Texas passed one. Louisiana passed one. The UK rolled out its own version. The EU’s Digital Services Act has requirements baked in. And last year, New York State enacted the SAFE for Kids Act, which will force social media platforms to verify the ages of users under 18.
The political logic is simple: kids shouldn’t access harmful content online. Both parties agree. Parents agree. It polls at 80 percent.
The technical reality is far more complicated, and the privacy implications of how governments and companies are implementing age verification should concern every New Yorker with a phone.
The Mandate Is Spreading Fast
At least 20 US states have passed or proposed laws requiring age verification for social media, adult content, or both. The European Union’s approach is broader, requiring platforms to assess risk to minors and implement appropriate measures, which in practice means checking IDs.
New York’s version, signed into law in 2025, requires platforms to restrict algorithmic feeds for minors and obtain parental consent for users under a certain age. Enforcement begins this year.
The problem isn’t the goal. The problem is the method.
How Age Verification Actually Works
There are currently three main approaches to verifying someone’s age online, and none of them are great.
Government ID upload. The most common method. You scan your driver’s license or passport, a third-party service confirms your date of birth, and you’re in. This is the approach most adult content sites now use in states with verification laws.
The issue: your government ID is now stored on a server operated by a company you’ve never heard of, in a jurisdiction you don’t control, with security practices you can’t audit.
Credit card verification. Assumes that if you have a credit card, you’re over 18. Obviously imperfect, easily circumvented, and still creates a data trail linking your identity to the specific content you accessed.
Facial age estimation. AI analyzes your face and estimates your age. No document upload required. But the accuracy is inconsistent, the biometric data collection raises its own concerns, and the technology has documented biases across racial demographics.
Each method trades one problem for another. You’re solving child safety by creating a massive, distributed surveillance infrastructure.
The Privacy Paradox
The central tension is this: to protect minors, you have to identify everyone. There’s no way to check if someone is under 18 without checking everyone.
That means every adult who wants to access age-gated content, which increasingly includes mainstream social media, must hand over identifying information. For millions of New Yorkers, that means creating a permanent, searchable record of which platforms they use and when.
“We are building the architecture for a national ID system through the back door,” said Dr. Rebecca Liu, a privacy researcher at NYU’s Center for Cybersecurity. “Nobody voted for that. It’s happening because legislators passed laws without specifying the technology, and the cheapest technology is the one that collects the most data.”
Civil liberties organizations, including the ACLU and EFF, have challenged several state laws on First Amendment grounds. Courts have blocked enforcement in some states. But the legislative momentum hasn’t slowed.
A Different Approach Exists
What makes the current situation frustrating is that better technology already exists. The verification doesn’t have to work this way.
Cryptographic verification methods can confirm that a person meets an age threshold without revealing their actual date of birth, their name, or any other identifying information. You prove a fact about yourself, that you’re over 18, without proving who you are.
Companies working on decentralized identity, like Zyphe, have built systems where a user verifies once through a secure process, then carries a portable credential that can be checked by any platform without re-uploading documents. The platform learns that you meet the requirement. It never sees your license.
Zero-knowledge proofs, the cryptographic technique behind this approach, have been used in financial compliance for years. Applying them to age verification is technically straightforward. The barrier isn’t technology. It’s inertia.
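A minimal sketch of the idea described above, proving "at least 18" without disclosing a birth date, added here as an illustration and not code from Zyphe or any other system named in this article. It uses a hash-chain commitment, which is a simpler technique than a true zero-knowledge proof, and every function name is hypothetical. Assumption: HMAC stands in for the issuer's signature; a real deployment would use a public-key signature so that platforms hold only the issuer's public key.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC key standing in for the issuer's private signing key.
ISSUER_KEY = secrets.token_bytes(32)


def chain(value: bytes, n: int) -> bytes:
    """Apply SHA-256 to value n times; the chain cannot be walked backwards."""
    if n < 0:
        raise ValueError("age is below the threshold; no proof can be derived")
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


def sign(commitment: bytes) -> bytes:
    """Issuer's endorsement of a commitment (HMAC as a signature stand-in)."""
    return hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()


def issue_credential(age: int) -> dict:
    """Issuer checks the ID once, then commits to the age as H^age(seed)."""
    seed = secrets.token_bytes(32)
    commitment = chain(seed, age)
    return {"seed": seed, "age": age,
            "commitment": commitment, "sig": sign(commitment)}


def present(cred: dict, threshold: int) -> dict:
    """User side: derive H^(age - threshold)(seed); seed and age stay on the device."""
    proof = chain(cred["seed"], cred["age"] - threshold)
    return {"proof": proof, "commitment": cred["commitment"], "sig": cred["sig"]}


def verify(presentation: dict, threshold: int) -> bool:
    """Platform side: hashing the proof `threshold` more times must hit the commitment."""
    sig_ok = hmac.compare_digest(sign(presentation["commitment"]), presentation["sig"])
    chain_ok = hmac.compare_digest(chain(presentation["proof"], threshold),
                                   presentation["commitment"])
    return sig_ok and chain_ok
```

The same commitment and signature are shown to every platform, so this sketch lets sites correlate a user across visits; unlinkable credential schemes are designed to avoid that.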
What New York Should Be Asking
As New York’s SAFE for Kids Act moves toward enforcement, the implementation details matter more than the headlines. Legislators should be asking:
What data do verification providers retain? If a third-party vendor stores ID scans, who audits their security? What happens when they get breached?
Is there a privacy-preserving alternative? If the technology exists to verify age without collecting identity documents, why isn’t it required?
Who bears the liability? When the inevitable breach happens and millions of New Yorkers’ identity documents leak, is it the platform’s problem, the vendor’s, or the state’s?
Does this actually work? VPN usage among teenagers in states with age verification laws has increased significantly. If the privacy costs are real but the enforcement is easily bypassed, the policy fails on both ends.
The Stakes Are Real
New York is not a state that takes privacy lightly. It led the nation on financial data protection with the SHIELD Act. It has some of the strongest consumer protection laws in the country.
But the age verification wave is moving faster than the privacy safeguards. Every month that passes without specifying privacy-preserving implementation standards is another month where millions of identity documents flow into centralized databases with minimal oversight.
The goal, protecting kids online, is the right one. The current implementation is not. And for the 8 million people who live in this city, the difference between good policy and bad policy is whether your driver’s license ends up in a database you never knew existed.