Age Verification & Privacy

Age verification has become a critical issue in the digital landscape, with governments and regulatory bodies worldwide implementing measures to protect minors online while balancing privacy concerns.

EU Developments

EDPB Statement

The European Data Protection Board (EDPB) has recently issued comprehensive guidelines for implementing age assurance systems in digital services. On February 11, 2025, the EDPB adopted Statement 1/2025, which outlines ten fundamental principles for age verification that align with GDPR requirements. These guidelines emphasize:

1. Respecting fundamental rights with children's best interests as a primary consideration
2. Adopting a risk-based approach
3. Preventing unnecessary tracking and profiling
4. Adhering to data minimization principles
5. Implementing tokenized approaches for verification
6. Ensuring broad accessibility and non-discrimination
7. Maintaining clear communication about verification processes
8. Implementing human intervention and appeal mechanisms for automated systems
9. Employing data protection by design and default
10. Implementing appropriate security measures

The EDPB Chair, Anu Talus, stressed the importance of balancing child protection with privacy, stating, "Age assurance is essential to ensure that children do not access content that is not appropriate for their age. At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected."

EU Digital Identity Wallet

The European Union is developing the EU Digital Identity Wallet (EUID Wallet), which is set to launch in 2027. This initiative aims to provide a secure and convenient way for users to authenticate themselves online and manage digital credentials. The EUID Wallet is expected to play a significant role in age verification processes across the EU.

Key features of the EUID Wallet include:

• Privacy-Preserving Age Verification: The wallet will allow users to verify their age without revealing additional personal details, which is in line with GDPR and data minimization principles.
• Interoperability Across Member States: The EUID Wallet will be recognized across all EU countries, enabling seamless authentication for digital services requiring age verification.
• Secure Digital Credentials: The wallet will store various digital credentials, such as government-issued IDs, driving licenses, and health records, allowing users to access age-restricted content and services more securely.
• Implementation of Zero-Knowledge Proofs: To enhance privacy, the EUID Wallet may integrate cryptographic techniques like zero-knowledge proofs, ensuring that users can prove they meet age requirements without exposing unnecessary data.
• Potential Industry Adoption: Companies operating within the EU, particularly in social media, gaming, and e-commerce sectors, may be required to integrate the EUID Wallet for compliant age verification practices.

While the EUID Wallet is still under development, its introduction is expected to set a new standard for secure and privacy-conscious age verification across Europe.

United States Legislation

In the United States, age verification laws have been enacted at the state level, leading to a complex legal landscape and numerous challenges.

State-Level Initiatives

As of March 2025, several new legislative actions and judicial rulings have shaped the age verification landscape:

• Tennessee Age Verification Laws: Includes SB 1792, which classifies violations of age verification or data retention rules as a Class C felony, and the Tennessee Age Verification Law, which mandates age verification for accessing certain online content. This law was initially blocked but later allowed to proceed by the 6th U.S. Circuit Court of Appeals while legal challenges continue.
• California CAADCA Blocked: A federal judge issued a preliminary injunction against California’s online child safety law, citing concerns about its constitutionality and vague requirements. This decision followed a lawsuit by NetChoice, which argued that the law imposes excessive restrictions on online platforms.
• Florida HB 3: Requires age verification for certain websites and mandates at least one option for anonymized age verification.
• Georgia SB 351: Mandates that social media companies verify users' age and obtain parental consent for those under 16, effective July 1, 2025.
• Utah App Store Accountability Act: Requires app stores to verify users' ages before allowing downloads, making Utah the first state to implement such a mandate.
• Texas Age Verification Law: The U.S. Supreme Court heard oral arguments on January 15, 2025, regarding Texas' House Bill 1181, which mandates age verification for accessing certain online content. A federal district court had blocked the law, citing potential First Amendment violations, but the 5th U.S. Circuit Court of Appeals lifted the injunction. The Supreme Court’s decision is pending.
• Free Speech Coalition's Challenge: The Free Speech Coalition (FSC), representing the adult entertainment industry, has actively challenged age verification laws, arguing they impose unconstitutional restrictions on free speech and privacy. Critics contend that the FSC’s primary motivation is to protect the commercial interests of the adult entertainment industry rather than uphold broad free speech rights. The Supreme Court’s upcoming decision is expected to have significant implications for similar laws nationwide.

These ongoing legal proceedings underscore the national debate over balancing the protection of minors with the preservation of constitutional free speech rights.

California's Age-Appropriate Design Code Act (CAADCA)

The CAADCA was signed into law in 2022 and was set to take effect in July 2024. It aimed to enhance online safety for minors by requiring digital platforms to adopt stronger privacy protections, assess risks to children, and default to the most protective settings for young users. However, the law faced significant legal challenges.

On March 14, 2025, a federal judge blocked CAADCA, ruling in favor of a lawsuit brought by NetChoice, a trade association representing major tech companies including Amazon, Google, Meta and Netflix. The court found that CAADCA likely violated the First Amendment, citing vague requirements that could lead to over-censorship of content and excessive compliance burdens for digital platforms. The ruling stated that while protecting children online is important, the law’s broad restrictions could infringe on constitutional rights.

Despite this setback, California lawmakers have expressed their commitment to revising the legislation to withstand legal scrutiny, possibly introducing a more targeted bill in the near future.

Privacy and Security Concerns

The implementation of age verification systems has raised significant privacy and security concerns:

• Data Collection and Storage: Age verification often requires collecting and storing sensitive personal information, making these systems attractive targets for hackers.
• Anonymity and Free Speech: Critics argue that requiring identification before accessing certain content undermines online anonymity and could have a chilling effect on free speech.
• Exclusion Risks: Some age verification methods may exclude individuals who lack government-issued IDs or credit cards.
• Biometric Data: The use of biometric scanning for age verification raises additional privacy concerns.
• Data Minimization: The EDPB guidelines emphasize the importance of data minimization and recommend tokenized approaches where only binary age threshold confirmations are shared with service providers.

A recent study suggests that age verification laws may drive both adults and minors to unregulated websites, potentially exacerbating the issues they aim to mitigate. This raises further concerns about the effectiveness of such laws in achieving their intended goals.

As age verification regulations continue to evolve, striking a balance between protecting minors and preserving privacy remains a significant challenge for policymakers, businesses, and technology developers worldwide.

Neven Dujmovic, March 2025

References

• Statement 1/2025 on Age Assurance Adopted on 11 February 2025, https://www.edpb.europa.eu/system/files/2025-02/edpb_statement_20250211ageassurance_v1-1_en_0.pdf
• California's online child safety law blocked, https://www.courthousenews.com/internet-trade-group-wins-new-injunction-against-californias-kids-privacy-law/
• European data regulator details new age verification rules for digital services, https://ppc.land/european-data-regulator-details-new-age-verification-rules-for-digital-services/
• EU Digital Identity Wallet Home - European Commission, https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/EU+Digital+Identity+Wallet+Home
• Supreme Court divided on Texas age-verification law, SCOTUS Blog
• Tennessee law requiring age verification takes effect, Tennessean
• Supreme Court May Decide if Government Can Age-Gate Online Expression, ACLU

#AgeVerification #DigitalPrivacy #RegulatoryCompliance #EU #USA