Online age verification is having a moment. Governments around the world are pushing platforms to check users’ ages before granting access to adult content, social media, and other restricted services. The idea sounds reasonable — keep children away from harmful material. But the way most age verification systems work today creates a new set of problems, trading one risk for another. A recent article by Proton explores whether there are smarter ways to protect children online — without turning the internet into an ID checkpoint.
France’s data protection authority, the CNIL, has studied the question in depth. Its conclusion: no single age verification method simultaneously offers reliable verification, full population coverage, and meaningful privacy protection. Most existing systems are either easy to circumvent or require users to hand over sensitive personal data — or both. The good news is that several alternatives are gaining real traction.
Cryptography Over ID Cards
One of the most promising technical approaches is the Zero-Knowledge Proof (ZKP). Rather than asking you to prove who you are, a ZKP lets you prove a single fact — such as “I am over 18” — without revealing anything else about your identity. No name, no date of birth, no document upload. In May 2025, Google integrated ZKP technology into Google Wallet, allowing apps to verify a user’s age without accessing personal data. Dating app Bumble was among the first to adopt the system. The European rollout is already underway too: Google and German savings bank group Sparkassen-Finanzgruppe are piloting the EU’s first nationally scaled ZKP age verification system, with broader availability expected in 2026.
It’s not a perfect solution — ZKPs still require a government-issued ID to be stored somewhere in the chain — but the verification step itself becomes private. That’s a meaningful improvement over the current norm of uploading a passport scan to a website you’ve never heard of.
Making Platforms Responsible
A fundamentally different approach shifts responsibility away from users entirely. The Age-Appropriate Design Code (AADC) model, championed by the Electronic Privacy Information Center (EPIC), targets the platforms themselves rather than the people using them. EPIC published its model AADC bill in early 2026, and it’s already been introduced in multiple US states including Georgia, Kansas, Kentucky, and New Jersey. South Carolina became the fifth state to enact an AADC into law.
The logic is straightforward: tech companies engineer their products to maximise engagement, and children are particularly vulnerable to these techniques. Rather than requiring every user to verify their age at the door, the AADC requires companies to assess their own products for features that drive compulsive use, prohibit high-risk design patterns for minors, and give children meaningful control over their privacy settings. No mandatory age checks, no data collection — just platforms built responsibly from the start.
Parental Controls and Honest Conversations
The most immediate tools available to most families are also the most underused. A 2025 study by the Family Online Safety Institute (FOSI), based on a nationally representative survey of 1,000 US parents and 1,000 children aged 10–17, found that parental controls are activated on fewer than half of children’s devices across most device types — only 51% on tablets, dropping to 35% on games consoles. Meanwhile, children with lower screen time were significantly more likely to have parental controls installed, suggesting that the tools do work when used.
The same study found that 89% of children say they feel comfortable speaking to a parent if something online makes them feel unsafe. That’s a striking figure — and it points to something that no technical system can replicate: open communication. Households that have regular conversations about online safety report greater confidence in the effectiveness of parental controls. The tools and the conversations reinforce each other.
No Single Fix
The honest answer is that there is no single solution. ZKPs are promising but require infrastructure and government ID as a foundation. Design codes shift the burden to platforms but take time to legislate and enforce. Parental controls are effective but underutilised and imperfect. Education takes years to show results. The Proton piece argues — persuasively — that a combination of all these approaches is more realistic and more privacy-preserving than mandatory ID checks for every website visit.
The broader concern with ID-based age verification is the data trail it creates. Uploading a passport or driving licence to verify your age on a website means that data now exists somewhere — vulnerable to breaches, misuse, or surveillance. The alternatives explored here don’t eliminate all risk, but they do avoid creating a centralised record of which adults visit which corners of the internet. That matters, both for adults and for the integrity of the systems built to protect children.
Key Takeaways
- France’s CNIL concludes that no single age verification method satisfies reliability, coverage, and privacy simultaneously.
- Zero-Knowledge Proofs (ZKPs) allow age confirmation without sharing personal data — Google Wallet and Bumble are already using them.
- The Age-Appropriate Design Code shifts responsibility to platforms, banning addictive design features targeting minors — now law in five US states.
- Parental controls are underutilised: fewer than half of children’s devices have them enabled, despite evidence they work.
- Regular family conversations about online safety significantly boost the effectiveness of parental controls.
- A layered approach — technical, legislative, and educational — is more realistic than any single ID-check mandate.
Photo: William Fortunato via Pexels