First Porn, Now Skin Cream? ‘Age Verification’ Bills Are Out of Control | EFF

Age verification laws has been one of the main focuses of the EFF lately. Notably, various U.S. states have introduced legislation that affect websites that are not necessarily “adult” content.

This alarming trend is already clear, with the growing creep of age verification bills filed in the first month of the 2025-2026 state legislative session. Consider these three bills:

1. Skincare: AB-728 in California
   Age verification just hit the skincare aisle! California’s AB-728 mandates age verification for anyone purchasing skin care products or cosmetics that contain certain chemicals like Vitamin A or alpha hydroxy acids. On the surface, this may seem harmless—who doesn’t want to ensure that minors are safe from harmful chemicals? But the real issue lies in the invasive surveillance it mandates. A person simply trying to buy face cream could be forced to submit sensitive personal data through “an age verification system,” creating a system of constant tracking and data collection for a product that should be innocuous.

2. Dating Apps: A3323 in New York
   Match made in heaven? Not without your government-issued ID. New York’s A3323 bill mandates that online dating services verify users’ age, identity, and location before allowing access to their platforms. The bill’s sweeping requirements introduce serious privacy concerns for all users. By forcing users to provide sensitive personal information—such as government-issued IDs and location data—the bill creates significant risks that this data could be misused, sold, or exposed through data breaches.

3. Dieting products: SB 5622 in Washington State
   Shed your privacy before you shed those pounds! Washington State’s SB 5622 takes aim at diet pills and dietary supplements by restricting their sale to anyone under 18. While the bill’s intention is to protect young people from potentially harmful dieting products, it misses the mark by overlooking the massive privacy risks associated with the age verification process for everyone else. To enforce this restriction, the bill requires intrusive personal data collection for purchasing diet pills in person or online, opening the door for sensitive information to be exploited.

Of course, there are valid arguments for mandating ID for some of these situations. That is, if you ignore the horrible track record that most websites have when protecting personal data.

I could understand dating apps but skincare and diet products?

Is age verification the “evil” thing, or is it how it is implemented. I am in favor of fully private age verification for things like dieting, dating, etc. purely because of the constant overexposure to internet and weird cultures children have access to.

I prefer something like privacy pass over not having these reasonable restrictions. Current legislation is definitely putting the cart before the horse though. They should first build public consensus, then implement tech, and then make it mandatory, instead of just trying to use this as a garb for surveillance legislation.

I can understand ID checks for substances that are harmful to children, since we already do that, but creating an entire age verification system for it seems pretty needless.

The root problem is the government treating young people like prisoners, robbing them of any choices and privacy. Helicopter parenting is one issue, but its even worse when the government does it.

Treating young adults like prisoners is the reason why they are more depressed and unhealthy than ever before, not skincare products.

Age verification is inherently evil IN MY OPINION. It cannot be the role of government to regulate access to information or that power will be abused.

For example you may be perfectly ok with the current government blocking access to dating apps for people under 18, however you may be less ok with a future government banning access to LGBTQ content or certain books for minors or heck all people under the age of 150.

But did I say “I want government to implement age restriction”? My assertion was simple, if there was a perfectly privacy preserving way to do age verification, then I would not be against it. The issue you highlight is also an implementation issue, not intent issue. The implementation can be based on consent of parents, consent of individual, etc. The intent is not inherently evil in my opinion.

Plenty of discussion here.

That skin cream better be on a different higher orgasmic level if they’re going to lump it together with porn…

But seriously though, Vitamin A cosmetics can be a bit problematic but it should be held at the same level as alcohol. A simple good enough visual check is more than enough.

Do you guys think that if/once these things pass, the darkweb could become more popular among more normal people? As much as I like Tor, from my experience hidden services are about 90% scams and 5% drug sites.

This is hilarious.

It’s like the label “This product contains chemicals know to the state of California to cause cancer.” - I think we should embrace the CA tendency to go overboard and ensure that you can’t talk about anything from the Prop 65 list of hazardous chemicals without proving you’re old enough.

Sorry kids, looks like you can’t ask an online car forum for help without showing ID because California says you might get cancer from car exhaust.

It is not, and to burst your bubble - and everyone else’s on this forum: The vast majority (~80%) of the American public prefers age verification measures on porn sites: Tracking Major Supreme Court Cases and Rulings in 2025 - The New York Times

These laws are here to stay, the only question is how to make these checks secure and privacy-respecting.

Among those polled, how many have a well-informed opinion on this topic? If people were given the explanation that these laws lead to increased surveillance, yet there are alternative ways to restrict minors’ access to explicit content without implementing online age checks, how many would have supported them?

Laws or precedents stay unchallenged by giving up on the possibility of change. The purpose of raising awareness is to not let that happen. By voicing your opposition to enacted laws (by crafting good arguments that support your stance, explaining alternative solutions that don’t intrude on your privacy, etc) and informing others about the drawbacks of laws that may seem beneficial at first glance, you maintain the option for change.

