The Supreme Court's Age Verification Ruling Creates New Reality for Digital Identities

In a recent blog, "Online Age Verification: A Roadmap", I explored the complex issues surrounding online age verification and how Texas's law for app stores was indicative of a growing national trend towards stricter digital age verification to protect minors from harmful online content. At the same time, I argued that there was a need to balance these types of measures with protection with free speech, privacy concerns, and the practical challenges of implementation.

On Friday, June 27, the Supreme Court of the United States ruled that the Texas age verification law is constitutional. This will undoubtedly be seen as a bellwether decision in the history of privacy legislation, and while we can’t know for sure how this will be manifested for individuals and businesses, we know that it portends a dramatically altered landscape for digital privacy.

For organizations that will now be mandated to verify for age, it will require that they apply new tactics of identity verification to their current approach. But it also means they will be faced with a new set of challenges for protecting the privacy of user data. The latter challenge is not merely a checklist-able set of goals. Organizations will need to establish and maintain trust by virtue of how carefully they protect that data. There is an understanding that there is a type of sanctity that exists in the customer-provider relationship, and this law

For decades, the internet has operated under the fiction that online access is a free-for-all, where a simple "I am 18" checkbox was a sufficient gate. But that era is over. The Court has just sanctioned a new reality, and with this ruling, has made it clear that the state has a compelling interest in erecting verifiable, digital fences.

It could be interpreted that in his majority opinion, Justice Thomas dismissed the very notion that online age verification is a uniquely insurmountable or privacy-invasive burden. The opinion analogizes online age checks to a store clerk asking for an ID—a "long, widespread, and unchallenged practice."

This ruling is a direct challenge to the privacy-by-design principles our industry has long championed. The Court has declared that the perceived social good of protecting minors outweighs the incidental privacy burdens on adults. They've handed a blank check to state legislatures. The Texas law is a blunt instrument, targeting "sexual material harmful to minors." But the logic of this ruling can be applied to any sector where age is a factor:

• Social Media: Expect mandates to age-gate content, feeds, and interactions. The "I'm 13" checkbox will be replaced with a hard identity check.
• Gaming: The days of unregulated loot boxes and in-game economies for all ages are numbered.
• Fintech: Expect new scrutiny on who can access crypto exchanges, trading platforms, and other financial services.
• Cannabis & Alcohol: Online delivery services, already navigating a patchwork of state laws, will face a new federal-level legal framework for enforcement.

The question is no longer if these laws are coming, but how many jurisdictions will adopt and enact them. The Court’s decision creates a vacuum of responsibility, shifting the burden of protecting a user's sensitive data onto the very platforms and verification providers that are now mandated to collect it.

Those of us in this field are no longer just enabling access; we are now the gatekeepers, and the legal system has just given us a wide berth with which to operate as it relates to users’ data. The fraud and identity risks inherent in this new paradigm are enormous. The race is on to build the secure, private, and user-centric playbook that the market—and now the courts—demand.

A Proposal for Moving Forward: A Secure Age Verification Playbook

At Prove, we believe the solution lies in a secure, privacy-first approach to age verification. A successful playbook must address the following:

• Privacy by Design: Solutions must be built from the ground up to minimize data collection. The goal should be to verify age, not to collect and store sensitive user data.
• Decentralized Verification: Rather than requiring users to upload their IDs to every site they visit, a secure system would allow users to verify their age once with a trusted third-party service, which can then issue a privacy-preserving token or credential.
• Data Minimization: Companies should only collect the data necessary for verification and nothing more. The less data stored, the less there is to lose in a breach.
• User Control: Users should have control over their data and the verification process. They should be empowered to choose how they verify their age and who has access to their information.

The Supreme Court's ruling will force digital identity verification to adapt. For companies that are proactive and prioritize user privacy and security, this is an opportunity to build trust and demonstrate a commitment to responsible digital citizenship.