How Age Verification Threatens Your Privacy

Age Verification laws are here, and let’s just say… people are NOT thrilled. From the EU’s Digital Services Act, to the UK’s Online Safety Act, to laws passed in multiple U.S. states, governments are requiring platforms to verify the age of all users in an effort to block children from accessing harmful and age-inappropriate content like pornography and violent media. That sounds reasonable, right? In theory, such laws protect minors by keeping them away from harmful and age-inappropriate content like pornography and violent media. But in order to verify who is a child online, sites must determine who is not. This is where things get messy.

You might be thinking, “but we check people’s ID’s to enter bars, dispensaries, and other adult businesses, why can’t we do the same online?” Checking ID in person is simple: someone looks at your government issued document, verifies it, and lets you in. The bouncer may remember you, but they never store your private information anywhere. Online, it’s a LOT more complex. Digital age verification can be incredibly invasive and ineffective, making adult users feel uncomfortable in their right to maintain privacy while consuming adult content. In this blog, we will walk you through the major forms of age verification and highlight, demonstrate their shortcomings, and talk about better solutions that balance child safety and personal privacy.

Methods of Age Verification & How They Can Be Dangerous:

1. Self Declaration

This is the “age verification” method you’re probably most familiar with. It’s like the bouncer asking, “when were you born” and simply believing whatever you say. It’s entirely based on trust. You visit a website and it asks, “Are you over 18?” All you have to do is check a box, maybe enter your birthdate, and proceed. You are not required to provide any sort of concrete evidence to confirm your age. It’s an extremely simple method for companies to implement and one that they use to avoid legal liability. You can already guess why this method might be ineffective.

Kids can lie, and they do it pretty frequently. This unreliable method does almost nothing to actually shield them from “harmful content”. A survey released in 2024, conducted by the UK media regulator, indicates 22% of eight to 17 year olds lie that they are 18 or over on social media apps. Self declaration is really only used so that companies can claim they “tried” to check for compliance without enforcing anything actually meaningful.

2. Facial Age Estimation

Similar to the way a bouncer stares at your face to see if you match your photo, AI scans your face and takes a guess at what age it believes you to be. But with a human, you know that there aren’t any ulterior motives at play when they look at your face (aside from maybe the bouncer wanting to ask you out). With digital face scanning, the system scans your face, extracts patterns, and compares them to those of known ages. The processing usually takes less than one second and produces a simple “yes” or “no” result. Facial age estimation technology trusts the judgement of a robot over a human and uses your biometric data to do it.

In reality, age estimation is both inaccurate and discriminatory. After all, this tech does not verify anything. It’s simply making educated guesses, and those guesses can be way off (and often are). Both humans and AI struggle with age detection across different ethnicities, lighting, and facial features. But in a 2022 study comparing human performance with that of the most prominent AI technology available today, AI actually overestimated the age of smiling faces even more than human observers did. In addition, AI showed a sharper decrease in accuracy for the faces of older adults compared to faces from younger age groups. In other words, the technology is biased and unreliable. Secondly, if the biometric data used for this tech is stored, it could be hacked, leaked, or misused later down the line.

3. Open Banking

With open banking, you grant the website “temporary” access to your bank account data. It uses the account holder’s personal information to confirm you’re an adult, since you can’t lie to a bank about your age. On the one hand, this could be appealing to websites and users because it’s easy. It’s like telling the bouncer, “Let me show you my transaction history to prove I’m over 18.” On the other hand, how many of us are comfortable showing our bank account and transaction history to a total stranger? How comfortable would you be connecting your bank account with, say, your adult media consumption?

In addition to being a huge privacy overreach, open banking can be just as discriminatory as facial age estimation. Not everyone has access to a traditional bank account. Low-income individuals or adults in countries with limited banking access may be wrongfully denied access to content they have a right to. But no matter who you are, this method drastically increases the chances of your data being involved in breaches and fraudulent activity. You’re essentially trusting a third-party open banking provider to discard your financial details after they check your age. Even if they do dispose of your information, one small breach or man in the middle attack could still expose your sensitive data to other bad actors.

4. Credit Card Age Checks

Similar to the open banking method, you can enter your credit card number to prove your age. In person, this would be the equivalent of walking up to the bouncer, showing them your Visa, and hoping that it can vouch for your age. Since credit cards are generally issued to individuals who are at least 18 years old, the assumption is that anyone who can successfully make a purchase with a credit card is of legal age. This method has been widely used in various industries, including online gambling, e-commerce, and certain digital content platforms.

Not only does this method put you at a high potential for fraud exposure, some websites even charge a “verification fee”. Beyond the inherent risk of phishing, it is not always possible to validate that the person using the card is the legitimate owner. Moreover, the age for owning a credit card varies across countries. And finally, not everyone has a credit card, so this method can exclude young adults or lower-income communities.