Yes, we have to be pragmatic, but not fatalistic. Support the “privacy-respecting” solutions when these laws are enacted, but also don’t stop trying to overturn them.

Can you provide any examples? And by examples I don’t mean a fear-mongering EFF article full of non-sequiturs.

Why do you assume people are misinformed about this? There isn’t much to be misinformed about. 80% of people don’t want minors to be able to watch adult content online. They don’t care how age verification is done, just that it’s done.

The American people do not want to overturn these laws. I am more concerned about the porn industry’s massive lobbying, manipulation, and astroturfing efforts (“Free Speech Coalition,” anyone?) which could lead to attempts to overturn these laws against the will of the people.

I’m all for privacy, but I think the people on this forum tend to focus on the wrong enemy in this case. I’ll say it again: There’s bipartisan support for these laws. Focus on making age-verification privacy-respecting: e.g. develop privacy-respecting age verification software, exert pressure on sites that do not use privacy-respecting age verification technology, etc.

Your post gives me the feeling that you’re okay with these laws since the general public supports them, so we just need a private way to verify our identity and everything will be fine.

You are not wrong in saying that most Americans do support age verification to access pornography, the problem is that these laws don’t just limit access to pornography. Look at the Online Safety Act in the UK; it is overly broad in its implementation in that anything which is potentially “harmful to children” is being restricted. The law does have some very specific categories that are reasonable to restrict from children: pornography, instructions on how to commit suicide, etc. However, the language is so broad that basically everything is being swept up as content which is potentially harmful to children and, in order to avoid liability, websites are just making ID verification mandatory. I as a grown adult shouldn’t be forced to verify my age simply to browse certain sites on the internet. In the real world, I can walk into a gun store, porn shop, and liquor store and browse without providing my ID. It’s only when I try to consume content (read: purchase items) in that store am I asked to verify my age/identity. With the exception of buying a gun, its a quick glance of an ID to verify that I am of proper legal age to make the purchase. They don’t photocopy my ID and put it in some folder that could be potentially breached further down the road. ID verification services have been breached before and its only a matter of time until it happens again.

Circling back to the UK’s Online Safety Act, who decides what content is harmful for children? Could the ruling party decide the opposition party’s newest ad campaign is harm for children and restrict it? Could a government decide that non-state sponsored media is harmful for children and restrict access to it? Sure, access to those things would still be achievable by showing you are of age, but whose to say the government isn’t snooping on those verification requests to figure out who dissidents are? Everything I’m saying is purely hypothetical but its meant to demonstrate the potential chilling effect that these laws can have when they are too broad in their implementation.

I created an account on social media platform Z anonymously to discuss mature content. My real identity remains unknown, and my digital activities are confined to that site only. If I were to abandon that account, I could do so without any issues, as it wouldn’t be linked to any other digital identity of mine. This level of anonymity is achievable today. Linking identities back to your real identity is only possible if you have poor digital hygiene, such as reusing email addresses, usernames, not using a VPN, or posting identifying information on your account. If you know what you’re doing, you can maintain anonymity legally.

With the advent of age verification laws, this level of privacy is no longer possible. To ensure that a person is of legal age, companies need to know their real identity. This means you have to deanonymize yourself by uploading a piece of identification to a company (whether it’s a third party or not), showing a picture of yourself with liveness detection, or through other means of verifying that an adult is behind the account. By doing this, you’re putting your trust in the company verifying your information to uphold their promises that the process is private and anonymous.

However, trusting is not the same as proving. If you’re here on the PG community, I assume you might notice parallels with so-called “no-logs” VPNs. Wanting solutions that don’t require “trusting” someone is why tools like Tor and I2P were developed in the first place. So, why trust a corporation’s proprietary age verification software? How can you be sure they’re not keeping logs, or that their algorithms won’t produce deterministic outputs that could link different identities, or that their sessions aren’t linkable, or that they won’t start logging under a gag order, or any other valid concerns with centralized architectures?

Why does any of this matter? If you have some knowledge of OSINT, and I recommend reading some write-ups if you have the time, you’ll understand how important it is to avoid having such information in databases. Once acquired (via a breached database, leaked by an insider, or fraudulently obtained through fake Emergency Data Requests, etc.), this information can connect otherwise unrelated graphs of digital footprints.

(In my example, I’m using an age verification company that promises some level of privacy. In the worst-case scenario, a site might simply store your ID in another table in the database and set a foreign key, and call it a day)

Were you asking for a real-case example of this happening? Unfortunately, it’s still too early for such incidents to have occurred. We will have to wait until subpoenas against anonymous accounts start mentioning information related to age verification.

