The bill currently on the agenda of the Turkish Grand National Assembly would tighten age limits and the related verification obligations for children’s access to digital services. Its stated aim is to protect children from age-inappropriate content, toxic interactions, and uncontrolled spending. However, the current approach carries several risks, most notably the risk of unintentionally weakening Türkiye’s game-export ecosystem.
The core method being adopted is conventional identity and age verification: asking users for their date of birth, identity document, or national ID number, and making this a condition of access to the service. While this approach creates a verifiable threshold, it also entails significant risks.

First, any platform that collects identity data becomes a larger target for cyberattacks. When a breach occurs, the company’s reputation, regulatory exposure, and investor appetite are all affected. Every additional step inserted into the registration flow reduces customer conversion and makes it harder for small studios to grow. In the end, the regulation could push domestic game companies abroad and drive global distributors away from the Turkish market.
Age verification is not the same thing as identification. In most scenarios, the information needed is not who the person is, but whether they are above a certain age threshold. Under the zero-knowledge authentication approach, which the EU is also moving toward, the user does not provide identity information to the platform. Instead, they cryptographically prove the result “I am over 15.” The platform sees only whether the user passes or fails; no stockpile of personal data is created.
To make this possible, the user obtains an age attribute once through the state’s digital identity infrastructure or through licensed providers. Upon logging in, the cryptographic wallet on the user’s device generates a proof that verifies only the relevant age threshold. The child-protection objective is achieved without sharing identity information, data minimization is ensured, and both the cybersecurity burden and compliance costs are reduced.
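The flow described above, as an added example that is not part of the original article: it uses a hash-chain commitment in place of a full zero-knowledge proof, and an HMAC in place of the issuer's public-key signature so that it runs with the Python standard library. The function names, ages and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value

def issue_credential(issuer_key: bytes, age: int) -> dict:
    """Issuer side, run once: commit to the age as H^age(seed) and authenticate it."""
    seed = secrets.token_bytes(32)
    commitment = chain(seed, age)
    # Assumption: HMAC stands in for the issuer's public-key signature.
    tag = hmac.new(issuer_key, commitment, hashlib.sha256).digest()
    return {"seed": seed, "age": age, "commitment": commitment, "tag": tag}

def wallet_prove(credential: dict, threshold: int):
    """Wallet side: reveal H^(age - threshold)(seed); seed and age stay on the device."""
    if credential["age"] < threshold:
        return None  # the link needed would be a preimage of the seed
    link = chain(credential["seed"], credential["age"] - threshold)
    return {"link": link, "commitment": credential["commitment"],
            "tag": credential["tag"]}

def platform_verify(issuer_key: bytes, proof, threshold: int) -> bool:
    """Platform side: learns only pass or fail for this threshold."""
    if proof is None:
        return False
    expected = hmac.new(issuer_key, proof["commitment"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, proof["tag"]):
        return False  # commitment was not issued by the trusted issuer
    # Hashing the revealed link `threshold` more times must reach the commitment.
    return hmac.compare_digest(chain(proof["link"], threshold), proof["commitment"])

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed issuer key
    adult = issue_credential(key, 17)    # constructed sample users
    child = issue_credential(key, 12)
    print(platform_verify(key, wallet_prove(adult, 15), 15))
    print(platform_verify(key, wallet_prove(child, 15), 15))
```

In this construction the commitment is identical on every presentation and the proof is not bound to a session, so platforms could link one wallet across services and a captured proof could be replayed. A production scheme needs unlinkable, session-bound proofs.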
In the legislation before Parliament, it is important not to lock age verification into a single model. A risk-based framework could apply stronger safeguards for content with higher age ratings and lighter measures in lower-risk areas. A common verification infrastructure and certification mechanism are also essential. Requiring every studio to develop its own separate system would increase both costs and barriers to market entry.
Türkiye’s gaming sector has grown on a global scale. The right steps should be taken to protect children without trapping the country in a heavy system that collects everyone’s identity data. Zero-knowledge authentication is one of the rare solutions that makes it possible to preserve both child protection and competitiveness at the same time. Embedding this approach into the legal framework would be a more defensible choice in terms of both public interest and economic rationality.