Hey #discord . Why the hell would we give you our ID when you've already exposed the ID of the folks who have already given you their ID?
"We're now using a different vendor who haven't yet leaked everyone's IDs and we keep your data for the smallest possible period of time!"
Every organization will have a data breach eventually. The question is when affected users will find out and what data you had in the first place.
The fact that your new vendor has not yet had a known breach doesn't mean that they're safe. It doesn't even mean they haven't had a breach yet! It just means any breaches are, as yet, unknown.
A fundamental principle of PII is that you should not gather data unless you have a sufficient justification for doing so that cannot be handled without having that data.
Your justification is nonexistent for you ever having this information. Therefore ever having it is not justifiable. If our legal systems allowed the full consequences of that inappropriate data collection to fall on your shoulders where it belongs, no insurance company would ever agree to insure you while you are gathering this data. No matter how little a period of time you purport to have it.
![Badalich also says after the October data breach, Discord “immediately stopped doing any sort of age verification flows with that vendor” and is now using a different third-party vendor. She adds that, “We’re not doing biometric scanning [or] facial recognition. We’re doing facial estimation. The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.”](https://pool.jortage.com/tootcat/media_attachments/files/116/041/692/312/542/628/original/d7519a954498e39e.png)
