
The shift to privacy-first: The rise of minimum disclosure and ZKP

Traditionally, identifying a user digitally requires users to share full names, birthdates, addresses, and copies of government-issued IDs. In some cases, this is unavoidable; full KYC checks for banking or other regulated services, for example, legitimately require government ID verification. 

Collecting more data than necessary, however, comes with risks, such as increasing the chance of data misuse or theft, adding to compliance obligations, and driving up costs under frameworks like GDPR. This is leading more organisations to collect only what is essential, protecting users while reducing operational risks. 

This is where concepts like zero-knowledge proof (ZKP), proportional identity, and the principle of minimum disclosure come in. They all describe the same idea: verifying identity while sharing only the data that is strictly necessary. Instead of treating digital identity as “all or nothing,” proportional identity allows verification to match the risk level of each transaction. Users can prove just enough to gain access—for instance, confirming someone is over 18 for an online alcohol purchase requires only the “18+” attribute, not their full date of birth or national ID numbers.

This blog explores zero-knowledge proof, proportional identity, and minimum disclosure, highlighting the advantages they offer businesses, regulations that are making them increasingly relevant, and potential use cases across industries.

What are the risks of full identity collection?

Traditional identity verification often relies on collecting complete sets of personal data, such as full names, dates of birth, addresses, and copies of official documents. While comprehensive, this approach creates several significant problems: 

Security risks  

The more data an organisation collects, the more attractive it becomes to attackers, with each data point becoming a 'honeypot'. For example, in 2021, the T-Mobile breach exposed personal information of over 40 million customers, including names, dates of birth, and social security numbers. The more sensitive data is stored, the larger the attack surface, and the higher the cost when things go wrong. According to the IBM Cost of a Data Breach Report 2025, the global average cost of a breach is $4.44 million. 

Privacy risks

EU regulations increasingly require proportional identity verification to protect the privacy of users. For instance, the EU’s Digital Services Act sets strict requirements for age assurance on online platforms while mandating that they be achieved without over-collection of personal data. GDPR further reinforces this: Article 5.1(c) requires data minimisation, while Article 5.1(e) demands storage limitation, meaning companies should not retain data beyond the moment of verification. Regulators have begun acting on these principles: in 2023, the Irish Data Protection Commission fined TikTok €345 million for failing to safeguard children’s data adequately, highlighting how costly missteps around proportionality and storage can be. 

Customer experience 

Asking users for extensive personal data increases friction in their journeys. Each additional field or document requirement creates a drop-off point in the customer journey. According to Shopify, 18% of shoppers abandon their carts because the checkout process is too long or complicated. Minimising steps, such as reducing form fields or account creation requirements, can improve completion rates and create a smoother customer experience. 

Compliance and operational burden 

Full identity verification places heavy demands on organisations regarding GDPR compliance requirements. This includes secure storage, controlled access, deletion policies, and detailed audit trails. This also requires organisations to respond to data subject requests and ensure all processing is lawful. Mistakes can carry steep penalties, reaching up to €20 million or 4% of global annual turnover. 

Beyond compliance, collecting large volumes of personal data adds significant operational complexity. Companies need to securely store, manage, and eventually delete sensitive information, which increases costs for infrastructure and staff resources. Inefficient handling can slow onboarding, create gaps in compliance, and delay responses to regulatory requests. 

Reputational damage 

Beyond direct costs, mishandling personal data can quickly erode consumer trust. A 2022 PwC survey found that 85% of consumers would stop doing business with a company following a data breach. In digital identity, trust is critical; a single incident can undermine years of relationship building. Reducing the amount of data collected and adopting approaches like zero-knowledge proof can help mitigate these risks, protecting both users and company reputation.

What are data minimisation and minimum disclosure in digital identity?

Minimum disclosure and data minimisation are related concepts that both aim to limit the exposure of personal information, but they approach it from different angles: 

  • Data minimisation is a regulatory principle emphasised in laws like GDPR. It encourages organisations to collect only the data they actually need for a specific purpose and no more in order to reduce risks of breaches. For example, a telecom company verifying a user’s age to sell a SIM card doesn’t need the user’s full residential history, but only confirmation that the user is over 18.  

  • Minimum disclosure, on the other hand, focuses on what the user actively shares during an interaction. It’s about proving a fact without revealing unnecessary details. For example, this happens if someone can confirm that they are a student to access a discount without sharing their student ID number, date of birth, or university name. The user controls what is disclosed, while the verifier gets the assurance they need. 

In a nutshell, minimum disclosure is the principle deciding what information should be revealed in a given interaction, while data minimisation is an organisational practice that limits what data is collected and stored overall. 

What is proportional identity and how does it work with zero-knowledge proof?

  • Proportional identity ensures that the level of verification matches the level of risk. Instead of requiring full identity documents for every interaction, users can verify just the attributes necessary (often referred to as single attributes). A real-world application of proportional identification can be found in Germany’s mobility sector, the “Deutschlandticket,” which requires proof of residence. With proportional identity, eligibility can be confirmed by verifying a single attribute—‘resident in Germany’—rather than storing full identity documents, reducing friction while maintaining compliance. 

  • Zero-knowledge proof (ZKP) is the technical foundation behind this approach, using cryptography to verify information without revealing the underlying data. This enables organisations to implement minimum disclosure and data minimisation principles while still meeting verification requirements, creating smoother, more trustworthy user experiences. 

European regulations driving data minimisation and zero-knowledge proof 

Europe is leading the way in drafting key regulations that are shaping the adoption of privacy-preserving digital identity solutions. These include:

  • EU Digital Services Act (DSA)  
    The DSA, implemented in 2023, requires online platforms to take measures to protect minors from harmful content, including age-restricted services such as gaming, alcohol, and adult content. It does not mandate full identity verification, opening the door for privacy-preserving age checks, whereby users prove they meet age requirements without sharing personal information. 

  • eIDAS 2.0 & European Digital Identity Wallets 
    The upcoming eIDAS 2.0 regulation introduces the European Digital Identity Wallet, which will allow citizens to store verified, reusable attributes (e.g., age, nationality, professional qualifications) securely on their devices. The framework emphasises proportional verification, meaning the level of identity proof can be matched to the level of risk required by the service. This approach supports minimum disclosure principles, enabling users to prove attributes without revealing full ID documents. 

  • General Data Protection Regulation (GDPR)  
    GDPR incorporates the principles of data minimisation and purpose limitation. Article 5.1(c) requires data minimisation, while Article 5.1(e) mandates storage limitation, meaning companies should not retain data beyond the moment of verification. This requires organisations to only collect data that is necessary for the intended purpose, and it must be used only for that purpose. Companies therefore cannot require full ID where verifying a single attribute, such as age or residency, would suffice.

What are the most common use cases for data minimisation and ZKP? 

Across Europe, sectors from eCommerce, adult services, and peer-to-peer marketplaces to ticketing, mobility, and streaming increasingly require user verification without full identification. By applying data minimisation and ZKP, organisations can create a safer, smoother, and privacy-preserving customer experience:

  • Age verification: Users can prove they are 18+ to access online alcohol or vaping without sharing their full date of birth or government ID. This also applies to adult content platforms, ticketing platforms for age-restricted events, and streaming services, where verifying the suitability of content or access for viewers can be done via a single attribute rather than a full identity profile. Platforms like itsme Qualify or AgeChecked use attribute-based verification to confirm age securely, reducing friction and improving adoption rates.

  • Discount or eligibility verification: Students and employees can verify their affiliation with an institution to access discounts or special offers without sharing full personal details such as date of birth or address. Platforms like UNiDAYS issue verified digital credentials that confirm eligibility with minimal disclosure, enhancing both user experience and trust. With itsme Qualify, businesses can also determine eligibility based on attributes like age, without exposing unnecessary personal information. 

  • Seller and buyer verification in eCommerce and peer-to-peer marketplaces: Platforms such as Bol.com, Marktplaats, and Vinted can verify that sellers are legitimate individuals and buyers meet eligibility requirements without collecting full identity documents. Single-attribute verification via ZKP can confirm proof of humanity or geographic restrictions, reducing fraud while protecting user privacy. 
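As an added illustration (not itsme's or any vendor's code), the following Python models the age-verification case above with a salted-hash selective-disclosure credential, the construction used by formats such as SD-JWT: the issuer attests an `over_18` boolean derived from the birth date, the holder reveals only that attribute, and the verifier checks it against the issuer's signature without ever seeing the date. The HMAC stands in for the issuer's digital signature, and the issuer name and sample holder are constructed; this is selective disclosure rather than a zero-knowledge proof in the strict cryptographic sense.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed stand-in for the issuer's signing key; a real issuer would use a
# public-key signature so verifiers never hold the key. Placeholder value only.
ISSUER_KEY = b"constructed-issuer-key"

def is_over_18(birth_iso: str, today_iso: str) -> bool:
    """Issuer-side derivation: the boolean is attested, the birth date is not."""
    birth, today = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1) >= 18

def issue_credential(attributes: dict) -> dict:
    """Issuer: salt and hash each attribute; sign only the (sorted) digest list."""
    disclosures, digests = {}, []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)  # fresh salt per attribute defeats guessing
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(hashlib.sha256(disclosure.encode()).hexdigest())
    payload = json.dumps({"iss": "constructed-issuer", "digests": sorted(digests)},
                         separators=(",", ":"))
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig, "disclosures": disclosures}

def present(credential: dict, reveal: list) -> dict:
    """Holder: forward the signed payload plus only the chosen disclosures."""
    return {"payload": credential["payload"], "signature": credential["signature"],
            "disclosures": [credential["disclosures"][n] for n in reveal]}

def verify(presentation: dict):
    """Verifier: check the issuer signature, then bind each disclosure to a signed
    digest. Returns the revealed attributes, or None if any check fails."""
    expected = hmac.new(ISSUER_KEY, presentation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    signed_digests = set(json.loads(presentation["payload"])["digests"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if hashlib.sha256(disclosure.encode()).hexdigest() not in signed_digests:
            return None  # disclosure was altered or belongs to another credential
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed
```

Everything the verifier receives is the return value of `present()`, so the undisclosed attributes reach it only as salted digests.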

Conclusion: Beyond compliance, data minimisation as a strategic advantage 

For years, many businesses have assumed that collecting full customer profiles equals more data and more insights. In practice, over-collection often creates friction, risk, and operational complexity, without improving insights. 

When businesses see data minimisation as a strategic enabler rather than a compliance hurdle, they turn privacy into a competitive advantage by showing customers that engaging with them involves greater safety and transparency. As PwC notes, consumers “will take their business elsewhere if they don’t trust a company is handling their data responsibly,” and in digital identity, that trust directly drives higher adoption and engagement. 

Additionally, privacy and compliance are becoming drivers of innovation, enabling businesses to do more with less, unlocking features like age-restricted content, loyalty rewards, or digital health access without storing full identity data. 

Fortunately, organisations can leverage these trends without reinventing the wheel. Partnering with a trusted digital identity provider can deliver these benefits at scale. For example, itsme Qualify allows users to securely prove specific attributes, such as age, while minimising customer disclosure, enabling seamless, trustworthy interactions. 

itsme Qualify allows businesses to confirm specific attributes without requiring users to disclose their full identity. It applies ZKP verification and aligns with GDPR principles like data minimisation and storage limitation. Neither verification outcomes nor underlying personal data are stored, which reduces retention risks for both the provider and the relying service. To learn more, visit the link.
