OnlyFans Reveals How Often Police Demand User Data (Sort Of)

OnlyFans' first transparency report is light on specifics and a little difficult to parse.

We may earn a commission from links on this page.
Image for article titled OnlyFans Reveals How Often Police Demand User Data (Sort Of)
Photo: Tali Arbel (AP)

OnlyFans on Thursday released its first transparency report, providing insight into the number of times law enforcement agencies asked for information about its users over the past month. The report also details the number of accounts suspended by the company as well as the number of accounts believed to have posted child sexual abuse material (CSAM), among other figures.

“Government agencies from around the world ask OnlyFans to disclose user information. We carefully review each request to make sure it satisfies laws of the relevant jurisdiction,” the company said.

Within the United States alone, OnlyFans says it received no fewer than 67 requests for user information over the course of July; however, it’s unclear from the report how many of those requests originate with law enforcement. It’s also unclear how many requests were granted.


According to the report, the “67" figure pertains to the number of requests from “law enforcement agencies and charity helplines.” OnlyFans did not respond when asked to clarify why these two (very different) sources are combined.

In all other parts of the world, OnlyFans says it received only 31 such requests last month. Additionally, it disclosed having received a total of 783 requests over a 13-month period.


The information disclosed by OnlyFans may include basic subscriber information provided by users, but also their IP addresses and, more vaguely, “additional information OnlyFans may have access to.”

In the United States, at least, private conversations between users are protected under the Fourth Amendment; meaning authorities must demonstrate they have probable cause to believe a crime is being committed. An exception to this rule under the Stored Communications Act, however, enables law enforcement to use a subpoena to access such content, so long as it’s been stored for over 180 days.


Administrative subpoenas can be issued at the discretion of a law enforcement agency without a judge’s approval, often based solely on the claim that the information requested is relevant to a criminal investigation. A grand jury can also approve subpoenas on behalf of prosecutors. Internet companies the size of OnlyFans generally have specialized teams that work with law enforcement to facilitate these requests.

Metadata—the “who, when, and where” of a communication—is an example of data that can be obtained with a subpoena, (though a court order is required to obtain this information in real-time).


Certain law enforcement requests may arrive with a gag order, preventing a company from disclosing its existence to the subject targeted, or the public at large. Courts may require agencies to re-justify the application of a gag order periodically; usually every 180 days.

It’s a company’s prerogative whether to challenge government demands for personal data. In the last half of 2020, for example, Twitter reported having rejected requests around 70 percent of the time, though in some cases it merely asked police to provide a more narrow description of what’s being requested. (OnlyFans’ report does not include such details.)


In the last month, OnlyFans said it deactivated 15 accounts for allegedly posting child sexual abuse material, or CSAM. Fourteen accounts were reported to the National Center for Missing & Exploited Children (NCMEC), a U.S. nonprofit established by Congress, which works closely with law enforcement.

“We invest heavily in fighting child sexual exploitation online and use technology to deter, detect, and remove CSAM from our platforms. This includes automated detection and human review, in addition to relying on reports submitted by our users and third parties such as NGOs, in order to detect, remove, and report CSAM on our platforms,” OnlyFans said.


An array of detect technologies are used by the company, it says, to detect CSAM, including hashes—unique alphanumeric strings used to identify specific photographs—and machine learning classifiers, which attempt to automatically locate CSAM that’s yet to be identified. CSAM hashes are also shared with NCMEC, allowing its researchers to locate other instances of the content being shared across the web.

Only a single CSAM hash was shared with NCMEC last month, OnlyFans said.

Below are a few other figures released by the company pertaining exclusively to July 2021:

  • DMCA requests to remove copyright-infringing content: 809
  • Trademark violation requests: 18
  • Accounts deactivated for breaking rules: 655
  • Posts removed for breaking rules: 72,761

“Laws around the world affect the availability of content on OnlyFans,” the company said.


Additionally, the company says it has fulfilled 80 requests from users in July who sought access to data about themselves under Europe’s privacy law, the GDPR.

In a surprise announcement Thursday, OnlyFans says it will soon enact new limits on the types of content that can be posted by users. While the ability to post nude photographs and video will not be affected, the company said, as of October 1, “sexually explicit” content will no longer be allowed.


It’s unclear what the company means by “sexually explicit”—an OnlyFans spokesperson declined to comment at this time—but it is presumably targeting overt sexual acts. In a report Friday, Axios disclosed that while the company has experienced stellar growth, it continues to struggle to find investors due to its allowance of pornographic content.

OnlyFans has generated $3.2 billions for its users since its inception, Axios said.