5. Mobile Network Operator Checks

This verification method would be like a bouncer calling up your phone company and asking them how old you are. When you try to enter a website, your phone number is checked against your mobile provider’s records to confirm your age. There are several red flags here. First off, many accounts are registered to parents, so a teen could simply use their parent’s account to bypass the age verification. Shared family plans are also very common because they’re a convenient and cost-effective way for households to manage finances together.

Secondly, you’re expected to just blindly trust telecom companies to handle and share your personal data securely. This isn’t easy to do when a high number of telcos have suffered damaging data breaches in recent years. In July of 2024, AT&T revealed that the call and text records of almost all of its 100 million customers (including FBI agents) had been stolen by hackers. Rival provider T-Mobile US paid a $15.75 million penalty in October 2024 to settle a Federal Communications Commission (FCC) investigation into incidents that occurred in 2021, 2022, and 2023. Finally, this method isn’t even offered by all carriers.

6. Photo-ID Matching

Photo-ID matching is exactly what it sounds like. You upload a government-issued ID along with a selfie, and the website checks that they match to confirm your age. This method feels more like handing your ID to a bouncer and having them compare it to your face. The problem? When it’s done digitally, it’s painfully invasive. Critical information like your signature, birthdate, ID number, photo, and address are listed on most forms of ID. Even if a website says that your data isn’t stored, there’s no way to be totally sure it won’t be hacked, leaked, or even sold sometime in the future.

We know that because we’ve already seen it happen. Recently, Tea, an app marketed as a dating safety tool, admitted that it had suffered a data breach in which 72,000 images were accessed by an intruder. That included 13,000 images (selfies and photo ID’s) submitted by users during account verification, since photo-ID matching doesn’t just verify your age, it confirms your full identity. Websites do not actually need that much information from you. This approach can also be just as exclusionary as the others we’ve explored, since it locks out people without government-issued ID. There are tens of millions of U.S. residents, for example, who are without a form of government-issued identification.

7. Digital Identity Services

Many of us have been to a bar or event where a bouncer checked our ID and then issued us a wristband or stamp to indicate to other staff that you are of legal age. Think of digital identity services as being a digital version of that. You register once with a digital ID service like Sweden's BankID or EU Digital Identity Wallet. They then verify your age and give you a pass that you use to access age-restricted content. So far, this seems like the least invasive method, but there are still a few reasons why it’s problematic for privacy.

First of all, these services aren’t available everywhere and aren’t widely accepted across the web. Second, any data that they store to determine or verify your identity creates a prime target for hackers. Any data that’s not properly stored can expose you to identity theft, biometric data vulnerabilities, and data breaches from centralized databases. After all, even the most advanced digital security systems can be brought down by one gullible employee falling for one successful phishing attempt. The final con is that anonymity is quite literally impossible. This not only compromises a person’s right to privacy, but also their ability to express themself freely. Policy researcher at Stanford University Riana Pfefferkorn warns, "Age verification impedes people’s ability to anonymously access information online." Finally, you must be sure that your digital ID app isn’t linked to other services because it could be sneakily tracking your activity across multiple websites.

How A Privacy Respecting Age Verification System Could Work

Age verification is a fine idea, but we can’t have a solution that’s unreliable and creates more problems than it solves. After being in effect for only a few months, the UK’s Online Safety Act sparked so much backlash that a petition to repeal it has reached over half a million signatures in just a few days. Petition creator Alex Baynham explained the concern pretty clearly, "We think that Parliament should work towards producing proportionate legislation rather than risking clamping down on civil society talking about trains, football, video games, or even hamsters because it can't deal with individual bad faith actors.” Worse yet, studies now show that websites that comply with these laws and implement age checks get penalized by having their traffic plummet. Meanwhile, websites that openly defy these laws are being rewarded with a massive uptick in traffic.

The good news is that thoughtful, privacy-respecting solutions are in the works and may actually make things better. In the European Union (EU), a ZKP age verification protocol is being developed as part of a European-wide EU Digital Identity (EUID) framework. Under France’s SREN law, adult content websites were required to implement age verification, with at least one double-blind option by April 2025.

Such a system could work like this: * You upload your ID once to a trusted app (like a secure digital wallet) which then gives you a digital "age token" (like “18+”). * When a site asks for age verification, you just send the token through the app. No ID, no extra info. * The app only shares the “yes, this person is 18+” and nothing else. Even the app doesn’t know what website you're trying to access.

Think of it like the wristband example we mentioned earlier, except this wristband was issued to you ahead of time by a vetted and trusted entity…and you never have to show the bouncer your government issued ID in the first place. Now imagine you’re always wearing that wristband, so you maintain peace of mind knowing that you’ll never have to sacrifice your privacy or anonymity if you don’t want to.

If age verification is going to be part of our online future, it needs to be done with care, transparency, and respect for privacy. The tools to do this safely are already being explored; now it’s up to lawmakers and tech companies to make sure we don’t sacrifice our digital rights in the process.