If the laws were really about protecting children, they would have passed a law requiring browser vendors to provide age check support in a privacy-protecting way.
It’s one thing to argue intent, but could you clarify exactly how that is done in a privacy-protecting way? I’d like some kind of guarantee that what they need to collect and verify will remain secure. Especially about children. That it will not be hacked. Or even sold under more obvious corporate abuse. How many are stepping up to do that? How many really could, even if they wanted to?
That's an implementation detail. The one thing that is certain is that only the browser can do this in a way that doesn't provide the government or a quasi-government entity with information about what site you went to, because if you send credentials to a website, it will have to know what website to handshake with, and it will know who you are. And even if you do some interesting privacy-protecting handshake in JavaScript, it is too easy to modify to compromise privacy, and you'll never know it if one of a hundred verification sites does this. With a browser, there would be only a single-digit number of interesting implementations worldwide, so monitoring them is practical.
My first thought is that a best-effort approach is good enough. You provide your photo ID once, and if the website requires additional validation, the browser can also require you to take a picture with your webcam once for verification purposes.
After you verify your identity, you should have a choice between leaving the browser permanently authorized on a non-shared computer/device or requiring a passcode/Touch ID tap/Face ID scan on a per-use basis, at your option, for a multi-user device. Either way, that decision must be in the user's hands, rather than the browser's, the website owner's, or the government's hands, or else it becomes psychologically abusive, and a tactic for discouraging use of certain sites.
The browser then verifies the photo (on-device), if applicable, uses OCR to determine the issuing authority, and sends a random nonce to the issuing authority along with an image of the photo ID (not a photo of the user, because that could reveal where the user is, what the user is wearing, and other potentially privacy-violating details, depending, making that an unreasonable thing to do).
The authority signs the nonce provided by the browser and then sends back the signed nonce. The browser then verifies the issuing authority's public key against a periodically updated shared database of issuing authority root certs, and sends back the fully validated request to the requesting website, which should also validate the signature against its shared database of issuer certs.
For this to be secure and privacy-protecting, you need a few guarantees:
- The photo used for verification, if required, never leaves the device (and this practice should be strongly discouraged).
- The retrieval of the issuing authority's public key must always be from a local root store, not by retrieving it directly from the authority at the time of access, to prevent information leaks through timing attacks.
- The issuing authority must use multiple overlapping signatures to ensure a reasonable transition period when signing keys/certificates change, so that sites can update their local root store on a weekly (or, ideally, monthly) basis.
- There must be a central authority providing either downloadable root stores or downloadable lists of URLs for per-country root stores (the details of this part of the implementation are not that important).
- No issuing authority may have fewer than a few million users.
- Browsers must encourage users to verify their age as soon as the feature is added (or afterwards, whenever the user first runs the browser), and periodically after that, so that age verification does not create any presumption that the user is actually going to what any particular country considers to be "adult" sites.
In an ideal world, you'd go one step further and have the website provide the nonce. Then you'd use some sort of zero-knowledge proof to prove that a certifying agency trusted by the browser knows the nonce without revealing which certifying agency it is, thus preventing it from revealing anything about the user, including the user's country/state, but I'm not entirely sure how you'd pull that off in a way that doesn't require trusting the browser to not be compromised with fake authorities, so that optional next step is left as an exercise for the reader.
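The nonce exchange and the local-root-store and overlapping-signature guarantees from the post above, sketched for Node.js as an added example that is not part of the original post. Ed25519, the key ids, the token layout and all function names are assumptions made for illustration, and the authority's check of the ID image is assumed to have already passed.

```javascript
// Added illustration; Ed25519, key ids and the token layout are assumptions.
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Constructed issuing authority in the middle of a key rotation: it holds
// the outgoing key ("issuer-2024") and the incoming key ("issuer-2025").
const authorityKeys = ["issuer-2024", "issuer-2025"].map((keyId) => ({
  keyId,
  ...generateKeyPairSync("ed25519"),
}));

// Authority side: sign the browser's nonce with every active key (the
// "multiple overlapping signatures" guarantee). The authority sees the
// nonce only, never the site that asked for verification.
function authoritySign(nonce) {
  return authorityKeys.map(({ keyId, privateKey }) => ({
    keyId,
    sig: sign(null, nonce, privateKey),
  }));
}

// Local root store (keyId -> public key) built from a subset of key ids,
// modelling stores that were refreshed at different times.
function rootStore(keyIds) {
  return new Map(
    authorityKeys
      .filter((k) => keyIds.includes(k.keyId))
      .map((k) => [k.keyId, k.publicKey])
  );
}

// Used by both browser and website: accept if any signature verifies under
// a key already in the local store. No lookup at the authority happens here.
function verifyToken(token, store) {
  return token.signatures.some(({ keyId, sig }) => {
    const publicKey = store.get(keyId);
    return publicKey !== undefined && verify(null, token.nonce, publicKey, sig);
  });
}

// Browser side: fresh random nonce, one round trip, then a local check
// before anything is handed to the requesting website.
function browserObtainToken(browserStore) {
  const nonce = randomBytes(32);
  const token = { nonce, signatures: authoritySign(nonce) };
  if (!verifyToken(token, browserStore)) throw new Error("untrusted issuer");
  return token;
}
```

A site whose store still holds only `issuer-2024` and a site that has already dropped it both accept the same token. Because the browser picks the nonce, the site cannot distinguish a fresh token from a replayed one, and the key ids reveal the issuer; both are what the website-provided nonce and zero-knowledge step in the post's last paragraph are aimed at.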