Age Verification Without Storing ID — A 2026 Compliance Guide

Age verification without storing ID is now possible. Meet 2026 US age-verification laws with a private over-21 proof — no ID honeypot, far less breach exposure.

Dlovan Sharif

The fastest way to fail a new age-verification law is to follow it the obvious way.

A statute lands in your state. It says you must confirm your customers are old enough to buy what you sell. So you bolt on an ID-upload flow: the customer photographs a driver's license, your vendor reads the birthdate, you keep the scan on file to prove you checked. You are now compliant. You are also sitting on a pile of government IDs that did not exist last quarter — a pile that is worth more to an attacker than anything else in your database. You solved a compliance problem by manufacturing a breach liability. This is the trap, and age verification without storing ID is the way out of it.

The good news for buyers is that the trap is avoidable, and the escape is no longer theoretical. You can prove a customer is over 21 without ever receiving — let alone retaining — their birthdate, name, address, or a photo of their license. The law gets satisfied. You hold nothing worth stealing.

The 2026 age-verification reality: who has to check now

There is no single federal online age-verification law. US regulation is a state-by-state patchwork stacked on top of a few narrow federal product rules, and the landscape moved fast after June 27, 2025, when the Supreme Court decided Free Speech Coalition v. Paxton 6-3, upholding Texas's adult-content age-verification statute under intermediate scrutiny. That ruling validated one category of state mandate. It did not bless every kind, and several remain contested — but it cleared the path for expansion.

Where things stand as of mid-2026, by category:

  • Adult content. Roughly half the states — about 24 to 26 — have enacted age-verification mandates, with nine taking effect during 2025 alone. Louisiana was first, effective January 1, 2023.
  • Online tobacco and vape. Nationwide and federal. The PACT Act, extended to e-cigarettes in 2021, requires age and identity verification before sale, with a federal minimum age of 21.
  • Online gambling and sports betting. State licensing requires identity and age checks, typically 21+.
  • Alcohol e-commerce. State delivery rules require ID and signature.
  • App stores and devices. Newer 2025 laws in Utah and Texas push age assurance to the operating system. California's device-level law follows on January 1, 2027.
  • Social media. Mostly enjoined on First Amendment grounds — Ohio's and Arkansas's laws were blocked, California's partially. Mississippi's was allowed to take effect in August 2025 pending litigation, though even the justice who let it stand called it "likely unconstitutional."

The practical takeaway for an operator: if you sell alcohol, vape, cannabis, gambling, or adult content, you are already obligated somewhere. The exact threshold and method vary by state, and the list grows. Tracking it is a real cost — but it is the smaller of the two costs in this article.

Why storing the ID is the wrong default

The bigger cost is what the obvious compliance method does to your risk profile.

Start with the breaches, because they are concrete. In October 2025, Discord disclosed that attackers had compromised a third-party support vendor and exposed government-ID images submitted for age-verification appeals — roughly 70,000 by Discord's own count, with some reporting claiming far more. In 2024, the identity-verification vendor AU10TIX left administrative credentials accessible for over a year, reportedly exposing access to user ID documents. In both cases the data that leaked was the data collected to comply. A scanned driver's license is not a record of a check. It is a honeypot.

Now layer on the law itself, which has started to punish the very retention the obvious method requires. Texas's HB 1181 carries penalties up to $10,000 per day for non-compliance — and a separate $10,000 per day for illegally retaining the identifying information used to verify age, plus up to $250,000 if a minor slips through. Read that twice. The statute fines you for not checking, and fines you again for keeping the proof that you checked. Louisiana's first-in-the-nation law added a private right of action: an individual can sue, with damages, court costs, and attorney fees. Utah's app-store law lets minors or parents sue for up to $1,000 per violation.

That is the bind buyers keep walking into: you feel pressure to keep records to prove compliance, while the newer statutes increasingly forbid keeping the records. The trend is real but not yet uniform — some statutes still permit retention "for legal compliance" — so the safest posture under every law is to hold as little as possible. Data-minimizing verification is the only thing that resolves the bind cleanly.

There is a third cost, quieter but real: conversion. Heavy ID-upload flows push legitimate customers away. As Florida's law took effect at the start of 2025, the state saw a reported 1,150% surge in VPN demand. Every percent of that is a paying adult routing around your storefront to a competitor — often an offshore one that ignores the law entirely. The friction punishes the businesses that comply.

What "age verification without storing ID" actually means

The phrase is precise, and worth unpacking, because the whole resolution lives in the distinction.

Most verification asks the wrong question. It asks "what is this person's birthdate?" — collects the full document, computes the answer, and is left holding the document. The right question is narrower: "is this person over 21?" The answer to that question is one bit. Yes or no. A single bit does not need a name attached, an address, a date of birth, or an image. And a single bit, sitting in your logs, is worthless to a thief.

Privacy-preserving age verification means your system receives only that bit, cryptographically signed by the issuer of the credential, and never receives the underlying document at all. You are not deleting the ID quickly. You never took custody of it. There is no honeypot because there is no pile.

This is the same protocol-not-platform logic that runs through everything we build — the idea that verification rigor can live with the user rather than with a gatekeeper. The customer's wallet does the proving. You do the reading.

How a private age proof works: a yes/no answer, not a document

The mechanism is a mobile driver's license — an mDL — built on the ISO/IEC 18013-5 standard, presented from the phone the customer already carries.

That standard supports selective disclosure. A verifier can request a single attribute — an "over 21" or "over 18" check — and receive back a cryptographically signed true or false. No name. No address. No date of birth. No photo of the license. The signature traces to the issuing state's public key, so you can confirm the answer is genuine without trusting the company that brokered the check, and without phoning home to anyone for an opinion.

Worth being precise here: this is selective disclosure of a signed attribute, not a zero-knowledge proof in the cryptographic sense. The technical difference is mostly academic for a buyer. What matters is the outcome — you get a signed pass/fail, and the document never enters your systems.
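To make the issuer/verifier split concrete, here is an added illustration that is not UIP's code and not the ISO/IEC 18013-5 wire format (real mDL responses are CBOR structures signed with COSE; the JSON encoding, Ed25519 keys and the `dmv-example` issuer name are assumptions). The issuer signs only the `age_over_21` boolean, the relying party checks it against a trust list of issuer public keys, and the only thing it keeps is pass/fail plus a hash of the proof it verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// AgeAttestation is a simplified stand-in for an ISO/IEC 18013-5 selective-disclosure response:
// one element, "age_over_21" (a real mDL element name), plus the issuer's signature over it.
// Real responses are CBOR structures signed with COSE; the JSON/Ed25519 encoding is assumed here.
type AgeAttestation struct {
	Issuer, Element string
	Value           bool
	Signature       []byte
}

// IssuerKeys is the relying party's trust list: issuer identifier -> that issuer's public key.
type IssuerKeys map[string]ed25519.PublicKey

// ComplianceRecord is all the relying party stores: the outcome and a hash of the signed proof.
// No name, birthdate, address or document image is ever present.
type ComplianceRecord struct{ Passed bool; ProofHash [32]byte }

func (a AgeAttestation) signedBytes() []byte {
	b, _ := json.Marshal([]any{a.Issuer, a.Element, a.Value})
	return b
}

// IssueAgeOver21 is the issuer/wallet side: it signs only the boolean, never a birthdate.
func IssueAgeOver21(issuer string, priv ed25519.PrivateKey, over21 bool) AgeAttestation {
	a := AgeAttestation{Issuer: issuer, Element: "age_over_21", Value: over21}
	a.Signature = ed25519.Sign(priv, a.signedBytes())
	return a
}

// VerifyAgeProof is the relying-party side: known issuer, expected element, valid signature;
// on success it keeps only pass/fail plus a hash of the proof it checked.
func VerifyAgeProof(trusted IssuerKeys, a AgeAttestation) (ComplianceRecord, error) {
	pub, ok := trusted[a.Issuer]
	if !ok {
		return ComplianceRecord{}, errors.New("untrusted issuer: " + a.Issuer)
	}
	if a.Element != "age_over_21" {
		return ComplianceRecord{}, errors.New("unexpected element: " + a.Element)
	}
	if !ed25519.Verify(pub, a.signedBytes(), a.Signature) {
		return ComplianceRecord{}, errors.New("signature does not verify")
	}
	return ComplianceRecord{Passed: a.Value, ProofHash: sha256.Sum256(append(a.signedBytes(), a.Signature...))}, nil
}
```

The element check matters as much as the signature check: a genuinely signed `age_over_18` response must not be accepted where the statute requires 21.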

In UIP terms this is the age-verify primitive. It returns a pass/fail age proof and never returns the date of birth or the document image. It is reusable, too: a customer proves once, and every platform reading the same signed attestation gets the same trustworthy answer. The price is $0.01 per call. Compare that to the per-day fines above and the math is not subtle.

The US mobile driver's license as the compliance shortcut

UIP today verifies one thing: the US mobile driver's license, presented from Apple Wallet and Google Wallet over the same browser-based presentation flow the wallets already support. That is the entire supported surface. No document upload, no KYC vendor in the loop, no manual review queue, no ID image in your storage. The customer taps to present; the wallet returns the signed fields you asked for and nothing else.

Two honest caveats, because overstating this helps no one. mDL issuance is still rolling out — coverage is uneven across states, and remote presentation is maturing. So an mDL age proof is the privacy-preserving direction, not yet a universal fallback for every customer. The practical posture for most operators is to offer the mDL path as the primary, low-friction, no-storage option and keep a secondary method for customers who don't yet carry one. As issuance spreads, the share of checks that touch no PII climbs.

If you want the longer treatment of why the mobile driver's license is becoming the verification substrate for regulated commerce, we wrote that up separately in the mobile driver's license for business.

Does age verification without storing ID actually satisfy the law?

This is the question every compliance lead asks, and the answer is the comfortable one.

The laws require that you verify age. They do not require that you keep a copy of someone's ID — and the regulatory trend runs hard the other way. The FTC and privacy advocates have warned repeatedly that aggregating sensitive PII increases breach and liability exposure, and guidance consistently recommends deleting underlying proof-of-age data once age is determined. A method that delivers a signed, issuer-backed confirmation that the customer is over the threshold is verification in exactly the sense the statutes demand. It simply skips the step where you become a custodian of documents you never wanted.

One nuance to respect: the no-retention trend is real and growing, but it is not yet uniform. Some statutes still permit retention "for legal compliance," which creates loopholes. The point is not that every law bans storage — it is that minimizing what you hold is the safest posture under every law, the cheapest under the ones that fine retention, and the only one that makes a breach a non-event. You cannot leak what you never collected.

Comparing your options

Three approaches are on the table. They are not equivalent.

ID scanning and storage. Collect the document, read the birthdate, keep the file. Works across all customers today. Also the maximum-liability path: it builds the honeypot, draws the retention penalties, and adds the most friction.

Age estimation. Infer age from a selfie or behavioral signals. Lower friction, no document — but it is probabilistic, not authoritative, and accuracy near the legal threshold is exactly where it is weakest. It estimates; it does not verify.

mDL age proof. A signed pass/fail from a government-issued credential. Authoritative, no PII collected, lowest friction for customers who carry an mDL. The constraint is coverage, which is improving.

For a regulated seller, the decision usually resolves to: lead with the mDL proof for its accuracy and zero-storage profile, and treat the others as fallbacks rather than the default.

Implementation checklist for compliance and ops

A short list to take into a vendor conversation:

  • Map your obligations by state and category — adult content, tobacco/vape, alcohol, gambling — and separate in-force laws from enjoined or pending ones.
  • Audit what you currently retain. Every stored ID image is standing breach and, in some states, retention-penalty exposure. The goal is to stop collecting, not to delete faster.
  • Make the no-storage path the default and confirm your method returns a signed pass/fail, not a document.
  • Keep a minimal compliance record — that a check occurred and passed — without keeping the underlying PII.
  • Pressure-test third-party risk. Both headline breaches above ran through a vendor. If your provider holds IDs, their breach is your lawsuit.

What to ask any age-verification vendor before you buy

Five questions separate the data-minimizing vendors from the honeypot-builders:

  1. Do you ever take custody of the customer's ID document or birthdate, even momentarily?
  2. What exactly do I store after a check — a signed yes/no, or PII?
  3. Can the proof be re-verified offline against the issuer's key, without trusting you?
  4. What is your per-check price, and how does it move as my volume grows?
  5. When a state changes its retention rules, what do I have to change? (With a no-storage method, the answer should be "nothing.")

UIP's answers, for the record: never; a signed pass/fail; yes; $0.01 a call; and nothing. The output is standards-based — you store the cryptographic proof, not the customer's PII — and the same model extends to court-admissible signatures under the ESIGN Act and UETA when you need them. Onboarding is self-serve: read the docs, ship the same day, no setup fee and no per-integration contract. Signing up comes with a $20 launch credit and no card required, so you can run real checks before you commit a dollar. That last part is the whole point of building this as a protocol rather than a platform.


The compliant move and the safe move are finally the same move. See exactly what a private age check costs on the pricing page, or read the docs and have a private age check running before the next statute lands.

Written by
Dlovan Sharif

Building UIP — an open protocol for verified digital identity. Find more notes at /blog.