Every law that requires documents to browse the web builds the infrastructure that tomorrow’s regimes will use
In the US federal Congress, the KIDS Act passed the House of Representatives with 267 votes in favour and 117 against on 30 June 2026, and is now awaiting Senate consideration, where its prospects remain uncertain. The bill – which, according to EFF’s analysis, will in practice push online services to verify the age of all users across much of the web – comes with an explicit paradox: the text includes a clause stating it does not mandate age verification, yet the “should have known” liability structure will lead most platforms to verify every user’s identity rather than bear the legal risk. Over the same period, California stepped back from an expansion of its own age-gating law (the Digital Age Assurance Act, AB 1043), after civil-society pressure and constitutional objections made the trajectory politically costly. The two movements – one advancing, one retreating – offer a direct comparison between the legislative logic that produces these laws and the resistance that slows them down.
The question no supporter of these measures can answer satisfactorily is this: who keeps the register? Every mandatory age-verification system requires a technical infrastructure that collects, cross-references and stores users’ identifying data. That infrastructure, once built, exists independently of its stated purpose. The intentions of Californian legislators or of the US Congress may be genuine; the architecture they produce remains available for future uses that today’s legislators can neither authorise nor prohibit in advance, because they will not control tomorrow’s institutions.
The Electronic Frontier Foundation has documented the mechanism precisely: mandatory age-gating laws turn every website into an identity checkpoint, and the data collected by verification systems – run by private third parties or public bodies – become targets for data breaches, government access requests and commercial aggregation. The EFF explicitly urged the Senate to reject the KIDS Act (EFFector 38.13), noting that the bill’s structure would produce exactly this kind of national-scale identity-control infrastructure, because platforms will be pushed to verify all users in order to reduce legal liability risk. California’s partial retreat shows that this pressure can produce course corrections, though the pre-existing regulatory framework in California (AB 1043) remains intact.
The financial parallel clarifies the architectural logic. Banking KYC was introduced to combat money laundering: an objective presented as urgent, narrow and proportionate. What it produced is a pervasive financial surveillance network that records every transaction, identifies every user, and gives states permanent access to the population’s economic behaviour. The European expansion through DAC8 extended this framework to digital assets: the directive – in force since 1 January 2026 – imposes due-diligence and user-identity data-collection obligations (de facto KYC) on crypto-asset operators for the purpose of automatic reporting to tax authorities. Same logic, same mechanism, new targets. Digital-identity KYC is the version applied to access to information.
Those who defend these laws invariably respond with the same objection: “children must be protected,” or “tax evasion must be fought.” Child protection is a legitimate policy objective; mandatory identity verification at national scale is a disproportionate instrument that pursues that objective while generating permanent externalities. Online child protection is achievable through alternative tools – parental controls, civil liability for platform operators, digital literacy education – that do not require building a digital passport for every adult user.
The same protective rhetoric regularly accompanies surveillance expansions in the financial and communications domains. Chat Control, the European proposal enabling the scanning of private messages, was defended with identical arguments – protecting children from abuse – as Atlas21 reported while following the reinstatement process initiated by the EU Council and concluded with the regulation being brought back into force until 2028: the European Parliament, despite 314 votes against versus 276 in favour, did not reach the absolute majority required (361 votes) to block it, triggering the automatic reinstatement of the measure.
California’s move toward partial withdrawal demonstrates an important point: civil and legal resistance works. First Amendment objections raised by organisations such as the EFF made it politically costly to proceed with the expansion. The same pattern has blocked or slowed analogous laws in several US states, where courts have found that age-verification requirements impose disproportionate burdens on adults’ freedom of expression – as in the case of Texas’s law on pornographic platforms, initially blocked as unconstitutional under the First Amendment, and in those of several other states whose laws were vetoed or challenged on similar grounds. The right to read without identifying oneself is an extension of freedom of expression – a principle that US courts have historically protected with considerably more vigour than European institutions do, let alone when CBDCs enter the picture.
The federal KIDS Act, now before the Senate after clearing the House, attempts to standardise at national scale what individual states have struggled to impose without incurring judicial censure. The ambition is proportional to the problem it creates: a federal law produces a federal infrastructure, with compliance obligations falling on every American web operator and a verification system that, at best, is managed by private actors with no public accountability, and at worst is directly accessible to the state. The market response to stringent identity regulation tends to be disintermediation, distributed asymmetrically: it advantages those who already have the resources and technical skills, and leaves everyone else inside the control system.
The question that remains open, and that no bill answers, is simple: when a universal digital identification infrastructure is built to protect today’s children, who decides for what purposes it may be used on tomorrow’s citizens?





