The U.S. House passed sweeping child protection legislation on June 29, but privacy advocates warn the bill’s age verification requirements could create a dangerous surveillance infrastructure rather than protect minors. Frederik Gregaard, CEO of the Cardano Foundation, argues that well-intentioned policies designed to keep children safe online may inadvertently expose millions of users to identity theft and data breaches.
The Kids Internet and Digital Safety Act, which passed 267-117, now faces scrutiny in the Senate where its own authors are pushing for even stricter provisions. The bill doesn’t explicitly mandate age verification, but it holds platforms liable for harm to minors, creating a powerful financial incentive for companies to implement identity checks. This indirect mechanism, Gregaard contends, will inevitably lead to the collection and storage of sensitive personal data.
Recent breaches demonstrate the real-world risks of centralized identity databases. In 2024, identity verification provider AU10TIX, which served companies like TikTok and Uber, exposed drivers’ licenses to hackers for over a year. The following year, Discord’s age-verification system provider suffered a breach affecting approximately 70,000 users’ government IDs. These incidents underscore how safety systems can quickly become liability vectors when they depend on third-party vendors storing sensitive data.
The pattern reflects broader concerns about regulatory approaches to online safety. This follows a pattern seen in related regulatory moves like the Philippines’ stricter crypto listing rules and privacy coin bans, where well-intentioned restrictions sometimes create unintended consequences. Gregaard warns that artificial intelligence is accelerating these risks, making hacks faster and more damaging.
See also: Philippines Issues Stricter Crypto Listing Rules, Bans Privacy Coins
The liability structure embedded in the KIDS Act creates what Gregaard calls a “simple risk calculus” for platforms. Companies face two options: verify age and collect identity data, or accept legal exposure from not knowing whether users are minors. Either way, the incentive structure pushes toward verification. The distinction between explicit mandates and liability-driven incentives matters legally but produces identical practical outcomes.
Once age verification becomes standard practice, the scope of data collection tends to expand beyond its original purpose. A tool designed solely to confirm someone is old enough often becomes a comprehensive identity verification system. Databases built to limit liability transform into repositories of personal information, creating new vulnerabilities. Gregaard emphasizes that these distinctions, however small, carry significant privacy implications.
Privacy-preserving alternatives already exist. In Utah, which passed State-Endorsed Digital Identity legislation, the Cardano Foundation-built Veridian platform demonstrates how age verification can work without exposing unnecessary personal data. The system allows users to prove they are above or below a specific age threshold without disclosing any other information. This model shows that trust and verification need not require comprehensive data disclosure.
Gregaard argues that lawmakers should adopt a data minimization standard when crafting child protection policies. If the goal is genuinely protecting minors, the tools should be narrow, purposeful, and minimally invasive. Broad mandates that push every platform toward greater data collection and retention risk creating problems alongside the ones they claim to solve.
The Senate Commerce Committee is expected to markup the legislation this month, with KOSA authors Richard Blumenthal and Democrat and Marsha Blackburn pushing a tougher version that ties child safety to federal preemption of state AI laws. Whatever emerges will shape how digital identity functions online for years to come.
Gregaard’s core argument is straightforward: safety and surveillance are not synonymous. According to Cointelegraph, privacy-focused technology advocates increasingly emphasize this distinction in policy debates. Building for data minimization, limiting retention periods, and using privacy-preserving verification where truly necessary represents a more responsible approach than creating comprehensive identity checkpoints across the internet.
The challenge for policymakers is threading a needle between two competing imperatives. Children do deserve protection from harmful online content and predatory behavior. But that protection need not come at the cost of turning the entire internet into an identity verification system. The right standard, Gregaard concludes, protects minors while limiting data collection and preserving privacy. Safety and surveillance are not prerequisites for each other.
More Reads:
South Korea Sets 2027 Pilot for Tokenized Government Bonds on Wholesale CBDC
US Government Moves $288M in Seized Crypto to Coinbase Prime Custody
If you’re reading this, you’re already ahead. Stay there, by joining the…
Dipprofit’s private Telegram community
Discover more from Dipprofit
Subscribe to get the latest posts sent to your email.






