Identity verification is becoming infrastructure
A year ago, age verification still looked like a policy fight.
Today, it looks like infrastructure.
Courts are clarifying what governments can require. Regulators are beginning to enforce. Platforms are being pushed to prove age, identity, and eligibility without turning every login into a document collection event.
That shift matters for CAIRL because it confirms the problem we have been building around: the internet needs proof, but users need control.
The first wave of verification put the cost on the user
The first wave of verification was built around the platform. A site needed proof, so the user handed over documents, selfies, dates of birth, addresses, or other sensitive data. The platform, or a vendor behind it, processed the check and stored enough information to satisfy a policy, reduce fraud, or pass an audit.
That model may solve a compliance problem, but it creates a trust problem.
The platform gets the answer. The user carries the risk.
The legal floor is moving
In June 2025, the U.S. Supreme Court upheld Texas's age-verification law for commercial websites publishing sexual content harmful to minors in Free Speech Coalition v. Paxton, applying intermediate scrutiny rather than the stricter test challengers had asked for. The decision is narrow on its face — it covers adult-content sites, not social media — but it signals that verification is no longer a fringe policy proposal. In some categories, it is becoming an operating requirement.
Across the Atlantic, the U.K. Online Safety Act moved from rule-making toward enforcement. By February and March 2026, Ofcom had issued penalties against adult services for failing to implement highly effective age assurance — including £800,000 against Kick Online Entertainment SA and £1.35 million against 8579 LLC — while reporting broader movement across the top dedicated pornography services and pushing platforms children use most to enforce minimum-age rules.
Australia banned under-16s from holding social media accounts in December 2025. By March 2026, the eSafety Commissioner was actively investigating Facebook, Instagram, Snapchat, TikTok, and YouTube for potential non-compliance. First decisions about possible enforcement action are expected by mid-2026, with possible court-ordered civil penalties up to 49.5 million Australian dollars.
The European Union is approaching the December 2026 deadline for member states to make EU Digital Identity Wallets available. The EUDI Wallet is built around user control and selective disclosure — the architectural pattern that lets a person prove an attribute without handing over the full record behind it. For regulated private-sector relying parties, acceptance obligations begin landing in 2027, with the AMLR and eIDAS timelines converging around customer due diligence and wallet-based identification.
Enforcement is no longer theoretical. Regulators are naming platforms, opening investigations, and issuing fines. That changes the buyer conversation from "should we verify?" to "how do we verify without creating a privacy liability?"
The breach math caught up
The problem is not that verification exists. The problem is that too much verification still depends on copying sensitive documents into too many systems.
In November 2025, a reported exposure at an identity-verification vendor was said to involve roughly one billion records — names, addresses, national ID documents, phone numbers across 26 countries. The vendor disputed key elements of the reporting, but the structural risk does not depend on which side is right about the specifics. Under GDPR, controllers share liability with processors. The institutions whose customers appear in such databases can carry regulatory exposure for a vendor decision they did not make.
The vendor model that returns raw PII to every integrating platform — and stores everything centrally to do so — accumulates a blast radius that grows with every integration. When something goes wrong, the radius distributes the liability across the customer base.
We built CAIRL on the opposite assumption. Integrating platforms receive verified claims, not raw documents. CAIRL holds the personal data; the integrating platform holds the answer. A reported exposure at the integrating-platform level cannot leak documents the platform did not receive. An exposure at the CAIRL level would be concentrated in one accountable identity layer, not distributed across every relying service that has ever connected.
That does not make CAIRL's responsibility smaller. It makes it larger. The trade is intentional: fewer platforms handling sensitive files, with one identity layer designed around encryption, retention limits, auditability, and minimal disclosure from the start.
The same architectural decision that makes us harder to monetize as a data network is the decision that makes the integrating platform less exposed when something goes wrong somewhere in the chain.
The standards layer moved
The standards layer is moving in the same direction. The EU's age-verification blueprint is designed to let users prove they are above a threshold without sharing unnecessary personal information, and it is intended to interoperate with future EU Digital Identity Wallets. That is the important signal: proof is becoming portable, selective, and protocol-driven.
In May 2025, the World Wide Web Consortium published the Verifiable Credentials Data Model 2.0 as a Recommendation — directly supporting cryptographically secure, privacy-respecting, machine-verifiable credentials. Selective disclosure cryptography — SD-JWT and BBS+ schemes that let a holder reveal one claim from a credential without revealing the rest — has moved from research papers into production-ready libraries.
The standard is moving toward the architecture CAIRL has been building around.
The law may create the first demand spike. The durable product is not compliance. It is reusable proof without reusable exposure.
The proof layer should ask for less
CAIRL is not trying to make identity verification louder.
We are trying to make it safer, reusable, and less invasive.
A user should not have to scatter a passport, driver's license, selfie, or birthdate across every platform that asks for proof. A business should not have to become a document vault just to know whether someone meets a requirement.
Each integrating platform should receive only the minimum answer required for its use case. Is this person over 18? Has this document been verified recently? Does this person match the identity claim? Is this proof still fresh?
Those are answers. They are not permission slips to collect, copy, and retain someone's full identity.
CAIRL is not trying to make the internet know more about people. We are trying to make it ask for less.
What this meant for our build choices
We did not predict the timing of these shifts. We chose a direction and built for it. That direction shaped specific decisions on the CAIRL roadmap that have already shipped or are shipping now:
- Pairwise identifiers on every integrating-platform connection. The same person verified on two relying services produces two different identifiers. The construction is designed to prevent cross-platform correlation through CAIRL. We covered this in the previous post — the architectural cost is that we cannot offer a cross-platform fraud signal. The architectural payoff is that no integrating platform implicitly joins a data network it did not consent to.
- A canonical claim registry with pricing tied to claim class. We priced verification by the claim issued, not the seat or the document. The unit of value is the answer crossing the boundary, not the file behind it. We believe this is the pricing model that aligns commercial incentive with the verified-claims architecture.
- Four certification levels that map to regulator-recognizable methodology. Stored, Verified, Certified, and Authenticated each has a defined verification pipeline that can be presented to a regulator independently of any specific certification status. This produces a defensible audit record without overstating compliance posture.
- Claims-first integration, not document forwarding. The claims API is designed to return verified answers rather than document images or extracted identity fields. The product boundary is the claim, not the file.
None of these decisions was a response to the regulatory shift of the last twelve months. We believe each is the right shape for that shift.
Why it matters
What changed: In the last twelve months, age and identity verification moved from policy debate toward operating requirement. The Supreme Court upheld a narrow age-verification law for adult-content sites, Ofcom began issuing penalties, Australia began enforcing social-media age restrictions, the EU moved toward wallet-based identity, and the W3C published Verifiable Credentials 2.0 as a Recommendation.
Why it matters: The verified-claims model is no longer just a privacy preference. It is becoming the architecture that law, standards, and breach risk are pushing the market toward.
What integrating platforms should ask: Does our verification vendor return raw PII or a claim? Does its identifier model create cross-platform correlation? Can its verification methodology be explained to a regulator without relying on vague trust language?
Where CAIRL fits: CAIRL is building for reusable proof, minimal disclosure, pairwise identifiers, and claim-level verification. The goal is not to make the internet know more about people. The goal is to let platforms ask for less.
Where this is going
That is the wedge.
Age verification may be the first forcing function. It will not be the last.
The long-term opportunity is a user-controlled proof layer for the internet: one place to verify, one place to manage consent, and one way for businesses to receive the answer they need without collecting more than they should.
That is what we are building.
— Dennis Huggins, Founder and CEO