Showing your ID to get online might become a reality – a closer look at the EU’s new age verification app

“EU mini wallet” app planned to check the ages of people trying to access certain platforms and services

On 3 April 2025, EU officials unveiled the latest plans for what they’re calling the “EU mini wallet”. According to the European Commission, this will be a “white label” (multi-purpose, reusable) app, initially available in 3 EU Member States as soon as this summer.

Once fully rolled out, the app can be used by governments and companies across the EU to check the ages of people trying to access certain platforms and services. Whilst the Commission believe that this will make everyone safer, we argue that it’s not only unrealistic – but also unhelpful – to try to childproof the internet.

Age verification is *still* not a silver bullet – and creates a huge risk of scope creep

The EDRi network has repeatedly warned about the risks of age verification. We’ve seen lawmakers talking about age verification as if it’s a silver bullet to all issues of young people’s safety online, whilst broader issues of platform and service design, youth empowerment and holistic societal solutions are sidelined.

The reality is that these tools systematically leak data in ways that threaten the privacy and data protection rights of children and adults alike – whether they use government-issued identity cards, AI analysis to predict a person’s age or other methods. They create ways for people’s digital footprint to be constantly tracked, can have a chilling effect on everyone’s ability to access legitimate content, and frequently perpetuate discrimination and exclusion. Although this step from the European Commission is purportedly to age gate access to porn platforms, the plans that have been laid out show a clear intention to control access to a much wider range of platforms and services.

The new mini wallet: more problems than solutions?

At a public event earlier this year, a lead official for the ‘mini wallet’ (age verification app) project stated that because the wallet is only a temporary solution, it does not need to have such high levels of privacy and security. This is an absurd presumption.

Since the mini wallet relies on digital identities to verify people’s ages, based on government-issued IDs, the highest security and privacy standards should apply. Digital identities, and the European digital identity (EUDI) wallet that will be rolled out in 2026, are governed by a related law, the eIDAS 2 Regulation. Crucial technical details relevant to the implementation of eIDAS 2 and the EUDI wallet are currently being negotiated, but currently lack essential protections against online surveillance for anyone that uses the wallet.

Despite these ongoing technical negotiations, and the fact that the EUDI wallet is set to be rolled out already next year, the Commission charges ahead with its plans to make digital identity-based age verification available already this summer.

Now that more details about the app are available, here’s our first take on what to expect:

• The app’s specifications name important principles to protect users’ privacy and anonymity, including data minimisation, unlinkability, and measures to secure user data and prevent the unauthorised interception of personal data. However, many of these measures to protect users’ privacy are not necessary requirements, but optional.
• The Commission puts a lot of faith in ‘Zero Knowledge Proofs’ (ZKPs) to resolve privacy concerns. ZKPs provide a cryptographic way to prove that a given statement is true without sharing any additional information. Although ZKPs are in theory a better way to protect users’ privacy than many other approaches, it is also a brand-new system. Testing the roll out of ZKPs, at scale, with data as sensitive as government-issued IDs, is risky at best.
• Many people will be excluded from this form of age verification. The app as described in the available specifications will require people to have access to modern smart phones and government issued IDs – two requirements that will shut a lot of people out, risking to cut off access to information and services for potentially millions of Europeans. As always with these flawed digitalisation efforts, we know that people who already face high levels of structural discrimination and digital exclusion will be disproportionately harmed as a result.

Lawmakers and regulators must take a holistic human rights lens to children’s digital rights in upcoming guidelines

In the coming weeks, the European Commission will publish guidelines on Article 28 of the Digital Services Act (DSA). These guidelines are expected to clarify what big platforms need to do to make their tools safe for young people online – or face big legal penalties.

We hope that these guidelines will take a nuanced approach, recognising that age verification doesn’t just mitigate risks – it actually creates many new ones.

We also urge lawmakers and regulators to remember that the internet has a lot of benefits for young people and adults alike – and so any measures which aim to keep children safe must not cause collateral damage. Any new measures must make sure that parental supervision doesn’t lead to parents snooping on their children, ensure that young people aren’t prevented from accessing informative content, and that all people who rely on online anonymity – for example to organise / protest, to blow the whistle, to seek healthcare, and any other legitimate reason – are not prevented from exercising their rights.

Contribution by: Ella Jakubowska (She/Her), Head of Policy, EDRi & Svea Windwehr, EDRi member, Electronic Frontier Foundation (EFF)