
The shift to privacy-first: The rise of zero-knowledge proof (ZKP)
Traditionally, identifying a user digitally requires users to share full names, birthdates, addresses, and copies of government-issued IDs. In some cases, this is unavoidable; full KYC checks for banking or other regulated services, for example, legitimately require government ID verification.
Collecting more data than necessary, however, comes with risks, such as increasing the chance of data misuse or theft, adding to compliance obligations, and driving up costs under frameworks like GDPR. This is leading more organisations to choose to collect only what is essential, protecting users while reducing operational risks.
This is where concepts like zero-knowledge proof (ZKP), proportional identity, and the principle of minimum disclosure come in. They all describe the same idea: verifying identity while sharing only the data that is strictly necessary. Instead of treating digital identity as “all or nothing,” proportional identity allows verification to match the risk level of each transaction. Users can prove just enough to gain access—for instance, confirming someone is over 18 for an online alcohol purchase requires only the “18+” attribute, not their full date of birth or national ID numbers.
This blog explores zero-knowledge proof, proportional identity, and minimum disclosure, highlighting the advantages they offer businesses, regulations making them increasingly relevant, and potential use cases.
What are the risks of collecting full identity data?
Traditional identity verification often relies on collecting complete sets of personal data, such as full names, dates of birth, addresses, and copies of official documents. While comprehensive, this approach creates several significant problems:
Security risks
According to the
Privacy risks
EU regulations increasingly require proportional identity verification to protect the privacy of users. For instance, the EU’s Digital Services Act sets strict requirements for age assurance in online platforms while mandating that they be achieved without over-collection of personal data. GDPR further reinforces this: Article 5.1(c) requires data minimisation, while Article 5.1(e) demands storage limitation, meaning companies should not retain data beyond the moment of verification. Regulators are acting on these principles: in 2023, the Irish Data Protection Commission
Customer experience
Asking users for extensive personal data increases friction in their journeys. Each additional field or document requirement creates a drop-off point in the customer journey. According to
Compliance and operational burden
Full identity verification places heavy demands on organisations regarding GDPR compliance requirements. This includes secure storage, controlled access, deletion policies, and detailed audit trails. This also requires organisations to respond to data subject requests and ensure all processing is lawful. Mistakes can carry steep
Beyond compliance, collecting large volumes of personal data adds significant operational complexity. Companies need to securely store, manage, and eventually delete sensitive information, which increases costs for infrastructure and staff resources. Inefficient handling can slow onboarding, create gaps in compliance, and delay responses to regulatory requests.
Reputational damage
Beyond direct costs, mishandling personal data can quickly erode consumer trust. A 2022 PwC survey found that
What are data minimisation and minimum disclosure?
Minimum disclosure and data minimisation are related concepts that limit the amount of personal information exposed, each in a different way:
Data minimisation is a regulatory principle emphasised in laws like GDPR. It encourages organisations to collect only the data they actually need for a specific purpose to reduce risks of breaches. For example, a telecom company verifying a user’s age to sell a SIM card doesn’t need the user’s full residential history, but only confirmation that the user is over 18.
Minimum disclosure, on the other hand, focuses on what the user actively shares during an interaction. It’s about proving a fact without revealing unnecessary details. For example, this happens if someone can confirm that they are a student to access a discount without sharing their student ID number, date of birth, or university name. The user controls what is disclosed, while the verifier gets the assurance they need.
In a nutshell, minimum disclosure is the principle that decides what information should be revealed, while data minimisation is the organisational practice of limiting what data is collected and stored overall.
What is proportional identity and how does it work with zero-knowledge proof?
Proportional identity ensures that the level of verification matches the level of risk. Instead of requiring full identity documents for every interaction, users can verify just the attributes necessary (often referred to as single attributes). A real-world application of proportional identification can be found in Germany’s mobility sector, the “Deutschlandticket,” which requires proof of residence. With proportional identity, eligibility can be confirmed by verifying a single attribute—‘resident in Germany’—rather than storing full identity documents. This reduces friction while maintaining compliance.
