The government of Spanish Prime Minister Pedro Sánchez intends to implement age verification to access adult content on the internet across the board to prevent minors from viewing age-restricted websites. Spain's data regulator Agencia Española de
Protección de Datos (AEPD) is developing a process to require web users to utilize a digital ID card.
The Royal Spanish Mint will be directed to develop the digital ID technology following recommendations from the AEPD. One format floated by the
agency is that a user will download an app on their mobile device, a QR code, or some other type of digital document verifying their age through a government ID, health or residence cards, a driver's license, or a passport. AEPD claims that this approach
minimizes risks of a data breach since third parties--such as a private sector age verification software vendor or a regulated platform--will not be able to access a user's sensitive personally identifiable information.
Unfortunately, there is no
guarantee of sensitive personally identifiable information being safe in the hands of a government agency or private company. Consider a case that occurred in Louisiana, which was the first U.S. state to require an ID to view adult content. Seeking to
comply with the law, the tube site Pornhub adopted an age verification solution that integrated with the state's digital identification app, LA Wallet.
Months after the deployment of LA Wallet by Pornhub, the company and the agency administering
the digital wallet program were victims of a data breach. A local news report indicates that over 6 million records from the Louisiana Office of Motor Vehicles were exposed by hackers in June 2023. Names, addresses, ID numbers, social security numbers,
height, weight and eye colors were exposed in a breach of a file transfer protocol.
Even with the best intention and risk mitigation, AEPD will not be able to completely prevent a breach of data. That is one major concern among critics of age