As the New Year dawned in Louisiana in the United States, its 4.5 million residents woke to a new rule that restricts their access to the Internet — a measure aimed at stopping children from viewing pornography online.
Act 440, which requires residents to submit a digital driver's licence for third-party age verification before they can access adult websites, is among a clutch of new laws in the US, Europe and Britain seeking to protect children on the internet.
"Young people are very vulnerable online, and we really do''t think the online platforms do enough," said Lisa Hallgarten, head of policy and public affairs at Britain's Brook Health Centre, which advocates for children's online safety.
Campaigners hope the advent of laws requiring age verification to access certain online content or particular websites could mark a turning point.
The European Union's Digital Services Act and Britain's Online Safety Bill require age verification in order to stop targeted advertising for young people and block their access to adult and other content deemed harmful to minors.
At the same time, some large tech companies have introduced age verification measures, partly to ensure young children cannot open social media accounts.
Children's safety campaigners welcome such laws and safeguards, but data experts warn that age verification and other forms of identity checking threaten the privacy of Internet users of all ages through data gathering, storage or possible leaks.
"As this becomes standard — social compliance essentially — with more sites requesting ID validation, it normalises the behaviour and consequently increases the risk of this information getting into the wrong hands," said James Walker, chief executive of UK-based consumer data action service Rightly.
Age verification methods are not new. In 1990s, the US Communications Decency Act restricted online pornography and gambling websites by requiring users to submit credit card information as a way to stop under-18s from accessing them.
As Internet use increased and concern grew about phishing attacks targeting credit card users, companies tried to find less risky ways of detecting users' ages.
Some adopted trust-based systems, such as a button confirming that a user is over 18 — a mainstay of pornography websites, but such controls have been criticised for being too easy to evade.
Last year, Meta's Instagram platform rolled out social vouching, whereby three mutual followers confirm how old another user is.
The company also uses artificial intelligence to estimate a user's age from their posts, interactions with other accounts, and certain types of content.
Digital rights experts say that method highlights how much data tech firms can access.
Meta also uses Yoti, a tool that scans video selfies, to analyse users' age. It says the data is deleted as soon as the verification check is completed.
But accessing users' cameras is inherently invasive, according to the French National Commission on Informatics and Liberty (CNIL).
CNIL noted last year that face scans, especially if required for pornographic websites, may be used for blackmail, and has condemned all current forms of age verification.
Measuring reliability, data privacy and whether the systems worked across all ages, the group found that there is "currently no solution that satisfactorily meets these three requirements (and) all the solutions proposed can easily be circumvented".
The success of online age verification is heavily constrained by the way the Internet has been built, primarily through closed digital worlds of numerous, private-user accounts, posing a significant risk to user rights, experts say.
"Consumers hand over their email addresses to companies they don't know, click on emails from organisations they aren't familiar with, or sign up to competition sites without thinking of the consequences of sharing data," said Walker at Rightly.
"Gathering personal information for age verification does run an inherent risk because the only person who can take back control of your data is you," he added.
Young people's data has already fallen into the wrong hands in an attempt to provide age verification measures.
In November, a database of 28 million children's learning records was used by gambling websites to help develop age verification checks.
The database included a child's full name, date of birth, and gender, with optional fields for email address and nationality.