The new Danish regulation - what is it about?
Until now, e-commerce stores in Denmark selling alcohol and cigarettes have allowed customers to "verify" their age by merely answering a pop-up prompt. However, starting October 1st, 2024 this is no longer sufficient due to new legislation.
As a result, many online retailers will need to overhaul their IT systems and implement new, more reliable methods of age verification. The updated system must ensure that individuals under the legal age cannot complete purchases of these restricted goods.
Why it's good, but still can compromise privacy
While businesses are free to choose how they comply with the new regulations, they must now adopt more effective age verification methods. One potential solution is integrating MITID(i.e., the Danish national electronic identity system) into their systems, or requiring customers to log in using identification such as a passport or driver's license.
Although this change is part of a broader initiative aimed at preventing minors from accessing alcohol and nicotine, it also ties into the larger conversation around the EU Digital Identity Wallet. Set to be mandated by 2026, this initiative will enable EU citizens to have greater control over their personal data, while enhancing digital security across Europe (read more about the EU Digital Identity Wallet here).
The use of MITID could streamline age verification, but if companies opt for methods requiring passport uploads there is a risk of exposing too much personal information. Furthermore, how will businesses ensure the protection of the sensitive data they collect?
To comply with these new rules, many e-commerce platforms will need to update their IT systems. While the law doesn’t state specific solutions, businesses must adopt methods that genuinely confirm the customer's age.
Balancing age verification and privacy
While systems like MitID and document uploads might solve the immediate problem of preventing minors from purchasing online, a larger issue takes shape:
Data tracking.
Let’s have a look at how MitID functions.
Every time a customer uses MitID for age verification, the system contacts a broker (such as NemLog-in) to confirm the user’s date of birth.
In doing so, the broker learns not only that the individual is a certain age but also that a specific user is making a purchase in a specific shop. Thereby, brokers can track how a certain identity is used.
Similarly, when a customer uploads a passport or driver's license, their information - such as a driver's license number - can be linked across purchases. This creates the potential for businesses to track customer behavior, preferences, and purchasing habits over time. Now imagine two companies sharing this data. The merging of data could give these companies even deeper insights into individual consumer behavior, raising significant privacy concerns.
At Partisia, we fully support the new age verification regulations to prevent minors from accessing alcohol and nicotine products online. However, we also believe it is critical to address the broader issue of data privacy. As digital identity systems like the EU Digital Identity Wallet come into play, governments must consider how to protect citizens' data from misuse. We’ve already provided our formal feedback on this initiative (read about the feedback here).
Although this change serves an important purpose in protecting minors, it also introduces privacy concerns. The conversation extends beyond age verification - it touches on data security, particularly as the EU moves towards implementing the EU Digital Identity Wallet by 2026.
This initiative will give EU citizens more control over their personal data, improving digital security across the region.
A look into the future with Zero-knowledge proofs
Fortunately, the technology to protect citizens’ privacy already exists. Zero-Knowledge Proofs (ZKP). offers solutions that allow for age verification without exposing unnecessary personal information.
Zero-Knowledge Proofs, can be used to prevent the above issue which is commonly referred to as linkability. That is, using this technology a business would be able to verify that a customer is of legal age without knowing who they are or being able to track their purchasing behavior.
So what is a Zero-knowledge Protocol?
A Zero Knowledge (ZK) protocol (often also referred to as a ZK proof) is a protocol that involves two parties:
1) a prover wanting to prove the correctness of a claim and
2) a verifier who needs to be convinced about the correctness of the claim.
For a protocol to be considered zero-knowledge, it must satisfy three properties:
Completeness: If the prover's claim is true, they should be able to complete the protocol successfully.
Soundness: The verifier should only be convinced if the prover’s claim is indeed true.
Zero Knowledge: The verifier learns nothing beyond the fact that the claim is true.
Want to know more about ZK?
By adopting these technologies, companies can comply with the law while maintaining privacy safeguards that protect citizens from excessive data collection and tracking.
The new legislation requiring stronger age verification for online purchases of alcohol and nicotine is a step in the right direction. However, it’s crucial to balance this with robust data privacy protections.
Partisia encourages governments to incorporate advanced privacy-preserving technologies, such as Zero-Knowledge Proofs, into the forthcoming EU Digital Identity Wallet to ensure that citizens can verify their age without sacrificing control over their personal information.
The tools for protecting privacy are available today - we just need to implement them.
Sign up to our newsletter and be the first to hear about exciting updates, events and other interesting news.