I assume that most people are misinformed, thinking this is the best or only solution. I assume that because most people are not tech-savvy and may not be aware of less intrusive alternatives. Most people do not want minors to access adult content, and point-of-access age verification is presented as the solution to this problem. Many people, having been informed by pollsters or through news reports, therefore believe that age verification at the point of access is the only and most effective way to achieve this goal.

Genuine question: Do you support the age verification laws, or do you oppose them but think it is futile to stop them; which position do you hold?

What many people are misinformed about in regard to age verification technology are

• steered into thinking that it is the best and only solution
• insufficiently informed about the harms that it would likely bring to the internet

I say “likely” because no one knows what the end result would be yet, but in all likelihood it will lead to erosion of privacy and freedom, one that (like this thread suggests) would broaden in scope over time. My guess is the vast majority of people would submit to ID/face scans as the most convenient method, and privacy-respecting solutions would exist only at the fringes. I fear age verification technology will cause cultural harm by normalizing permission culture and outsourcing of responsibility.

These laws are being drafted and introduced based on technologies that aren’t yet decided on nor proven. Even if hypothetically age verification were the best solution, the first step ought to be to specify, design, implement, test and pilot the technology, and only then introduce the legal framework. Instead, the reverse is happening, which brings uncertainty about the effects the law will have.

I say “misinformed” only because that’s the word that others here used, but as in many past erosions of privacy and freedom, “disinformed” and “uninformed” are more fitting. The same process of governments creating an agenda, fabricating a boogey man that rationalizes their agenda, creating a policy that fits their agenda and spreading their policy to the masses is happening with age verification technology.

You may be right in saying most people (rightfully I would add) don’t want minors to watch adult content online, but that doesn’t mean those majority people are right to demand mandatory age verification, nor to outsource their parenting/supervision of minors to governments and corporations. Might doesn’t make right.

Zero Knowledge Proofs exist, which means this isn’t necessary.

Again, don’t send me that EFF article. It’s full of misinformation and “whataboutisms.”

(also: I thought there’s no shame in consuming pornography, what happened to that attitude?)

Thank you. So you have to admit that fear-mongering attitudes regarding this technology are not based on established fact?

Any proven alternatives?

Bonus points for cop-out excuses like: saying parents should educate their kids about it and/or surveil their kids online activities 24/7 or use built-in parental controls of their OS. (They don’t work. You have to be very naive or childless to think that these things work.)

Has been done for centuries and it just werks. Liquor stores, video stores, etc come to mind.

I support age verification offline and online. Just as I don’t want 12-year-olds to be able to buy whiskey and porn in stores, I don’t want them to be able to do so online either.

I also think that it’s futile to stop these laws, if the recent Supreme Court decision is any indication. Imo, the public would be better served if the community was to showcase a privacy-respecting implementation.

You mean consent? Doesn’t sound that bad to me.

Agreed. But here’s a counter-example:

Electronic voting would likely still be considered impossible if there hadn’t been legal pressure to implement it. The IT privacy crowd always said it was impossible to implement this is in a secure manner (I remember the endless discussions and IT conference talks in the 90s and early 2000s).

And last time I checked, these Dominion voting machines are perfectly, undoubtedly 100% secure, at least according to the lawsuits that many right-wingers have lost. (Am I being serious here? Maybe?)

So sometimes it has to work the other way around for serious efforts to be made.

Reading between the lines, I think the issue isn’t that there isn’t a privacy respecting way to do age verification. Rather, there is extreme doubt such a way would even become the implementation unless protected by law.

Of course no one can say this won’t be done as it hasn’t been done. But the massive amounts of corporate lobbying and the already side eye to privacy measures seen by the US government should at least make you think twice about the possible negative repercussions.

To be fair, software isn’t built to solve hypothetical laws and requirements, it’s mean to solve ones that will be in place. Perhaps research institutes may have looked into this, but the industry will absolutely never make effort to build things they don’t have to. And the US government is already slashed of a lot of funding, so fat chance of public R&D being spent on it prior to going into effect.

Of course there is no established fact. Do you expect people to have a crystal ball? Instead of accusing us of not presenting facts about what will happen in the future when we express genuine fears/concerns, you should present facts that prove those fears/concerns won’t eventuate. Do you have facts that age verification will be both effective and privacy respecting?

No I don’t mean consent. I mean, whenever someone visit a website they are forced to obtain third-party permission to visit it, and whenever someone hosts a website they will be forced to implement age verification. This mandatory permission-based system is anti-consent. But you have revealed that sounds not that bad to you.

Okay, now I do see why the reverse is happening. New laws can drive new technological solutions.

At the same time, it is very problematic that what politicians are deciding on is unspecified and has potentially serious consequences, and if it becomes law would be realistically impossible to claw back. Without a spec that specifies what technology is to be deployed, proof of concept, how it would be operated, impact assessment etc, decisions to support this law are uninformed.