A regulator that regulates the tool, not the mandate
On June 14, 2026, Israel's Privacy Protection Authority (PPA) published draft guidelines on "privacy protection in the use of age assurance measures" online, opening the document for public comment through July 14, 2026. The PPA is not ordering websites, apps, or platforms to verify anyone's age. What it is doing is telling any operator that chooses to deploy age checks — social networks, gaming platforms, adult-content sites, e-commerce services — that the method they pick is itself a privacy decision subject to Israel's Privacy Protection Law, and that the most invasive tools will rarely be justified.
That is a narrower, more defensible intervention than what other governments are attempting, and it deserves to be read as a template rather than a footnote.
The case for age checks, stated fairly
The PPA's own framing does not dismiss the child-safety rationale. Israeli commentary on the draft describes the purpose of age assurance as "blessed" — protecting minors from content and services that don't fit their age — while warning that irresponsible implementation endangers the privacy of minors and adults alike (law.co.il). That framing is worth taking seriously. Platforms that host pornography, gambling, or algorithmically-optimized feeds have a real interest — and in some jurisdictions a legal obligation — in knowing whether a user is a minor. A regulator that pretended age assurance served no legitimate purpose would be arguing against its own record: Israel's Privacy Protection Law already treats data about minors as warranting heightened care.
The three-tier test
Where the PPA earns its pro-innovation credentials is in how it structures the trade-off. According to the draft and law-firm summaries of it, age-verification methods fall into three risk tiers (law.co.il; Gornitzky GNY):
- Low risk — self-declaration, where a user simply states their age.
- Moderate risk — knowledge-based checks, credit-card or bank-statement verification, and third-party age-verification services that confirm an age bracket without exposing the underlying document.
- High risk — real-time biometric processing, user-profile behavioral analysis, and collection of government ID, passports, or driver's licenses.
The Authority's position is that high-risk methods will "almost always" exceed what is necessary to confirm someone is over or under a threshold age, and should be used only where a specific legal requirement exists or there is a documented, concrete risk to minors — not as a default. Operators that do use them are expected to run privacy-impact assessments, apply data minimization, use the collected information solely for verification, delete it (including copies held by third-party vendors) once the check is complete, and obtain informed consent rather than relying on implied consent.
Why the alternative is worse
Compare this to the trajectory in the UK, where the Online Safety Act requires "highly effective age assurance" and the Information Commissioner's Office has pointed to facial age estimation and ID-document matching as acceptable methods. The Open Rights Group's critique of that approach is the clearest warning of what Israel's tiering is designed to avoid: verification vendors like Persona have been found reusing age-check data far beyond its stated purpose — in one documented case running 269 separate verification checks on a single user, including screening against 14 categories of "adverse media" from terrorism to espionage (Open Rights Group). Mandate the high-risk tool, in other words, and you don't just check ages — you build a biometric and identity-verification layer across the open web that outlives its original justification and gets repurposed the moment it exists. Israel's guidance, by contrast, treats that outcome as the thing to be prevented, not tolerated as collateral cost.
The enforcement isn't hypothetical
This is not a toothless statement of principle. Amendment 13 to the Privacy Protection Law took effect on August 14, 2025, and gave the PPA the power to issue administrative orders, cease-and-desist directives, and monetary sanctions — including fines of up to ILS 320,000 per violation for security failures, with multipliers for large-scale or sensitive-data processing, and the ability to publish violators' names for up to four years (IAPP; BigID). A platform that scans faces or stockpiles ID scans to verify age, without a legal mandate or documented risk to justify it, is now exposed to exactly that enforcement track. Israel's Knesset Research and Information Center has separately reviewed comparative approaches to age-verification mandates for minors, reflecting that lawmakers are watching the same trade-offs the PPA is now trying to pre-empt with guidance rather than statute (Knesset Research and Information Center).
The right model, if it survives contact with comments
The draft's real innovation is refusing to conflate "protecting children online" with "maximizing the certainty of every age check." A regulator that instead asks platforms to justify the invasiveness of their method against the actual risk gives industry room to use low-friction, low-data tools like self-declaration or third-party attestation for most use cases, while reserving biometric and ID-based checks for the narrow cases — hardcore pornography, gambling, legally mandated contexts — where the risk to minors is concrete enough to bear the privacy cost. That is proportionality doing real work, not just appearing in a preamble. The month-long comment window closing July 14, 2026 is where industry groups, privacy advocates, and platforms should be pushing to keep it that way — because the version of this fight playing out in the UK shows what happens when a regulator instead treats invasive verification as the default "highly effective" answer.