A global identity standards body has opened a public review of a proposal aimed at limiting how much personal data is shared online, as governments move to enforce stricter age-verification requirements. The system is designed to address privacy and security concerns that current age-verification systems collect too much personal data.
The OpenID Foundation on March 16 launched a 45-day comment period on a draft specification. The review period runs through April 30, with a formal vote scheduled for May 1–15. The proposal (OpenID Connect Advanced Syntax for Claims (ASC) 1.0) would allow systems to verify attributes such as whether a user is over 18 without transmitting underlying data such as a birthdate.
The efforts come as governments are moving to require stricter age checks online, driven by concerns over minors’ access to addictive or harmful content on social media and mobile apps. In the U.S., proposals such as the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act would expand protections for minors, while similar laws in the U.K. and Australia already mandate age verification. Critics warn these measures could force companies to build large stores of sensitive personal data, creating new privacy and security risks.
A Shift in How Data is Shared
Under most current login systems, users who sign in through a third-party provider – such as a major technology platform – often share more information than necessary. A website requesting confirmation of age may receive a full birthdate, along with other profile data.
The ASC draft seeks to change that model.
One mechanism would allow identity providers to send only the answer to a request. For example, the system would confirm a user is over 18 without disclosing the underlying data. A second mechanism would halt a transaction entirely if it cannot be completed in a privacy-preserving way, rather than defaulting to broader data sharing.
The OpenID Foundation said the goal is to enable “more granular data minimisation,” reducing unnecessary data exposure during authentication.
Regulatory Pressure Builds
The proposal arrives as governments worldwide accelerate efforts to enforce age checks online.
Australia has moved to restrict social media access for users under 16. The United Kingdom’s Online Safety Act requires platforms to verify user ages. Several U.S. states are advancing similar laws.
These measures often lead companies to collect and store large volumes of personal data to verify identity — creating new security risks.
At the same time, Europe is building a continent-wide digital identity system under eIDAS 2.0. The initiative will require EU member states to offer digital identity wallets by 2026, enabling users to prove attributes such as age without revealing full personal details.
The ASC proposal is designed to complement such efforts by adapting existing login systems to support more limited data sharing.
Competing Approaches Emerge
The draft enters a crowded and evolving standards landscape.
The Internet Engineering Task Force in 2025 published SD-JWT (RFC 9901), which enables selective disclosure of identity claims through cryptographic methods.
Separately, the World Wide Web Consortium has advanced Verifiable Credentials 2.0, a framework that allows users to present digital credentials without relying on a central identity provider.
Governments and technology companies are also deploying mobile driver’s licenses based on ISO standards that support selective disclosure of identity data.
ASC differs in approach. Rather than replacing existing systems, it extends OpenID Connect, a protocol widely used for online authentication, allowing organizations to adopt data-minimization features without overhauling infrastructure.
Debate Over Control and Visibility
The proposal also reflects a broader debate over how identity systems should function.
OpenID Connect relies on centralized identity providers, which can observe where users authenticate. Critics argue that model concentrates visibility and control.
By contrast, emerging frameworks such as verifiable credentials and digital identity wallets aim to reduce reliance on intermediaries and limit tracking of user activity.
The ASC draft addresses how data is shared but does not change the role of the identity provider in the transaction, a distinction that continues to divide experts in the field.
Less is Better
Standards groups and policymakers have increasingly emphasized data minimization as a core principle.
The European Commission has promoted digital identity wallets as a way for users to “share only the necessary data” when proving identity or attributes.
Similarly, efforts within the Internet Engineering Task Force and other bodies highlight selective disclosure as a key feature of next-generation identity systems.
The public comment period for the ASC draft runs through April 30. Following that, members of the OpenID Foundation will vote on whether to advance the specification.
Participation requires signing a contribution agreement and submitting feedback through the group’s mailing list.
Optional Adoption
The proposal does not mandate adoption, and its impact will depend on whether major technology providers and enterprises implement it. But its timing underscores a broader shift.
As regulators demand stronger identity checks and privacy rules limit data collection, identity systems are being redesigned to verify users while exposing less information.
The outcome of that effort – and how competing standards evolve – will shape the next phase of digital identity infrastructure.
