Most age-restriction laws follow the same pattern. They set a minimum age and require platforms to take "reasonable steps" or "effective measures" to prevent underage access. Australia's social-media minimum-age law. The UK's Online Safety Act. Various US state proposals. What these laws rarely spell out is how platforms are supposed to verify who is actually over the line.
At the technical level, companies have only two real options: collect explicit identity proof from every user, or estimate age from behavioral and biometric signals. The first is invasive on its face. The second only works at scale by harvesting and analyzing large amounts of personal data. Neither path is privacy-preserving.
The trap closes when you stack the two regulatory regimes against each other. GDPR and modern privacy laws push platforms to collect less data, retain it for shorter periods, and give users control over what is stored. Age-verification laws push platforms to collect more data, retain it long enough to prove compliance, and offer users no real way to opt out without losing access. The same regulator's left and right hands tell platforms opposite things.
For users, the cost is borne by everyone, not just minors. To prove that some users are old enough, every user has to be checked. Age verification universalizes identity collection. Children get protected from one set of risks by exposing the entire population to another.
Vendors pitch various forms of "privacy-preserving" verification: zero-knowledge proofs, on-device estimation, third-party tokens. The cryptography is real. The deployment is rare. In practice, the systems that ship are databases, face-scan APIs, and ID-document processors run by third parties with their own retention policies and breach exposure. The privacy-preserving versions exist mostly in policy whitepapers, not in the production code at Meta, TikTok, or X.
Even when the cryptography works, it solves only part of the problem. The metadata of who tried to verify, when, and from where remains highly identifying. And every layer of intermediaries adds more parties holding age-related data about users they have no other relationship with.
The piece argues that the right response is not to abandon child-safety goals, but to recognize that the current path makes them incompatible with privacy. Three implications. First, regulators need to choose. They cannot demand strict age verification and strong data minimization in the same breath without expecting platforms to cheat one or the other. Second, the focus should shift from gating access to designing platforms whose default behavior is safer for younger users, regardless of who is signed in. Third, age-verification proposals deserve the same scrutiny as any other surveillance system, because that is what they are.
The age-verification trap is a specific instance of a broader pattern: regulators reaching for identity verification as a tool to enforce content rules. Each new use of identity verification at the network layer normalizes the next one. What starts as "prove you are old enough for this app" becomes "prove who you are to use the internet." The infrastructure built for one purpose tends to expand into adjacent ones. The piece urges treating that trajectory as a policy choice, not an inevitability.