The web wants your ID now. Most age checks leak the data they collect.
Mandatory age-verification laws are turning the open internet into a checkpoint. Here's what the UK, EU, and US states actually require, and why the methods leak.
Sarah McLaughlin’s argument is blunt: age verification is identity verification. In a recent essay for FIRE, she lays out how a wave of child-safety laws is quietly rebuilding the open web as a checkpoint, where the price of entry is proving who you are. The framing is real. So is the surveillance it leaves behind.
That infrastructure is no longer hypothetical. The UK turned on mandatory checks last summer, the EU shipped a verification app this spring, Australia pulled millions of teens off social media in December, and the US Supreme Court cleared the way for states to demand ID at the door of adult sites. The mechanics differ. The common thread is that most of them route your government ID or your face through a third party, and that party can be breached. One already was.
What an age-verification mandate requires
Strip away the legal language and these laws all demand the same thing: a platform must confirm you clear an age bar before it lets you in, and a self-declared birthday no longer counts. Ofcom, the UK regulator, explicitly rejects “self-declaration of age” as a valid method.
So platforms reach for something harder to fake. In practice that means one of four approaches: you upload a government ID, you submit a selfie or video for age estimation, you link a bank account or credit card, or the platform reads “signals” it already holds about you, like how old your account is. Snapchat, for example, routes users through a Singapore-based vendor called k-ID that offers a bank link, an ID scan, or a selfie-based age range, per FIRE’s reporting. Each method moves sensitive data somewhere new. That movement is the whole privacy story.
Who’s mandating it, and when
The timeline tightened fast. The UK’s Online Safety Act, the OSA, hit its age-assurance deadline on July 25, 2025, forcing any platform with adult content to run “highly effective” age checks or risk fines up to £18 million or 10% of global turnover. Enforcement was immediate. By February 2026, Ofcom had opened investigations into more than 90 services and issued six fines.
In the US, the Supreme Court decided Free Speech Coalition v. Paxton on June 27, 2025, upholding a Texas law that requires age checks on sites where more than a third of the content is sexual material harmful to minors. By the time the ruling landed, two dozen states had already passed similar laws. The EFF called the decision “a direct blow to the free speech rights of adults,” warning it would “jeopardize their data security and privacy.”
Australia went furthest. Its under-16 social media ban took effect in December 2025, and by mid-month platforms had removed access to 4.7 million accounts. The EU isn’t far behind. Five countries, Denmark, France, Greece, Italy, and Spain, are piloting a verification app tied to their national digital-identity wallets, with Greece set to bar under-15s from social media in 2027.
The methods, and how each one leaks
Here’s the part the press releases skip. Each verification method has a specific failure mode, and they centralize data by design.
ID upload is the most direct, and the most dangerous. You hand a platform or its vendor a photo of your passport or license, and now that image sits in a database. On October 3, 2025, Discord disclosed that a breach of a third-party support vendor exposed roughly 70,000 government ID photos, along with names, emails, and partial payment data. The attackers claimed far more. The EFF’s verdict on this class of risk is flat: “history shows that data (especially this ultra-valuable identity data) will leak, whether through hacks, misconfigurations, or retention mistakes.”
Face-age estimation sounds privacy-friendly because no document changes hands. The catch is that it’s a guess, not a verified age, and it guesses badly for some people. The EFF notes these tools are “notoriously unreliable, particularly for people of color, trans and nonbinary people, and people with disabilities.” A bad guess pushes those users to upload an ID anyway, so the supposedly lighter-touch option funnels straight back to the heavy one. Australian kids reportedly fooled the estimators by drawing on facial hair.
Card and bank checks leak in a quieter way. They tie your financial identity to the content you view, and they exclude anyone without a card. Device and account signals, the “we already know enough about you” approach, are the most invisible of all. As the Australian Human Rights Commission put it, not everyone goes through an explicit check, but “that doesn’t actually mean you escape scrutiny. It just means that platforms will use what they already know about you to make the call.”
