This past week, age verification enforcement went live in the UK. France reinstated its ban on adult sites without verification. Texas is now fully enforcing its age-check law. Denmark will launch a national age verification app in 2026.
This wave of regulation is reigniting a pressing debate in digital privacy:
Can we verify age without turning digital identity into a tracking tool?
Governments are right to demand stronger protections for minors. Platforms are being held accountable. But users are now forced into a false choice: hand over sensitive personal data or lose access to lawful digital services.
That’s not real regulation. That’s coercion by design.
And it gets worse. The most serious risk isn’t just handing over ID. It’s the silent, permanent correlation of identity, behavior, and context every time you prove who you are online. A hidden surveillance layer is forming, powered by credential issuers quietly monitoring how their credentials are used.
It’s time to break that model.
The Laws Are Clear. The Architecture Is Not.
Across jurisdictions, age verification is now a legal requirement.
In the United Kingdom, Ofcom began enforcing the Online Safety Act on July 25, 2025. Platforms must now implement highly effective age assurance for adult and harmful content or face fines up to £18 million or 10 percent of global turnover. Ofcom has already launched formal investigations into 34 adult websites for noncompliance.
In Denmark, the government is piloting an EU-backed national age verification app, with a full rollout planned in 2026. The system is expected to be integrated with MitID and mandatory for adult content access.
In France, the Council of State reinstated enforcement on July 15, 2025, requiring pornographic websites to implement strict age verification under Arcom’s oversight. Platforms can now be fined up to 2 percent of global revenue and blocked by ISPs for failure to comply.
In Texas, House Bill 1181 has been in effect since 2023. The U.S. Supreme Court upheld the law in 2025, confirming that commercial adult sites must verify age using government-issued ID or facial recognition, or face civil liability.
Regulators are moving fast. But the systems being deployed rely heavily on centralized identity credentials, facial scans, and government-issued wallets. These methods often lack clear protections against one specific and dangerous behavior: silent issuer observability.
The "Phone Home" Problem
Whenever a user verifies an attribute like “over 18,” the credential issuer may be pinged in the background. This is what privacy professionals call the phone home problem. It allows the issuer - whether a government, identity vendor, or mobile platform - to know when, where, and why a credential is used.
Over time, this creates a behavioral profile that tracks not just identity but usage patterns and digital context. It enables cross-site surveillance without cookies, and without consent.
Even the EU’s EUDI Wallet project, designed to enable privacy-friendly digital credentials, has drawn criticism for failing to prevent issuer observability. Many implementations allow the credential issuer to log each verification event.
It's like your driver’s license quietly reporting to the state every time you visit a website. That’s not age verification. That’s behavioral surveillance in disguise.
We don’t need to choose between protecting children and protecting everyone else. We can have both - if we build it the right way.
A Better Model Starts With Privacy First
At AesirX, in partnership with the Layer 1 blockchain Concordium, we are finalizing a privacy-preserving architecture designed to meet compliance while protecting user anonymity by default.
The foundation is what we call the Contextual Uniqueness Key (CuK) - a client-side pseudonym generated per session and per domain. Each service a user interacts with sees only a one-time-use identity. Nothing persists, and nothing links across services.
The user verifies their age using an identity source of their choice: Concordium Wallet, EUDI Wallet, mobile driver’s license, national ID, or Apple or Google Wallet. A zero-knowledge proof (ZKP) confirms the age claim without exposing any personal data.
Each website receives a unique pseudonym, valid only for that context. No central system sees the full picture. And most importantly, the credential issuer never knows the verification took place.
This breaks the surveillance loop. There are no behavioral breadcrumbs. No phone home.
Concordium Anchors the Trust Without Owning the Data
The CuK system is anchored by Concordium’s privacy-first blockchain infrastructure, providing cryptographic proofs, decentralized trust, and legally governed audit capabilities - without ever collecting or storing user data.
Concordium’s unique approach to identity combines zero-knowledge proofs, layer-1 security, and multi-party unmasking, enabling lawful accountability where necessary, while preserving user anonymity by default.
This ensures that platforms and developers can meet regulatory demands without surrendering control to centralized intermediaries. Whether used directly or integrated through middleware like AesirX’s Shield of Privacy, Concordium enhances the entire trust layer while maintaining decentralization.
It delivers what regulators expect - traceability, provability, and compliance - while protecting users from being profiled, tracked, or linked across services.
This isn’t future tech. It’s working today.
The Pattern Is Spreading
Age verification is just the beginning. The same technical architecture is already being proposed or deployed for:
- Access to social media platforms
- Online gambling and gaming
- KYC-light DeFi and fintech onboarding
- Cross-border content filtering
- Health and mental wellness services
What we choose today will define the future of identity. If we default to centralized ID observability, we risk building an internet that reports on every action to a third party. If we build with privacy-first primitives like CuK and ZKPs, we can meet legal obligations without turning compliance into surveillance.
We need to move past checkbox regulation and demand real protections: unlinkability, zero-knowledge proofs, decentralization, and trust minimization by design.
The Identity We Build Defines the Internet We Keep
Digital identity is becoming the infrastructure of the internet.
We can design a future where compliance means trust, not tracking. Where privacy is a core requirement, not an afterthought. Where platforms, regulators, and developers build systems that truly protect users instead of exposing them.
With AesirX and Concordium, this isn’t a concept or a pitch. It’s real, working, and ready for implementation - and now we are working together to finalize the last parts of our CuK model to protect your privacy online.
If you’re building a platform, writing policy, or shaping digital infrastructure:
The architecture matters.
Design compliance that doesn’t compromise.
Build trust you never have to surrender.
Let’s build an internet worth trusting.
Reach out to explore pilots, standards collaboration, or help implementing compliant age verification.
Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io
