minimisation to your chosen age assurance approach. This means that you must make sure that the personal information you process for age assurance purposes:

is sufficient to properly achieve the stated purpose of the age assurance (adequate);
has a rational link to that purpose (relevant); and
is no more than you need for that purpose (limited to what is necessary).
The data minimisation principle means that the personal information you collect must be adequate to achieve your purpose. In the context of age assurance, self-declaration can be easily circumvented, which means the information you collect is likely to be insufficient for high-risk scenarios. Therefore, you may require more personal information to achieve your purpose. In most cases, as long as you limit your processing to what is necessary and proportionate, it is likely to be appropriate to use age assurance to reduce the risk of harm to children while complying with data minimisation.

You must only use personal information necessary to undertake age assurance. What is necessary is linked to what is proportionate for the circumstances. A service or platform that does not pose a high risk to children is likely to need to process less information to assess or verify the age of users than one that poses a high risk to children.

In many cases it may be excessive to see an official document (eg a passport or driving licence). This is because you can use an age assurance method that processes less personal information whilst still being proportionate to the risks faced by children. You may only need to record a yes or no output that a person meets the age threshold.

and

6.1.7 Storage limitation
You must not keep people’s information for longer than you need it. You should be able to justify how long you keep personal information collected for age assurance purposes and you should have a policy that sets out retention periods.

You should be proportionate in how frequently you carry out age checks compared to the risks on your service. It may be necessary to implement age checks at suitable intervals to ensure the personal information you collect remains accurate. In this case, you should erase personal information which you have obtained through previous checks that is no longer required. This ensures that you do not hold age assurance information for longer than necessary.

You must retain only the minimum amount of personal information necessary for the purpose. If you use a hard identifier to assess age, you may only need to retain a yes or no output once you’ve completed the check.

People have the right to have their information erased in certain circumstances. You must consider challenges to your retention of personal information you collected for age assurance.


---

And yes, that final part is what it sounds like. The government wants companies to check that once proven we are over 18, that we remain over 18. In case we reverse age?

Originally posted by Pocahawtness:

Originally posted by The End:

Exactly, leaving CC on an account at all time could lead to problems.
It's a bad solution imo.

Yes, it should be entered once, the account unlocked and that's that. The account never requires it again and the credit card information is deleted.
In fact, isn't this a requirement of the UK government, that any ID is deleted once it's been entered?

No, they have to periodically check it.

Also, a credit card is not an ID.

After reading some of the threads about this topic I believe Valve handled the issue almost as poorly as possible. The Germany treatment would be probably the only worse scenario.

Hopefully Valve will rethink their approach and everyone will be able to access their games with no issues, while abiding to nanny-state laws. That also includes folks from Germany.

Originally posted by Zarineth:

After reading some of the threads about this topic I believe Valve handled the issue almost as poorly as possible. The Germany treatment would be probably the only worse scenario.

Hopefully Valve will rethink their approach and everyone will be able to access their games with no issues, while abiding to nanny-state laws. That also includes folks from Germany. :winter2019happydog:

They’re either handling it incredibly poorly or doing it deliberately to try to make people get angry against the government

I’m leaning towards the latter seeing as I’m seeing Steam not even imposing the OSA across the entire platform as required on say the GTAV store page or workshop meaning they are only targeting the UK consumer directly and because after this I’m now all for us borrowing a page out of the Ukrainians book and going full Maidan on this London government

Originally posted by Hellstorm901:

Originally posted by Zarineth:

After reading some of the threads about this topic I believe Valve handled the issue almost as poorly as possible. The Germany treatment would be probably the only worse scenario.

Hopefully Valve will rethink their approach and everyone will be able to access their games with no issues, while abiding to nanny-state laws. That also includes folks from Germany. :winter2019happydog:

They’re either handling it incredibly poorly or doing it deliberately to try to make people get angry against the government

I’m leaning towards the latter seeing as I’m seeing Steam not even imposing the OSA across the entire platform as required on say the GTAV store page or workshop meaning they are only targeting the UK consumer directly and because after this I’m now all for us borrowing a page out of the Ukrainians book and going full Maidan on this London government

Or they simply chose a verification method they're familiair with, doing the minimum possible.

I go for that.

Originally posted by Crazy Tiger:

Originally posted by Hellstorm901:

They’re either handling it incredibly poorly or doing it deliberately to try to make people get angry against the government

I’m leaning towards the latter seeing as I’m seeing Steam not even imposing the OSA across the entire platform as required on say the GTAV store page or workshop meaning they are only targeting the UK consumer directly and because after this I’m now all for us borrowing a page out of the Ukrainians book and going full Maidan on this London government

Or they simply chose a verification method they're familiair with, doing the minimum possible.

I go for that.

Yeap, I agree with that. I would call Valve's approach lazy and cheap, but I don't think there was an actual malicious intent behind it.

Originally posted by Doctor Zalgo:

It's also not a particularly good one. The Australian system is the gold standard for this

Ofcom is not in Australia and they can choose which options they want to be available.

Originally posted by Zarineth:

Originally posted by Crazy Tiger:

Or they simply chose a verification method they're familiair with, doing the minimum possible.

I go for that.

Yeap, I agree with that. I would call Valve's approach lazy and cheap, but I don't think there was an actual malicious intent behind it.

Valve probably picked the option that has the least GDPR requirements and the least privacy invasive