Can Online Age Verification Work Without Exposing Your Identity?
AI-generated, human-reviewed.
A new age verification system being rolled out in Spain—and based on EU standards—is proving it’s possible to verify user age for restricted content online without exposing personal identity or tracking users. On Security Now, Steve Gibson explained that this privacy-focused approach may become a model for responsible age regulation across the web.
Spain is launching a digital age verification solution that uses “verifiable credentials”—a set of cryptographically signed digital documents that can confirm facts (like age) without revealing sensitive user details such as names, addresses, or full birth dates. The system is being implemented to comply with new laws requiring that access to adult or age-restricted content be limited to those who can prove they are old enough.
According to Steve Gibson on Security Now, Spain’s solution utilizes technology developed by the World Wide Web Consortium (W3C) for “verifiable credentials.” These are secure files that confirm the holder meets age requirements. The credentials are issued by trusted authorities (such as national governments), are stored privately on a user's device, and can be independently verified by any website without sending identifying information to the site itself.
The core of this technology is privacy by design. Instead of exposing your identity—even to the website you're visiting—the credential only asserts that you meet the age requirement, and nothing else. The credential is stored in a secure app on the user’s device (like a smartphone). When a website requests age verification, the user simply scans a QR code and approves the action using a PIN or, optionally, their device’s biometrics.
Websites never see names, full legal IDs, or other details—just a confirmation that the user is “over 18,” for example. There’s also no centralized tracking of where users verify their age, making it nearly impossible to build activity profiles or cross-site records.
Recent laws in the EU, UK, Brazil, and various US states require online services to block minors from accessing mature or restricted content. Self-declaration (“click to confirm you’re 18”) is no longer sufficient under these regulations. Penalties for non-compliance are increasingly severe—for instance, Brazil’s new law includes fines up to nearly $10 million or 10% of a company’s revenue.
The challenge: Most current age checks require users to upload ID documents or credit cards, exposing sensitive information to potentially untrustworthy sites and creating significant privacy and security risks.
How Does the Spanish/EU Approach Work in Practice?
Users download an official age verification app and register their national digital ID (in Spain, every citizen receives one at birth).
The app issues a verifiable credential confirming only that the user is above a certain age.
When accessing a restricted website, the user scans a QR code with the app or responds to a prompt on mobile.
The website receives only a cryptographically verified "Yes, this user is old enough" response.
No other personal information is shared. The app stores credentials locally, and no central database tracks user activity.
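The website's side of the steps above, as an added example (not code from the Spanish app, the EU blueprint or the W3C specification): an issuer signs a credential that holds nothing but an age predicate, and the site checks it offline against the issuer's public key. The function names, payload layout and the choice of Ed25519 are assumptions made for illustration. The QR-code transport, PIN approval and replay protection are left out.

```javascript
// Added illustration only: a simplified age-only credential, not the W3C
// Verifiable Credentials data model and not the Spanish app's code.
// Function names, payload layout and Ed25519 are assumptions.
const crypto = require('crypto');

// Issuer (trusted authority): signs a payload that carries only an age predicate.
function issueCredential(issuerPrivateKey, claims, ttlSeconds, now = Date.now()) {
  const payload = JSON.stringify({ claims, exp: Math.floor(now / 1000) + ttlSeconds });
  const sig = crypto.sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64');
  return { payload, sig };
}

// The only attribute the website is willing to accept.
const ALLOWED_CLAIMS = new Set(['age_over_18']);

// Verifier (website): needs the issuer's public key, never contacts the issuer.
function verifyAge(credential, trustedIssuerKeys, now = Date.now()) {
  const data = Buffer.from(credential.payload);
  const sig = Buffer.from(credential.sig, 'base64');
  // 1. The signature must verify under a trusted issuer key.
  if (!trustedIssuerKeys.some((key) => crypto.verify(null, data, key, sig))) {
    return { ok: false, reason: 'bad-signature' };
  }
  const { claims, exp } = JSON.parse(credential.payload);
  // 2. Reject expired or malformed credentials.
  if (typeof exp !== 'number' || exp * 1000 <= now) return { ok: false, reason: 'expired' };
  if (!claims || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // 3. Data minimisation: refuse anything beyond the age predicate, so that
  //    names or birth dates never enter the site's logs even if offered.
  const extra = Object.keys(claims).filter((name) => !ALLOWED_CLAIMS.has(name));
  if (extra.length > 0) return { ok: false, reason: 'excess-claims' };
  // 4. The predicate itself.
  if (claims.age_over_18 !== true) return { ok: false, reason: 'under-age' };
  return { ok: true, reason: 'age-verified' };
}

// Constructed sample keys and credential (generated at run time, not real data).
const issuer = crypto.generateKeyPairSync('ed25519');
const rogue = crypto.generateKeyPairSync('ed25519');
const good = issueCredential(issuer.privateKey, { age_over_18: true }, 300);
console.log(verifyAge(good, [issuer.publicKey]));
```
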
This open-source blueprint is being considered as a reference implementation for other EU countries, offering flexibility for different national needs while preserving privacy.
Key Takeaways
Spain's age verification system is built on privacy-first principles using W3C verifiable credentials.
No personal data (name, birthday, address) is ever shared with websites—only age status.
The system is open source, customizable, and compliant with EU privacy regulations.
Governments are increasingly mandating robust age checks for online content.
Privacy-preserving verification could become the standard, replacing risky practices like uploading IDs or credit cards.
The solution is technically advanced but designed for ease of use, using apps, QR codes, and national digital IDs.
The approach ensures minimal risk of tracking or profiling across websites.
The EU, starting with Spain, is demonstrating that it’s possible to comply with strict age verification laws without sacrificing online privacy or anonymity. As regulation expands globally, privacy-first digital credentials like these are likely to become essential for accessing age-restricted content safely and responsibly.
Stay tuned—this technology may shape digital identification beyond just age verification, setting new standards for privacy, security, and regulatory balance online.
Subscribe for more insights and analysis: https://twit.tv/shows/security-now/episodes/1044