The question of whether age assurance systems should prioritise privacy by design is not merely a technical one; it strikes at the heart of how democratic societies balance competing public goods. On balance, the answer should be yes. The issue is not whether the proposal sounds attractive in principle, but whether it improves public reasoning, accountability, and fair institutional design. This essay argues that privacy-first age assurance, though imperfect, offers a more defensible framework than alternatives that treat data collection as a negligible cost.

First, age checks may be justified in some settings, but data collection should be minimised. This matters because public systems lose legitimacy when power operates without sufficient transparency or scrutiny. A serious argument therefore begins with the conditions of trust, not only with convenience. When a platform demands a driver’s licence or a facial scan to verify a user’s age, it creates a repository of sensitive information that could be misused, leaked, or repurposed. The harm is not hypothetical: data breaches have exposed millions of records, and surveillance creep is a documented phenomenon. Privacy-first design, by contrast, limits what is collected to the minimum necessary—perhaps a cryptographic token that confirms age without revealing identity. Such an approach respects the principle of data minimisation, which is foundational to modern privacy law. It also reduces the incentive for platforms to monetise or exploit verification data, since there is less data to exploit. Critics may argue that minimal data collection makes verification less accurate, but this objection conflates precision with legitimacy. A system that collects less data but preserves trust may be more effective in the long run than one that collects everything but erodes confidence.

Second, privacy-first design reduces the risk created by verification itself. The reasoning here concerns structure as much as outcome: incentives, information flows, and institutional habits all shape what follows. That makes the issue larger than one isolated case. When verification systems are designed without privacy safeguards, they create a perverse incentive for platforms to gather ever more data, ostensibly to improve accuracy but often to fuel advertising or profiling. This dynamic is well documented in the context of social media, where age verification has been used as a pretext for expanding data collection. Privacy-first design breaks this cycle by embedding constraints at the architectural level. For example, a system that uses zero-knowledge proofs allows a platform to confirm that a user is over 18 without learning their exact birth date or identity. Such a system is not only more private but also more secure, because there is less data to steal. The objection that privacy-preserving methods are computationally expensive or slower is valid, but the cost is a worthwhile investment in long-term trust. Moreover, as technology improves, these costs are likely to decrease. The deeper point is that design choices encode values; a system that prioritises privacy signals that individual autonomy matters, whereas one that does not signals that convenience or profit trumps rights.

When a platform demands a driver’s licence or a facial scan to verify a user’s age, it creates a repository of sensitive information that could be misused, leaked, or repurposed.

Third, good regulation should solve one harm without creating another. This point is persuasive because it connects principle with implementation rather than pretending the two can be separated. Public policy improves when strong values are translated into workable expectations. Consider the alternative: a system that requires extensive identity verification might effectively block minors from harmful content, but it also creates a centralised database that could be used for mass surveillance or identity theft. The harm of surveillance may outweigh the benefit of age assurance, especially if the content being blocked is not genuinely harmful. Privacy-first design avoids this trade-off by achieving the same goal with less risk. For instance, a device-based age signal—such as a phone’s operating system confirming the user’s age without revealing it to the app—can satisfy regulatory requirements without creating new vulnerabilities. This approach also respects the principle of proportionality, which holds that the means should be proportionate to the ends. If the goal is to protect children, then collecting adults’ personal data is an overreach. Privacy-first design thus aligns with both ethical and legal norms, such as those in the Australian Privacy Act and the European General Data Protection Regulation.

A substantial counterargument is that privacy-preserving systems may be less effective or harder to enforce. This objection has force. Incomplete solutions are not necessarily bad solutions; the better question is whether the proposal improves the baseline of accountability and informed judgment. A privacy-first system might allow some minors to slip through, but a system that collects vast amounts of data might also fail if the data is stolen or misused. The choice is not between perfect and imperfect, but between different kinds of imperfection. A system that respects privacy is more likely to be accepted by users, which in turn increases compliance. Moreover, enforcement can be strengthened through independent audits and transparency reports, rather than through data hoarding. The counterargument also assumes that effectiveness is the only value, but democratic societies value liberty and privacy as well. A system that sacrifices privacy for marginal gains in effectiveness may not be worth the cost.

For these reasons, the affirmative position remains stronger. The issue ultimately turns on how a democratic society protects trust, responsibility, and informed choice. Privacy-first age assurance is not a panacea, but it offers a principled framework that balances competing interests. It acknowledges that verification is sometimes necessary, but insists that it be done in a way that minimises harm. This approach is consistent with the broader trend toward privacy-enhancing technologies and with the growing recognition that data is not a neutral resource but a source of power. By prioritising privacy by design, we can build age assurance systems that are both effective and respectful of individual rights. The alternative—collecting ever more data in the name of safety—risks creating a surveillance infrastructure that undermines the very freedoms it purports to protect. In the end, the choice is not just about technology; it is about the kind of society we want to live in.