I want to come at this from another angle: We are about to tell the entire world wide web where all the kids are.
The more these laws are enforced, the more we hand over this information to any unscrupulous website operator, app developer, or advertiser. Are we about to hand Elon Musk [0] your kids' PII? How about Zuck, who (friendly reminder) sold your 2nd-factor phone number to advertisers [1]? How about all of the leaks from these ID services [2]? Or how about these services doing far more than Age Verification [3][4]?
Given the terrible track record of data breaches in tech, this means all this information leaks into even worse hands with little recourse for people and no punishment for companies.
From a security and privacy perspective it's in kids' own self-interest and self-protection for them to undermine all of these laws.
0: "I really want to hit the party scene in St Barts or elsewhere and let loose. The invitation is much appreciated, but a peaceful island experience is the opposite of what I’m looking for." https://www.justice.gov/epstein/files/DataSet%2011/EFTA02706...
There is no need to implement these kinds of things in a way that gives any PII to Musk or Zuck.
One way is the California approach, which requires that device operating systems offer parental controls that parents can set up when creating accounts for their children and that will provide an age bracket to apps when the children are using the device. The California law requires apps that need to restrict use by children to ask for that age bracket.
Note that the California approach does not actually do any age verification. The parental controls accept whatever the parent says is the child's age bracket.
Another way is to put actual ID documents on the device, cryptographically tied to the device, and to implement a protocol by which software on the device can prove to a remote site that the device contains such ID documents and that those documents show an age that is in the age range that is allowed to use the site, but without disclosing to the site any other information from the documents. Google, Apple, and the EU are all using and/or working on this type of approach.
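A sketch of the on-device ID approach described in the reply above, added here as an example (not code from the thread or from Google, Apple or the EU). It uses salted-hash selective disclosure, one common construction for this: the issuer signs digests of the attributes and the device reveals only the age flag. All function and attribute names are hypothetical, the keys and ID data are constructed, and toy RSA stands in for real signatures.

```python
import hashlib, json, secrets

# Toy RSA so the example is stdlib-only. Keys are constructed from Mersenne
# primes and are NOT secure; a real deployment uses a standard signature scheme.
E = 65537

def keygen(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (public n, private d)

def h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(h(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == h(data, n)

def digest(name, value, salt):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(attrs, device_n, issuer_n, issuer_d):
    """Issuer: salt and hash each attribute, sign the digests plus the device key."""
    salts = {k: secrets.token_hex(16) for k in attrs}
    digests = sorted(digest(k, v, salts[k]) for k, v in attrs.items())
    signed = json.dumps({"digests": digests, "device_key": device_n}).encode()
    return {"signed": signed, "sig": sign(signed, issuer_n, issuer_d), "salts": salts}

def present(cred, attrs, name, nonce, device_n, device_d):
    """Device: reveal one attribute with its salt and sign the site's nonce."""
    return {"signed": cred["signed"], "sig": cred["sig"],
            "disclosed": [cred["salts"][name], name, attrs[name]],
            "proof": sign(nonce, device_n, device_d)}

def site_accepts(p, nonce, issuer_n):
    """Site: issuer signature, digest membership, device binding, then the flag."""
    if not verify(p["signed"], p["sig"], issuer_n):
        return False
    body = json.loads(p["signed"])
    salt, name, value = p["disclosed"]
    return (digest(name, value, salt) in body["digests"]
            and verify(nonce, p["proof"], body["device_key"])
            and name == "age_over_18" and value is True)

# Constructed sample keys and ID attributes (hypothetical names and values).
ISSUER_N, ISSUER_D = keygen(2**127 - 1, 2**89 - 1)
DEVICE_N, DEVICE_D = keygen(2**107 - 1, 2**61 - 1)
ATTRS = {"name": "Alex Example", "birth_date": "2005-03-14", "age_over_18": True}
```

The site receives only digests for the undisclosed attributes, and without the salts it cannot guess-and-check a name or birth date. The signed digest list is the same at every site, so it can link visits; that linkability is outside what this sketch addresses.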
1: https://www.securityweek.com/facebook-admits-phone-numbers-m...
2: https://www.eff.org/deeplinks/2024/06/hack-age-verification-...
3: https://stateofsurveillance.org/news/persona-age-verificatio...
4: https://www.malwarebytes.com/blog/news/2026/02/age-verificat...