More and more governments and big platforms around the world are shifting toward forcing users to verify their identities when using online services, rolling out mandatory digital ID plans and biometric age checks—and at a faster pace than ever. Whether it’s for safety (as they usually justify these developments) or simply for more control, we’ll likely have to adapt.
In this article, we’ll map where age verification rules and full-scale digital surveillance are already a way of life, how the tech works, the privacy risks, how we can mitigate them, and what the future holds for privacy seekers.
Digital ID vs. Digital Identity
Let’s deal with the terms first. A digital ID is a credential or token—like a passport or a badge—that you show to let services recognize you online. It can be a government-issued digital ID card or a verified “over-18” attestation issued by a licensed provider.
Then what is digital identity? Your digital identity is everything behind that credential: the attributes and metadata tied to you—name, date of birth, an ID number, behavioral signals, account links, etc. In short, a digital ID is the credential you present, and your digital identity is the full profile that credential represents.
Online Verification Rush: The Global Landscape
Up until recently, we could conditionally split countries into two camps: one camp (USA, EU, UK, Australia, and several other countries) originally started adopting online age verification laws in efforts to protect minors and reduce online harms, mostly by pressuring adult and social media platforms to verify users’ age, while another camp (notably China) was straight off clear about its goal—creating a centralized identity system that binds real names and biometrics to online accounts.
However, the latest developments in the first camp—primarily the digital identity wallet rollout plans in the EU and UK—showed that the lines between the camps can blur. So where are we now: which frameworks are already in place, and which online privacy laws will we have to live with in the near future?
United States
While nationwide online verification proposals in the U.S. are still in debate, many state-level laws aimed at age checks have already been adopted. They typically require adult websites, social media platforms, and—recently—app stores to implement “reasonable” age verification.
Verification laws for adult content
Since 2023, 25 U.S. states have passed age verification laws for websites that contain pornography or display materials harmful to minors. In most cases, such websites should request users to pass age verification using a state-approved digital ID, a government-issued ID, or a “commercially reasonable method of age and identity verification.” Most of these laws are already in effect; others will take effect by the end of 2026.
Verification laws for social media platforms
As of November 2025, 10 states have adopted regulations that restrict children’s access to social media platforms. In 6 more states, similar laws are currently enjoined. The regulations typically require social media platforms to verify users’ age and obtain parental consent before allowing minors to create accounts. In 8 states, the laws are already in force, and the other 2 will take effect in 2026.
Verification laws for app stores
4 states (Texas, Utah, Louisiana, and California) have recently passed laws with implementation dates in 2026 and 2027 that force app stores to implement age verification online. Google Play Store, Apple App Store, and other app store operators will be required to “use a commercially reasonable method” to verify an individual’s age category.
Kids Online Safety Act (KOSA/KOSPA)
First introduced in 2022, the Kids Online Safety Act is a nationwide initiative that would impose a “duty of care” on social media platforms to reduce harms to minors if enacted, plus parental controls, reporting tools, third-party audits, and public transparency reports. As of November 2025, the bill hasn’t yet passed the Senate.
Kids Off Social Media Act (KOSMA)
If adopted, the Kids Off Social Media Act would bar children under 13 from holding social media accounts, prohibit platforms from using personalized recommendation algorithms for users under 17, and require schools to block social media access on their networks. The bill was presented in January 2025 and hasn’t yet passed the introduction stage (as of November 2025).
European Union
The EU is moving fastest toward an adoption of government digital ID cards as part of the EU Digital Identity Wallet (EUDI). Member states plan to start using them interoperably for age verification by the end of 2026. Here are the current EU online privacy laws:
Digital Services Act (DSA)
The DSA entered into force in 2022 and requires platforms to put in place “appropriate and proportionate” measures to protect minors. In July 2025, the European Commission published DSA guidelines, recommending, among other things, to endorse “accurate and non-intrusive” age assurance methods (with the EU Digital Identity Wallet as a reference example).
EU Digital Identity Wallet (EUDI)
EUDI is basically a government-approved app that will be used for authentication and age verification of EU citizens and residents. The implementing acts for the European Digital Identity Framework were adopted in November 2024. requiring each member state to make at least one digital identity wallet available to residents by the end of 2026.
The wallets can vary in design but should all support selective disclosure (e.g., proving the holder’s age or nationality rather than sharing full identity) and integrate with government services. The wallets will also be interoperable, meaning you could open a bank account in Estonia using your Italian digital ID.
United Kingdom
The UK government has recently rolled out the plans for implementing its digital ID app—GOV.UK Wallet—that will be used to verify identity when using online services. The debate about the scope of application and whether it’ll support selective disclosure (like EU wallets) is ongoing, but there’s no doubt it’ll be mandatory for certain government services and potentially beyond. Let’s take a closer look at this and other UK online privacy laws:
Online Safety Act 2023 (OSA)
Passed in October 2023 and expected to be fully implemented in 2026, the Online Safety Act forces platforms to take action against illegal or harmful content to children where they can likely access it. Section 12 of the Act states that the platforms must use age verification or age estimation technologies.
