Croatia’s Ministry of Economy has submitted a proposal to amend the Trade Act for public consultation, introducing additional regulation of alcohol sales. Alongside the previously announced option for cities and municipalities to restrict late-night alcohol sales in physical stores, the key change concerns online sales: merchants will be required to verify the age of buyers through automated reading of an identity document.
Specifically, the proposed law stipulates that a merchant selling alcohol online must implement a technical solution that enables age verification by reading the machine-readable zone (MRZ) of an identification document.
If the buyer refuses such verification, the merchant must deny the sale. This fundamentally changes the existing practice, where age in online purchases was most often confirmed simply by ticking a box stating “I am over 18 years old”, while the actual check was deferred to the moment of delivery.
The regulatory intent is understandable and justified. It concerns protecting minors from alcohol. However, the specific technical solution the proposed law envisions raises serious questions: is OCR reading of the machine-readable zone of an ID card actually a sufficient mechanism? And does such a system need to compromise user privacy?
What is actually proposed and why it falls short
The proposed law places OCR, or optical character recognition, of the machine-readable zone (MRZ) on the back of an ID card at the centre of its technical solution. The MRZ allows precise extraction of a date of birth, which is technically a step in the right direction.
But OCR on its own does not resolve the fundamental problem of authenticity.
A minor could print a forged identity document with a false date of birth on a home printer, and such a forgery passes an OCR check easily because the system reads printed text and does not verify the document itself. Equally, someone could present a parent’s or an adult friend’s card for the OCR read. Since OCR cannot establish either document authenticity or the identity of the person presenting it, the solution envisioned by the proposed law will be relatively easy to circumvent.
Beyond the question of effectiveness, there is also the question of proportionality in data processing. When a user proves they are of legal age, the only information relevant to that purpose is: I am over 18 years old. The date of birth, name, address, and other attributes readable from the document are not required for that goal. Collecting them may constitute excessive processing contrary to the data minimisation principle under the GDPR. If the system works by having the user present a document that is OCR-read on the merchant’s side, the user has no guarantee that additional data was not collected in the process.
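The two limits described above, shown as an added example that is not part of the original article or of any vendor's code: a merchant-side MRZ check that validates the check digits and derives the age, while reporting what it cannot establish and which fields it had to read. It assumes the three-line, 30-character TD1 layout of ICAO 9303 used on ID cards; the sample lines and all function and field names are constructed for illustration.

```python
from datetime import date
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789<")
# Constructed TD1 sample (three 30-character lines, fictional issuer code UTO).
SAMPLE = ["I<UTOD231458907<<<<<<<<<<<<<<<",
          "7408122F1204159UTO<<<<<<<<<<<6",
          "ERIKSSON<<ANNA<MARIA<<<<<<<<<<"]

def check_digit(field):
    """ICAO 9303 check digit: 0-9 as-is, A-Z = 10..35, '<' = 0, weights 7,3,1."""
    def value(c):
        return int(c) if c.isdigit() else 0 if c == "<" else ord(c) - 55
    return sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def dob_from_yymmdd(yymmdd, today):
    """Resolve the two-digit year: a date of birth cannot lie in the future."""
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    year = 2000 + yy if date(2000 + yy, mm, dd) <= today else 1900 + yy
    return date(year, mm, dd)

def verify_age_td1(lines, today, min_age=18):
    """Report what a merchant-side OCR check can and cannot conclude."""
    result = {
        "checksums_ok": False,
        "over_min_age": None,
        # The check digits are an unkeyed checksum: they catch OCR misreads but
        # cannot show that the card is genuine or belongs to the presenter.
        "authenticity_established": False,
        # Readable by the merchant's OCR whether or not the purpose needs it.
        "fields_exposed": ["document_number", "date_of_birth", "sex",
                           "expiry_date", "nationality", "name"],
    }
    if len(lines) != 3 or any(len(l) != 30 or set(l) - ALLOWED for l in lines):
        return result
    l1, l2 = lines[0], lines[1]
    composite = l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29]
    checked = [(l1[5:14], l1[14]), (l2[0:6], l2[6]),
               (l2[8:14], l2[14]), (composite, l2[29])]
    if not all(c.isdigit() and check_digit(f) == int(c) for f, c in checked):
        return result
    result["checksums_ok"] = True
    try:
        dob = dob_from_yymmdd(l2[0:6], today)
    except ValueError:  # '<' fillers or an impossible calendar date
        return result
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    result["over_min_age"] = age >= min_age
    return result

print(verify_age_td1(SAMPLE, date(2025, 1, 1)))
```

The two-digit year is inherently ambiguous for holders older than 100, so a production check would also need a policy for that case.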
3 core challenges every serious system must address
This discussion takes place in the context of a broader technical problem. Every age verification system must address 3 structurally distinct challenges, of which the proposed law explicitly resolves only one.
1. The accuracy problem is present in systems that rely on algorithmic age estimation through facial analysis. A user takes a selfie and an algorithm estimates whether they are over 18. Such algorithms can be off by two to three years, meaning a fifteen-year-old could realistically pass the check. Without document verification and an exact date of birth, the system provides an estimate, not a confirmation. This is precisely the path taken by the United Kingdom, and it proved insufficient.
2. The authenticity problem, as described above, is not resolved by OCR alone. Reading a date does not prove the document is genuine or that the person presenting it is who they claim to be.
3. The data scope problem may be the most significant, yet it is almost entirely absent from the public debate around the proposed law. Collecting data beyond the minimum required to establish adulthood is not only a privacy issue but a question of GDPR compliance.
The solution that addresses all three dimensions: Digital ID Wallet and selective disclosure
The answer to all 3 challenges is Digital ID Wallet technology and selective data sharing, a solution that is technically more rigorous and more private than document OCR.
A user creates a digital ID wallet once, through a strictly controlled process, storing their personal and identity data inside it. That data is encrypted with a key held exclusively by the user. Neither the service provider nor any third party has access to that data without the user’s explicit consent.
The key difference from OCR: during the initial creation of the ID Wallet, a thorough biometric and documentary authenticity check is performed.
Storing a forged or someone else’s document is technically not possible, which eliminates precisely the vulnerability that OCR cannot address.

At the point of online purchase, the user does not send an ID card and does not share a date of birth. A request appears on the interface: “Merchant X wants to confirm you are over 18. Do you approve of sharing this information?” The user confirms and the verification is complete. The merchant receives only a binary confirmation of adulthood, with no additional attributes. This mechanism is called selective disclosure: the user autonomously determines which data they share, with which party, and at what time.
Such a system is in full compliance with the GDPR data minimisation principle: only the data strictly necessary to fulfil the purpose is processed, nothing more.
The technology already exists and is already in use in Croatia
This is not a concept waiting for implementation. This technology is already operationally deployed in Croatia. Around 100,000 Croatian citizens hold their own Digital ID Wallet. The Identyum platform applies precisely this model: the digital ID wallet and selective data sharing, as a production solution used daily, primarily in the financial sector for digital onboarding and KYC processes.
For use in the context of age verification in online alcohol sales, the technical implementation on the merchant side is straightforward. For citizens, the Identyum digital ID Wallet and age verification service are available free of charge.
The regulatory framework must keep pace with technological possibilities
The proposed amendment to the Trade Act asks the right regulatory question: how to protect minors in online alcohol sales. But the technical solution it envisions, basic OCR reading of the MRZ, does not answer that question adequately. It is easy to circumvent, and in the context of the GDPR it also raises questions about the proportionality of personal data processing.
A technological framework that delivers both high authenticity and privacy protection exists, is operationally deployed, and is available. The proposed law therefore presents an opportunity: rather than prescribing a specific technology that is structurally vulnerable, the legislative framework could define functional requirements, meaning the required level of authenticity, data minimisation, compliance with eIDAS and GDPR standards, and in doing so open the door to advanced solutions.
As long as “age verification” and “identity disclosure” are treated as inseparable concepts in the regulatory discussion, every proposal aimed at protecting minors will face legitimate opposition from a privacy protection standpoint. The Digital ID Wallet and selective data sharing bridge exactly that gap: confirming adulthood and protecting privacy are not in conflict. They can and should be achieved at the same time.
Prepare for the new obligations under the Trade Act with a solution that meets regulatory requirements while protecting your customers’ privacy. The Identyum Digital ID Wallet integrates seamlessly into your online store, enabling buyers to verify their age without disclosing any additional personal data.
