Age Verification Is Going Federal, but Nobody's Said What Happens to Your ID

A new Senate bill would require certain websites hosting explicit sexual content to verify every visitor's age before granting access.

Sen. Jim Banks (R-Ind.) introduced the Safety and Age Filtering Enforcement (SAFE) for Kids Act on June 10, 2026, targeting commercial sites where more than one-third of content meets the bill's definition of "sexual material harmful to minors."^[1] Banks' office has described the bill's targets as "commercial pornography websites" in its press release.^[2]

This new age verification bill has real momentum, as more than 25 states already require adult sites to verify visitors' ages.

What the bill doesn't address is what happens to your identity documents after a commercial pornography website — or the third-party verification vendor it hired — finishes checking them.

Here’s what the bill would actually require, why identity verification vendors are proving they can't reliably protect your data, and what you can do now.

What the SAFE for Kids Act would require

The bill targets commercial websites where more than one-third of content qualifies as "sexual material harmful to minors," the operative term used throughout the bill's text. Under the SAFE for Kids Act, covered sites would need to verify every visitor's age before allowing access. The bill's listed acceptable methods include government-issued identification, methods relying on public or private transactional data, or any other method that reliably and accurately indicates whether a user is a minor.

In practice, that means a site could ask you to upload a photo of your driver's license or passport, confirm your age via a credit card check, or route your identity through a third-party verification company. The site chooses the method. You comply, or you don't get access.

The Federal Trade Commission would have civil enforcement authority under the bill. The Department of Justice could investigate platforms that knowingly violate the law. Parents and legal guardians would have the right to bring civil lawsuits directly against covered sites.

The bill builds on real precedent. More than 25 states already enforce their own age verification requirements for adult content websites. According to tracking from All About Cookies, states with active laws include Texas, Louisiana, Florida, Georgia, and 21 others. The SAFE for Kids Act would nationalize that patchwork into a single federal standard.

The privacy gap supporters aren't talking about

The SAFE for Kids Act requires verification but doesn't require the deletion of collected data. It also fails to set data breach notification standards and doesn't prohibit the sites or the vendors they hire from sharing or selling your verified identity information to third parties.

That privacy gap matters because age verification collects several pieces of identifying information. Depending on the method, a covered site could end up holding your name, birth date, home address, nationality, and a photo of your driver's license or passport, along with biometric data if facial scanning is used. 

According to an All About Cookies survey of 1,000 U.S. adults conducted in February 2026, 79% say their top concern about age verification laws is privacy and data security. Another 66% worry specifically about identity theft tied to verification requirements. 

The last two years have produced a pattern of incidents demonstrating exactly why those concerns are warranted. Age verification creates centralized collections of sensitive identity documents, and those collections keep getting compromised.

In October 2025, a third-party service provider formerly used by Discord to review identity documents suffered a data breach, which policy analysts at the Abundance Institute have called the first known identity document exposure directly tied to a government-mandated age-verification law. Discord's age verification system was required under the United Kingdom's Online Safety Act, and users who appealed an incorrect age estimate had to submit a government ID through a separate review service. An unauthorized party compromised that service. According to Discord's own disclosure and reporting by The Verge, approximately 70,000 users had government ID photos exposed. Hackers demanded several million dollars in ransom for the stolen data.

The identity verification industry more broadly has the same problem. The same pattern played out in 2024, when AU10TIX — an identity verification vendor whose clients included TikTok, X, Uber, LinkedIn, and PayPal — disclosed that employee credentials had been stolen in 2022 and circulated on Telegram for over a year before the company discovered the breach, leaving passport and driver's license images from users across all those platforms exposed.

Another exposure was first discovered in November 2025 and later reported by Cybernews in February 2026. Cybernews reporters discovered an unprotected MongoDB database traced to IDMerit, a California-based identity verification provider serving financial services and fintech platforms. According to Cybernews, the exposed data included full names, home addresses, national ID numbers, dates of birth, phone numbers, and email addresses belonging to people across 26 countries, with more than 203 million U.S. records among them. IDMerit disputed the findings, stating it "identified no exposure, vulnerability, or unauthorized access" within its systems.

As the Electronic Frontier Foundation has noted in its analysis of the AU10TIX breach, the structural risk is the same in every case: a single compromised vendor exposes users across every platform the vendor serves.

The SAFE for Kids Act could create more situations like these. More sites required to verify age means more vendors collecting identity documents, more centralized databases to target, and more users whose sensitive information sits somewhere they don't control.

How to protect your privacy if this becomes law

The SAFE for Kids Act is still a bill, not a law. But the state-level version already applies to millions of Americans, and the same protections apply under either framework.

1. Use a VPN before you comply with a location-based check. Most current age verification laws work by detecting your location. A VPN routes your traffic through a server in a state or country without those requirements, so the site sees that location instead of yours. However, not all platforms can be bypassed this way. Discord, for example, moved to account-level verification in early 2026, which applies regardless of location. But for most location-based laws, a VPN is the most effective way to bypass age verification systems.
2. Choose the lowest-risk verification method available. When a site offers options, a credit card check exposes less than an ID upload. Financial verification confirms you're an adult; it doesn't hand over a photo of your face and the physical address on your license. If you have to verify, use the method that collects the least amount of personal data.
3. Know what a third-party vendor means. When a site routes you through a separate verification screen — a branded age-check page that isn't the site itself — your data goes to that vendor, not directly to the site. One example is AgeGO. Look up the vendor before you submit anything.
4. Monitor your identity if you've already verified. If you've submitted ID to any site using age verification, treat that data as potentially exposed. The pattern of vendor incidents over the last two years shows that your data isn’t guaranteed safe. Identity theft protection services monitor for your personal information appearing in data broker databases and dark web markets.

Bottom line

Senator Banks introduced the SAFE for Kids Act on June 10, 2026, and it has real tailwind, with Supreme Court backing, 25+ state precedents, and broad concern about minors accessing sexually explicit content online.

What the bill lacks is any meaningful protection for the adults who would be required to hand over their IDs to comply. The bill doesn’t specify deletion requirements, data breach notifications, or the prohibition of selling your verified data. Until Congress closes that gap, anyone subject to federal or state age verification laws should minimize what they submit and, where legal, use a VPN to avoid handing over sensitive information in the first place. Learn more about how to bypass age verification with a VPN.