Age appropriate design code (Children’s code)
The ICO’s Children’s code that took effect in September 2020 runs alongside the Online Safety Act and requires services likely to be used by under-18s to verify users’ age, minimize data collection for children, use maximum privacy settings by default, and present privacy policies and controls in a clear and accessible manner.
GOV.UK Wallet
The GOV.UK Wallet app will be implemented no later than August 2029 and will represent a unified storage of government documents that could be used for digital identity verification in the UK. The question of whether it will be a voluntary tool with selective disclosure or a mandatory digital ID used for a wide range of checks is still open.
Australia
Australia’s latest online verification regulations include the adoption of national digital ID legislation and the introduction of the Social Media Minimum Age amendment that forces social media services to take “reasonable steps” to verify users’ age to prevent under-16s from holding accounts on certain social networks.
Digital ID Act 2024
Adopted in late 2024, Australia’s Digital ID Act establishes a framework for secure digital identity verification in Australia, allowing both government and accredited private providers to issue verified digital credentials, like proof of age. They could then be used to confirm age or identity without collecting full ID data. Government use began in 2024; private sector participation will open from December 2026.
Online Safety Amendment (Social Media Minimum Age) Act 2024
Adopted in late 2024 and taking effect in December 2025, this amendment completes the Online Safety Act 2021 and requires major social media platforms (currently Facebook, Instagram, Snapchat, Threads, TikTok, X, and YouTube are affected) to verify users’ age to prevent Australians under 16 from creating accounts.
China
China’s real-name verification system requires ISPs and online platforms to collect and verify users’ real names and other information and has been around for more than 10 years. In 2025, the government also launched the voluntary digital identity verification system—Cyberspace ID—that can be used across online accounts for authentication.
Real-name verification
In December 2012, China’s National People’s Congress Standing Committee adopted the Decision on Strengthening Network Information Protection, forcing users to disclose their identity to network service providers. This was amended in 2015 with the requirement to provide a real name when registering on social media and later in online games. Most major services have adopted the system since, making the area of implementation of real-name verification in China extensive.
National Online Identity Authentication (Cyberspace ID)
In July 2025, the government launched the National Online Identity Authentication Public Service (Cyberspace ID) that allows citizens to obtain a unique ID token to verify their identity across online accounts using digital ID and biometric ID verification methods.
| Country/region | Law/instrument | Area of implementation | Status (as of November 2025) |
|---|---|---|---|
| United States | 1. State age verification laws for adult content 2. State social media verification rules 3. App store age verification laws (TX, UT, LA, CA) 4. Kids Online Safety Act (KOSA) 5. Kids Off Social Media Act (KOSMA) | 1. Websites that host pornography or material harmful to minors 2. Social media platforms 3. App stores (Google Play, Apple App Store, others) 4. Social media platforms 5. Social media platforms | 1. Passed in 25 states 2. Passed in 10 states 3. Passed; implementation in 2026–2027 4. Introduced 5. Introduced |
| European Union | 1. Digital Services Act (DSA) 2. EU Digital Identity Wallet (EUDI) | 1. All major online platforms accessible to minors 2. Public and private services across member states | 1. Entered into force in 2022 2. Implementing acts adopted; implementation by the end of 2026 |
| United Kingdom | 1. Online Safety Act 2023 (OSA) 2. Age appropriate design code (Children’s code) 3. GOV.UK Wallet | 1. Platforms with UK users 2. Services likely used by under-18s 3. Public and private services | 1. Passed in 2023; expected full implementation in 2026 2. In effect since 2020 3. Pilot is underway; rollout target no later than August 2029 |
| Australia | 1. Digital ID Act 2024 2. Online Safety Amendment (Social Media Minimum Age) Act 2024 | 1. Public and private services 2. Social media platforms | 1. Adopted in 2024; government use began in 2024; private participation opens in December 2026 2. Adopted in 2024; takes effect in December 2025 |
| China | 1. Real-name verification 2. National Online Identity Authentication (Cyberspace ID) | 1. Social media platforms, online games, many online services 2. Online services | 1. In effect since 2012 2. Launched in 2025 |
How Verification Systems Work
Verification systems can vary from simple mobile operator checks to government digital ID and biometric authentication. Let’s speak about the most common approaches and how private each option is.
Government eID wallets and APIs
These are government-backed apps or digital ID cards (e.g., EU Digital Identity Wallet, GOV.UK Wallet, Australia’s Digital ID) that hold cryptographic credentials. Good wallet designs use selective disclosure so you prove one attribute without handing over a full ID. This option usually offers a high level of privacy if implemented with the abovementioned selective disclosure and tight retention rules.
