Age verification should be one of the simplest use cases for privacy-enhancing digital credentials.
If the question is “are you over 18?”, the answer should not require a person to disclose their full identity.
That is the promise of selective disclosure. A person should be able to prove only what is necessary for a specific transaction, without oversharing personal information. In the case of age verification, that could mean proving eligibility — yes, this person is over 18 — without revealing their full name, date of birth, address, document number or photo.
This is why recent regulatory developments are worth examining together.
Under the new AML/CFT Identity Verification Code of Practice 2026, an accredited Digital Identity Services Trust Framework credential can be used to verify a person’s full name and date of birth for bank onboarding. Importantly, this does not necessarily require the credential to carry or display a photo. Binding assurance can happen behind the scenes, while personal information remains minimised.
At the same time, alcohol-related age verification reforms are opening the door for digital credentials in lower-assurance settings. But if the practical design response becomes a digital “18+ photo ID”, we risk recreating the oversharing habits of physical identity documents in digital form.
That would invert the principle of data minimisation.
Opening a bank account is a higher-assurance process than proving age at a point of sale. If digital credentials can support bank onboarding without displaying a photo, then an age check should not default to requiring more personal information than necessary.
This is not just a technical design issue. It is a trust issue.
People are more likely to adopt digital identity tools when they can see that those tools protect their privacy and give them agency. If digital credentials simply make it easier to request, collect and display more personal information, public confidence will be weakened.
The better model is privacy by design. Selective disclosure should make “over 18? yes/no” one of the easiest things to prove with the least data. The technology exists to support that. The question is whether policy, implementation and market practice will make use of it.
For Aotearoa, this is an opportunity. As accredited digital credentials become recognised across more use cases, we can design verification pathways that are safer, more efficient and more respectful of personal information.
That requires early consultation with the digital identity community, privacy experts, Māori data sovereignty leaders, regulators, businesses and people who will actually use these systems.
The channel has modernised. Now the design defaults need to catch up.