There is a method that doesn’t leak. A zero-knowledge proof lets you prove you clear an age bar without revealing your birth date or anything else, and the EU’s app uses exactly this: it generates a mathematical proof that your date of birth satisfies “years >= 18” without exposing the date. Each attestation is unique and non-correlatable, so platforms can’t track you across sites. The problem isn’t the tech. It’s that most laws specify a result, not a method, so platforms reach for the cheapest tool that satisfies a regulator, and that’s almost never the cryptographic one.
The chilling effect is the point
Breaches are only half the cost. The other half is what people stop doing when they know they’re being watched.
Anonymity is load-bearing for a lot of speech. The EFF puts it plainly: “Many people rely on anonymity to speak freely. LGBTQ+ youth, survivors of abuse, political dissidents, and countless others use aliases to explore identity, find support, and build community safely.” Tie that activity to a government ID and the calculus shifts. “When you’re worried that what you say can be traced back to your government ID, you speak differently, or not at all.”
This is the same surveillance-creep pattern that shows up across the privacy beat, from automated license-plate readers feeding police databases to cars quietly shipping driving data to insurers. Verification mandates add a new layer: a record of what you read and where you go online, keyed to your legal identity. McLaughlin’s warning is that the hard part isn’t building this. It’s tearing it down. “Once we create this legislative infrastructure of surveillance,” she writes, “we may find it very painful to dismantle it.”
The circumvention numbers suggest the laws don’t even hit their stated target cleanly. UK VPN sign-ups surged by up to 1,800% in the days after enforcement, and Australian research found seven in 10 banned-age kids still reached social media months later. That gap matters, and it’s the subject of our piece on the EU’s VPN loophole.
What this means for you
You can’t opt out of the laws, but you can be choosy about how you clear them. When a site offers a verification flow, look for the named vendor before you submit anything, and check whether the option stores your image or just returns a yes/no. Prefer face-estimation flows that explicitly store no data, prefer zero-knowledge or device-level attestation where it’s offered, and treat a raw ID upload as the last resort, not the default. If a platform won’t say who processes your documents or how long it keeps them, that silence is your answer. The safest data is the data you never hand over, and the second safest is a proof that reveals nothing but the one bit the law actually needs.
Share this article
Quick reference
Sources
- The 'papers, please' era of the internet will decimate your privacy — FIRE
- Discord Voluntarily Pushes Mandatory Age Verification Despite Recent Data Breach — Electronic Frontier Foundation
- 70,000 government ID photos exposed in Discord user hack — NBC News
- Today's Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy — Electronic Frontier Foundation
- The EU approach to age verification — European Commission
- Online Safety Act and age-appropriate access — National Law Review
Frequently Asked
- What does an age-verification mandate actually require?
- It requires a platform to confirm a user is over a set age before granting access, usually by checking a government ID, running a face scan, linking a bank or card, or reading device signals, rather than trusting a self-declared birthday.
- Why is age verification a privacy problem if I have nothing to hide?
- The risk is the data trail. Verification ties your identity to what you read and say, and that identity data gets stored by third-party vendors who can be breached, as Discord's 70,000-ID leak showed.
- Does a face scan avoid the privacy problem?
- Not reliably. Face-age estimation is a guess, not a verified age, and studies cited by the EFF find it misjudges people of color, trans and nonbinary people, and people with disabilities, who then get pushed to upload an ID anyway.
- Is there a privacy-preserving way to prove age?
- Yes. Zero-knowledge proofs let you prove you clear an age threshold without revealing your birth date, and the EU's age-verification app uses them. The catch is that most laws specify a result, not this method, so platforms default to ID collection.
- What can I do right now?
- Favor services that use device-level or zero-knowledge attestation over raw ID upload, check a platform's named verification vendor before submitting anything, and prefer face-estimation flows that store no image where they're offered.