Photo ID upload + biometric matching
You upload a passport or driver’s license and a selfie; a vendor or platform runs facial matching. This method is hard to spoof, but the trade-off is lower privacy—the process creates biometric records that are hard to erase and very attractive to bad actors.
Third-party age verification services
These can check credit files, mobile operator signals, or identity broker databases to confirm age. They’re convenient and broadly supported, but they create query logs and link your digital footprint to the platform.
Device & behavioral methods (including facial age estimation)
These options verify age from device signals, cookies, usage patterns, or AI estimates from your camera feed. They’re cheap but error-prone and often entail profiling and fingerprinting.
Federated identity & attribute-based tokens
These are cryptographic credentials like zero-knowledge proofs (ZKPs) that support selective disclosure, which, unlike government digital IDs, are issued by multiple trusted entities rather than a single state system. In theory, that’s the best privacy-first option, but implementation matters.
Privacy and Security Risks
While some might find verification tools useful, they create obvious risks for users:
- Surveillance creep and scope expansion. What starts as an age check can quickly evolve into broader identity checks, and voluntary systems can become de facto mandatory.
- Data breaches and identity theft. Verification vendors and government registries hold high-value data. A breach can result in identity fraud, and biometrics can’t be reset.
- Anonymity loss for vulnerable people. Mandatory online verification reduces safe, anonymous spaces for activists, whistleblowers, survivors, and marginalized communities.
- Discrimination and exclusion. People without passports or other required documents—refugees, stateless people, and some elderly or low-income users—can be locked out of services, including education and health information.
- Data monetization & law enforcement access. Identity data is valuable. Weak rules or vague “safety” exceptions can lead to profiling, targeted ads, or broad law enforcement access.
Vive la Résistance: How You Can Minimize Surveillance
More and more governments and platforms want your personal data, but you don’t have to be helpless. Here’s what you can do to preserve your privacy:
Use privacy-protecting tools. VPNs hide your IP and can bypass geoblocks, but they do not stop platforms from demanding a passport scan. Tor hides your origin even better but won’t defeat a forced biometric match. These tools can help if verifications are region-based, but they’re not a magic anonymity fix.
💡 Quick tip: VPN Privacy: Are You Really Anonymous?
Choose attribute-only attestations. Where possible, use services that accept attribute attestations rather than full ID uploads.
Limit sharing and tidy your footprint. Use pseudonymous accounts where allowed, separate identities for different purposes, burner emails for low-risk signups, and strong 2FA on valuable accounts.
Take civic and legal action. Exercise data access/deletion rights, review privacy policies, and support NGOs pushing for limits on biometric storage, vendor monopolies, and reuse of identity data.
Trends to Watch in the Next Few Years
We’ve already established that online verification is gaining momentum, but what should we expect in the near future?
- Wider government eID rollouts. EU wallets and national digital ID pilot programs, like in the UK and Australia, can make such attestations common if they’re implemented successfully.
- Privacy-preserving tech gains ground. Zero-knowledge proofs and selective disclosure will see more attention—nobody wants to share the whole enchilada of their personal data.
- More granular laws. We’ll likely get sector-specific rules aimed at social media, finance, and gaming platforms rather than one-size-fits-all regulations.
- VPN use growth. Expect spikes in VPN app downloads in countries adopting mandatory age or identity verification.
💡 Quick tip: Types of VPN Explained: How Each Works and Which Is Best for You
Don’t Give Up Your Privacy
Age and digital identity verification systems are here to stay, that’s for sure—but they don’t have to force you out of the internet. Favor trusted services that support attribute-only verification and don’t reuse data, use VPNs and other network privacy tools, and keep good account hygiene. And remember that our privacy is still in our hands, even when it seems like we’re running out of it.
FAQs
What is a mandatory digital ID?
Usually this means a government-backed credential that citizens need to obtain by verifying their identity online to access certain services defined by that government.
Will I need to show my ID to use social media?
It depends heavily on the country and platform. Some places require stronger age checks with a digital ID or biometrics, while others allow for lighter methods like self-declaration. But digital identity industry trends in 2025 suggest that we’re moving toward stronger verification requirements.
Can a VPN stop platforms from asking me for ID?
Yes, if the ID verification requirement is region-based, and no if it’s platform-based. VPNs hide your IP and help with geoblocks, making you appear to be browsing from another country, but they don’t stop platforms from demanding document uploads or biometrics.
Is age verification always photos or biometrics?
No. Methods range from self-declaration and mobile operator checks to government digital ID cards and biometric ID verification systems. Photos or biometrics are usually used where high assurance is required.
Are digital ID systems safe from hacks?
No system is foolproof, and each carries risks of identity theft and data security breaches to a certain extent. Prefer systems that minimize stored data and use decentralized attestations, as they are generally safer than centralized registries and third-party verifiers that are attractive targets for bad actors.
How can I avoid handing over an ID or sharing biometrics?
Favor privacy-friendly systems that use attribute-only attestations, avoid unnecessary document uploads, and demand alternative verification methods where possible.
