Age verification laws sound simple on paper — until you look closely at how they work. Canada is now debating this through Bill S-209, which would require platforms to take reasonable steps to stop minors from accessing adult content online. Australia has also recently banned those under 16 from social media.

Kids are online more than ever, and not all content on the internet is meant for them. But age verification is messy, and it becomes even messier when you realize how easily this sensitive personal data can be leaked — so Canada needs to do it right, and protect young people without creating a surveillance-style internet.

In early October, Discord announced that ID photos from 70,000 users may have been exposed in an attempted extortion hack. The breach didn’t come from Discord itself, but from the third-party provider the company uses to review age verification requests.

Digital-rights reporters at 404 Media investigated the leak, saying that the hackers were posting Discord data, including selfies used for age verification, ID documents, phone numbers and email addresses, in a Telegram channel.

“Basically all of the sensitive information is now in the hands of these hackers and they’re threatening to release more. They’re trying to extort Discord,” said 404 Media reporter Joseph Cox in an explainer video. “It shows the risk that can happen of when somebody uploads their identity documents for age verification to an app like Discord or any of the other ones that people now have to do that for.” With the hackers publishing people’s private information online, privacy concerns about age-verification aren’t merely hypothetical.

Photo via Freepik But age verification methods, including uploading proof of age with identification are becoming more widespread. The United Kingdom has implemented laws like the Online Safety Act, where platforms like Discord must enforce age verification for users by July 2025 — or face fines. Acts like these come from valid societal concerns. According to CBC, violent extremist networks committing online criminal offenses have targeted youth in multiple countries, including Canada. But as age verification requirements roll out to combat this issue, privacy groups have become increasingly interested in what else is at stake.

Groups like Privacy International argue that if companies collect unnecessary identity information, they will have immense power. Privacy international warns that identity information such as passports, facial images or other biometric details can be misused, this increases the concerns. They point out that once companies gather sensitive data, the stakes rise dramatically.

CNIL, France’s privacy regulator, has also taken a strong position on the matter. CNIL warns against systems which create databases of identity documents, store browsing habits, or most importantly, use facial recognition to match selfies with ID cards. Instead, it recommends privacy-preserving age-verification methods — such as independent third-party checks or “double-anonymity” systems — that confirms a user is an adult without exposing personal data.

These approaches will reduce risks of data breaches, but at the same time be more technically complex and costly, which is why not all platforms choose to adopt them.

All this matters for Canada, because Bill S-209 doesn’t specify which age-verification method companies should use (section 7 mentions prescribed age-verification or age-estimation method, but does not specify). The bill sets a high-level requirement, like limiting data collection to what’s necessary, but it doesn’t dictate which specific type of technologies are allowed or discouraged. That freedom can be good, but it also leaves room for risky approaches. Without guidelines, I worry, platforms may choose the most affordable method available, not the safest one.

There are better, perhaps relatively safer ways to verify age and privacy-focused approaches that are already being explored. Some proposals use token-based or minimal data systems designed to avoid linking identity to viewing habits. Canada could choose the latest privacy-preserving standards, but Bill S-209 leaves those technical decisions open as of now. Without clear rules, platforms might adopt methods that collect more personal information than necessary.

Protecting youth online is important but so is protecting the privacy of everyone else. If age verification in Canada becomes tied to ID uploads or biometric databases, that’s a line we should not cross, unless we want to follow in Discord’s footsteps.