Zero-knowledge proof (ZKP) is the technical foundation behind proportional identity. The broader definition of ZKP is the ability to prove whether or not a user has a single attribute without revealing the attribute itself. This is commonly achieved with cryptography that lets a verifier qualify a user without seeing the underlying data. Organisations can therefore implement minimum disclosure and data minimisation principles while still meeting verification requirements. The result is smoother, more trustworthy user experiences.
European regulations driving data minimisation and zero-knowledge proof
Europe is leading the way in drafting key regulations that shape the adoption of privacy-preserving digital identity solutions. These include:
General Data Protection Regulation (GDPR)
GDPR incorporates the principles of data minimisation and purpose limitation. Article 5.1(c) requires data minimisation, while Article 5.1(e) mandates storage limitation, meaning companies should not retain data beyond the moment of verification. This requires organisations to only collect data that is necessary for the intended purpose, and it must be used only for that purpose. Companies therefore cannot require full ID where verifying a single attribute, such as age or residency, would suffice.
EU Digital Services Act (DSA)
The DSA, implemented in 2023, requires online platforms to take measures to protect minors from harmful content, including age-restricted services such as gaming, alcohol, and adult content. It does not mandate full identity verification, opening the door for privacy-preserving age checks, whereby users prove they meet age requirements without sharing personal information.
eIDAS 2.0 & European Digital Identity Wallets
The upcoming eIDAS 2.0 regulation introduces the European Digital Identity Wallet, which will allow citizens to store verified, reusable attributes (e.g., age, nationality, professional qualifications) securely on their devices. The framework emphasises proportional verification, meaning the level of identity proof can be matched to the level of risk required by the service, so that attributes can be proven without revealing full ID documents.
What are the most common use cases for minimum disclosure and ZKP?
Across Europe, sectors from eCommerce and adult services to marketplaces, ticketing, mobility, and streaming increasingly demand verification without full identification. With data minimisation and ZKP, organisations can deliver safer, smoother, privacy-preserving experiences:
Age verification: Users can prove they are at least 18 years old without sharing their full dates of birth or government IDs. This is useful for online alcohol or vape purchases, adult content platforms, age-restricted ticketing, and streaming services, where a single attribute can verify access eligibility without revealing a full identity profile. Platforms like itsme® Qualify or AgeChecked use attribute-based verification to confirm age securely, reducing friction and improving adoption rates.
Eligibility verification: Students, employees, and other users can prove they belong to an institution or live in a certain geography to access discounts or special offers without having to share all their personal details. Platforms like UNiDAYS issue verified digital credentials that confirm eligibility with minimal disclosure, enhancing both user experience and trust. With itsme® Qualify, businesses can determine eligibility based on attributes like age, without exposing unnecessary personal information.
Proof of humanity: Platforms such as Bol.com, Marktplaats, and Vinted can verify that sellers are legitimate individuals and buyers meet eligibility requirements without collecting full identity documents. Single-attribute verification via ZKP can confirm proof of humanity or geographic restrictions, reducing fraud while protecting user privacy.
Conclusion: Data minimisation as a strategic advantage
For years, many businesses have assumed that collecting full customer profiles equals more data and more insights. In practice, over-collection often creates friction, risk, and operational complexity, without improving insights.
When businesses view data minimisation as a strategic enabler rather than a compliance hurdle, privacy becomes a competitive advantage, showing customers that engaging with them means greater safety and transparency. As
Additionally, privacy and compliance are becoming drivers of innovation, enabling businesses to do more with less, unlocking features like age-restricted content, loyalty rewards, or digital health access without storing full identity data.
Fortunately, organisations can harness these trends using existing tools and frameworks. Partnering with a trusted digital identity provider can deliver these benefits at scale. For example, integrating itsme® Qualify allows your users to securely prove specific attributes, such as age, while minimising customer disclosure, enabling seamless, trustworthy interactions.