
The shift to privacy-first: The rise of zero-knowledge proof (ZKP)

Traditionally, identifying a user digitally requires users to share full names, birthdates, addresses, and copies of government-issued IDs. In some cases, this is unavoidable; full KYC checks for banking or other regulated services, for example, legitimately require government ID verification.

Collecting more data than necessary, however, comes with risks, such as increasing the chance of data misuse or theft, adding to compliance obligations, and driving up costs under frameworks like GDPR. This is leading more organisations to choose to collect only what is essential, protecting users while reducing operational risks. 

This is where concepts like zero-knowledge proof (ZKP), proportional identity, and the principle of minimum disclosure come in. They all describe the same idea: verifying identity while sharing only the data that is strictly necessary. Instead of treating digital identity as “all or nothing,” proportional identity allows verification to match the risk level of each transaction. Users can prove just enough to gain access—for instance, confirming someone is over 18 for an online alcohol purchase requires only the “18+” attribute, not their full date of birth or national ID numbers.

This blog explores zero-knowledge proof, proportional identity, and minimum disclosure, highlighting the advantages they offer businesses, regulations making them increasingly relevant, and potential use cases.

What are the risks of collecting full identity data?

Traditional identity verification often relies on collecting complete sets of personal data, such as full names, dates of birth, addresses, and copies of official documents. While comprehensive, this approach creates several significant problems: 

Security risks  

According to the IBM Cost of a Data Breach Report 2025, the global average cost of a breach is $4.44 million. The more sensitive data is stored, the larger the attack surface, and the higher the cost when things go wrong. For example, in 2021, the T-Mobile breach exposed personal information of over 40 million customers, including names, dates of birth, and social security numbers. The more data an organisation collects, the more attractive it becomes to attackers, with each data point becoming a 'honeypot'.

Privacy risks

EU regulations increasingly require proportional identity verification to protect the privacy of users. For instance, the EU’s Digital Services Act sets strict requirements for age assurance on online platforms while mandating that they be achieved without over-collection of personal data. GDPR further reinforces this: Article 5.1(c) requires data minimisation, while Article 5.1(e) demands storage limitation, meaning companies should not retain data beyond the moment of verification. Regulators are acting on these principles: in 2023, the Irish Data Protection Commission fined TikTok €345 million for failing to safeguard children’s data adequately, highlighting how costly missteps around proportionality and storage can be.

Customer experience 

Asking users for extensive personal data increases friction in their journeys. Each additional field or document requirement creates a drop-off point in the customer journey. According to Shopify, 18% of shoppers abandon their carts because the checkout process is too long or complicated. Minimising steps, such as reducing form fields or account creation requirements, can improve completion rates and create a smoother customer experience. 

Compliance and operational burden 

Full identity verification places heavy demands on organisations regarding GDPR compliance requirements. This includes secure storage, controlled access, deletion policies, and detailed audit trails. This also requires organisations to respond to data subject requests and ensure all processing is lawful. Mistakes can carry steep penalties, reaching up to €20 million or 4% of global annual turnover. 

Beyond compliance, collecting large volumes of personal data adds significant operational complexity. Companies need to securely store, manage, and eventually delete sensitive information, which increases costs for infrastructure and staff resources. Inefficient handling can slow onboarding, create gaps in compliance, and delay responses to regulatory requests. 

Reputational damage 

Beyond direct costs, mishandling personal data can quickly erode consumer trust. A 2022 PwC survey found that 85% of consumers would stop doing business with a company following a data breach. In digital identity, trust is critical; a single incident can undermine years of relationship building. Reducing the amount of data collected and adopting approaches like zero-knowledge proof can help mitigate these risks, protecting both users and company reputation.


What are data minimisation and minimum disclosure?

Minimum disclosure and data minimisation are related concepts that both limit the amount of personal information exposed, but in different ways:

Data minimisation is a regulatory principle emphasised in laws like GDPR. It encourages organisations to collect only the data they actually need for a specific purpose to reduce risks of breaches. For example, a telecom company verifying a user’s age to sell a SIM card doesn’t need the user’s full residential history, but only confirmation that the user is over 18.  

Minimum disclosure, on the other hand, focuses on what the user actively shares during an interaction. It’s about proving a fact without revealing unnecessary details. For example, this happens if someone can confirm that they are a student to access a discount without sharing their student ID number, date of birth, or university name. The user controls what is disclosed, while the verifier gets the assurance they need. 

In a nutshell, minimum disclosure is the principle deciding what information should be revealed, while data minimisation is the organisational practice of limiting what data is collected and stored overall.


What is proportional identity and how does it work with zero-knowledge proof?

Proportional identity ensures that the level of verification matches the level of risk. Instead of requiring full identity documents for every interaction, users can verify just the attributes necessary (often referred to as single attributes). A real-world application of proportional identification can be found in Germany’s mobility sector, the “Deutschlandticket,” which requires proof of residence. With proportional identity, eligibility can be confirmed by verifying a single attribute—‘resident in Germany’—rather than storing full identity documents. This reduces friction while maintaining compliance. 

Zero-knowledge proof (ZKP) is the technical foundation behind proportional identity. The broader definition of ZKP is the ability to prove whether or not a user has a single attribute without revealing the attribute itself. This is commonly achieved via specific cryptography that enables qualifying a user without revealing the underlying data. This enables organisations to implement minimum disclosure and data minimisation principles while still meeting verification requirements. The result is smoother, more trustworthy user experiences. Studies show that KYC verification using ZKPs cuts the amount of exposed user data by 97%.
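As an added illustration (not itsme's implementation and not code from this post), the sketch below proves the "18+" attribute without sending a date of birth, using a hash-chain commitment rather than a full zero-knowledge proof system. The function names, the sample ages, and the HMAC standing in for the issuer's public-key signature are assumptions made so the example runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets
from typing import Optional

THRESHOLD = 18
# Assumption: HMAC stands in for the issuer's public-key signature (stdlib only).
ISSUER_KEY = secrets.token_bytes(32)


def hash_n(value: bytes, n: int) -> bytes:
    """Apply SHA-256 to value n times."""
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


def issue_credential(age: int) -> dict:
    """Issuer: knows the real age; gives the holder a secret seed and a signed commitment."""
    seed = secrets.token_bytes(32)
    commitment = hash_n(seed, age + 1)
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    return {"seed": seed, "age": age, "commitment": commitment, "tag": tag}


def make_proof(cred: dict, threshold: int = THRESHOLD) -> Optional[dict]:
    """Holder: derive a proof of 'age >= threshold'; not computable for a lower age."""
    if cred["age"] < threshold:
        return None
    proof = hash_n(cred["seed"], cred["age"] + 1 - threshold)
    return {"proof": proof, "commitment": cred["commitment"], "tag": cred["tag"]}


def verify(presentation: dict, threshold: int = THRESHOLD) -> bool:
    """Verifier: sees only proof, commitment and tag, never the age or date of birth."""
    expected = hmac.new(ISSUER_KEY, presentation["commitment"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return False  # commitment was not issued by the trusted issuer
    return hmac.compare_digest(hash_n(presentation["proof"], threshold), presentation["commitment"])


if __name__ == "__main__":
    adult = issue_credential(30)   # constructed sample holder
    print("adult accepted:", verify(make_proof(adult)))
    minor = issue_credential(16)   # constructed sample holder
    print("minor can build a proof:", make_proof(minor) is not None)
```

The verifier learns only that the threshold is met, but the commitment is the same on every presentation, so it can be used to link a holder's visits across services. Issuing single-use credentials or using an unlinkable proof scheme addresses that.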

European regulations driving data minimisation and zero-knowledge proof 

Europe is leading the way in drafting key regulations that shape the adoption of privacy-preserving digital identity solutions. These include:

  • General Data Protection Regulation (GDPR)  
    GDPR incorporates the principles of data minimisation and purpose limitation. Article 5.1(c) requires data minimisation, while Article 5.1(e) mandates storage limitation, meaning companies should not retain data beyond the moment of verification. This requires organisations to only collect data that is necessary for the intended purpose, and it must be used only for that purpose. Companies therefore cannot require full ID where verifying a single attribute, such as age or residency, would suffice.

  • EU Digital Services Act (DSA)  
    The DSA, implemented in 2023, requires online platforms to take measures to protect minors from harmful content, including age-restricted services such as gaming, alcohol, and adult content. It does not mandate full identity verification, opening the door for privacy-preserving age checks, whereby users prove they meet age requirements without sharing personal information. 

  • eIDAS 2.0 & European Digital Identity Wallets 
    The upcoming eIDAS 2.0 regulation introduces the European Digital Identity Wallet, which will allow citizens to store verified, reusable attributes (e.g., age, nationality, professional qualifications) securely on their devices. The framework emphasises proportional verification, meaning the level of identity proof can be matched to the level of risk required by the service, so that attributes can be proven without revealing full ID documents.


What are the most common use cases for minimum disclosure and ZKP? 

Across Europe, sectors from eCommerce and adult services to marketplaces, ticketing, mobility, and streaming increasingly demand verification without full identification. With data minimisation and ZKP, organisations can deliver safer, smoother, privacy-preserving experiences:

  • Age verification: Users can prove they are at least 18 years old without sharing their full dates of birth or government IDs. This is useful for online alcohol or vape purchases, adult content platforms, age-restricted ticketing, and streaming services, where a single attribute can verify access eligibility without revealing a full identity profile. Platforms like itsme Qualify or AgeChecked use attribute-based verification to confirm age securely, reducing friction and improving adoption rates.

  • Eligibility verification: Students, employees, and other users can prove they belong to an institution or live in a certain geography to access discounts or special offers without having to share all their personal details. Platforms like UNiDAYS issue verified digital credentials that confirm eligibility with minimal disclosure, enhancing both user experience and trust. With itsme Qualify, businesses can determine eligibility based on attributes like age, without exposing unnecessary personal information. 

  • Proof of humanity: Platforms such as Bol.com, Marktplaats, and Vinted can verify that sellers are legitimate individuals and buyers meet eligibility requirements without collecting full identity documents. Single-attribute verification via ZKP can confirm proof of humanity or geographic restrictions, reducing fraud while protecting user privacy. 


Conclusion: Data minimisation as a strategic advantage 

For years, many businesses have assumed that collecting full customer profiles equals more data and more insights. In practice, over-collection often creates friction, risk, and operational complexity, without improving insights. 

When businesses view data minimisation as a strategic enabler rather than a compliance hurdle, privacy becomes a competitive advantage, showing customers that engaging with them means greater safety and transparency. As PwC notes, consumers “will take their business elsewhere if they don’t trust a company is handling their data responsibly,” and in digital identity, that trust directly drives higher adoption and engagement. 

Additionally, privacy and compliance are becoming drivers of innovation, enabling businesses to do more with less, unlocking features like age-restricted content, loyalty rewards, or digital health access without storing full identity data. 

Fortunately, organisations can harness these trends using existing tools and frameworks. Partnering with a trusted digital identity provider can deliver these benefits at scale. For example, integrating itsme Qualify allows your users to securely prove specific attributes, such as age, while minimising customer disclosure, enabling seamless, trustworthy interactions.


itsme Qualify allows businesses to confirm specific attributes without requiring users to disclose their full identity. It applies ZKP verification and aligns with GDPR principles like data minimisation and storage limitation. The underlying personal data are not stored, which reduces retention risks for the relying service. To learn more, visit the link.
