The Center for Democracy & Technology (CDT) has published a brief which offers a useful snapshot of how a small group of US teens and parents feel about common age-verification methods. The sample is modest and qualitative by design, so it surfaces concerns rather than measuring broad public opinion. We always welcome research and insight of this nature but critically important technical capabilities and safeguards now widely available in modern age assurance solutions were missing from the picture painted for the participants before they shared their views.
First, a word on context. It is harder to win trust in the US because there is no comprehensive federal privacy law, so people rely on a patchwork of state rules and sector laws. That inconsistency understandably breeds doubt about who holds personal data and for how long. By contrast, in the UK which is covered by the Europe-wide GDPR regime, strong age checks for both social media and pornography came into full force on July 25, 2025, and services have been delivering them at scale since then. We have not seen any major security incidents reported against certified age assurance providers in that first month, which matters for public confidence.
ID-based verification
CDT heard that uploading an ID feels intrusive and risky, especially at first contact with a new service. That is understandable. Two points appear to have been missed in their briefing to the people they consulted. First, selective disclosure lets you prove only that you are over a threshold without revealing your full birth date or address. US mobile driver’s licenses built on ISO 18013-5, and modern verifiable credential systems, support data minimization and selective release, and can be implemented with zero-knowledge techniques. Second, the latest software can perform document checks locally, even on a smartphone. NFC-based reading of the security chip on passports or Optical Character Recognition (OCR) for other physical documents, avoid the need for any personal data to leave the palm of a user’s hand.
Parental approval
Families in the study preferred parent-mediated controls for flexibility in the home. That makes sense for parenting, but it is a different policy objective from legal compliance by platforms. When a platform has a statutory duty to keep minors out of specific content, it cannot rely on optional parental settings alone. In those cases the service needs a robust age check which will not be affected by persistent pestering from a child to amend their age, perhaps to play a game that has a rating older than their real age.
Face-based age estimation
Participants in this small group distrusted face scanning and doubted it could tell the difference between adjacent teen ages. Estimation is not perfect, however it offers an inclusive option to people who may not own, have access to or feel comfortable using document based approaches. Independent evaluations and recent vendor results show rapid improvement in the ranges regulators care about. Yoti’s latest white paper reports a mean absolute error of 1.1 years for 13 to 17 year olds, and very high true positive rates when using decision thresholds. Operators can add a buffer age to minimize false positives, then route anyone near the line to a more accurate verification method, such as a reusable digital ID app. Results from Meta with millions of users who have a choice of options to prove their age, show that over 80% select estimation approach versus a document based approach. Here is a video explainer from Meta which can help consumers to understand how the technology is built and the safeguards in place. https://www.youtube.com/watch?v=PqZxgQ70Efc
Device-based signals
CDT’s interviewees were unsure how a device would know a user’s age and worried other data might leak. Those are fair concerns. Reusable IDs from providers like Yoti and Luciditi, and US mDLs, are designed to return only the fact that someone is over a set age, from either a document or a facial age estimation. An even better approach than app store or OS controls, may be to keep age as a standalone attribute that apps can query through a wallet or token, not a free pass into broader device data. Interoperability further reduces exposure by letting users re-use an approved result as an anonymized token, rather than re-uploading data across sites. The euCONSENT AgeAware model is one such tokenized approach.
Third-party apps and services
Some families worried that adding a third party increases breach risk. That is exactly why the AVPA supports mandatory audit and certification of providers against international standards: IEEE 2089.1 sets a framework for online age verification, with a certification program, and ISO/IEC 27566-1 establishes principles for privacy-preserving age assurance. And typically, users do not select an age assurance provider, they are referred to one by the platform they were seeking to access, and that platform will do due diligence on its partners, before trusting them with their user’s data. Many large platforms have learnt at great cost the impact of data breaches on their business so make very careful decisions before appointing suppliers.
Privacy, deletion, and US law
The brief voices a common fear that providers will keep sensitive data. In practice, strong rules and common vendor commitments run the other way. Many laws now bar retention of identifying information after an age check is complete. Texas for example, in its statute HB 1181 which was recently upheld by the Supreme Court, explicitly prohibits retaining any identifying information, with penalties for each instance. These rules sit alongside vendor designs that default to sharing only a pass or fail with the platform, and in some jurisdictions, doing so with zero-knowledge proof to make it technically impossible to track or trace a user.
Evidence on effectiveness
Beyond deployment experience in the UK, the Australian Age Assurance Technology Trial has already published preliminary findings, with a full technical report due that tests accuracy and conformance of some 50 methods of age assurance against standards like ISO/IEC 27566-1 and IEEE 2089.1. That kind of independent evaluation is what will build public trust. (Age Assurance Technology Trial). There is also a global benchmark which has now been undertaken for several years by the US National Institute of Standards and Technology into facial age estimation, see link – https://pages.nist.gov/frvt/html/frvt_pad.html
Where we agree
We agree with CDT that transparency, choice and user agency matter, and we sympathize with adults, parents and teens who want simple, private and credible options. We also agree that the path to trust is through privacy-by-design, selective disclosure, on-device processing where possible and strict deletion policies. Where we diverge is that today’s solutions already offer many of these safeguards, and the policy environment in places like the UK now demonstrates the capability to deliver a high level of age assurance at national scale.
Our ask
Let’s keep learning from user research, particularly experiential research, but let’s also make sure families hear about the latest capabilities. Reusable IDs from trusted issuers, standards-based wallets, and tokenized interoperability can give people one-tap, privacy-preserving proof of age across the web. That is how we square safety with privacy, and how we earn trust in markets that lack a single federal rulebook.
Reference: Center for Democracy & Technology, “Teen and Parent Perspectives on Approaches to Age Verification,” 22 Aug 2025. https://cdt.org/wp-content/uploads/2025/08/2025-08-22-CDT-Research-Brief-on-Age-Verification-1.pdf