Seems like if you just disclose and make assurances that "you take security seriously" then it's fine.

HIPAA doesn't have a private cause of action so if a violation happens, it's a wealth transfer to the government, it doesn't mean anything to you or any individual.

And most companies can simply price it in as cost of doing business at this point.

unfortunately, even if the fine seems harsh, if it is less than the profits generated the fine is an operating expense and not a deterrent.

>cards don't work perfectly as age verification either.

there are 0 "perfect" age verification systems.

plenty of minors can have their brother/sister/parents supply their id, or do the verification video. the on-device verification discord rolled out was, within hours, broken. i remember news reports of kids submitting photos of their dogs and being verified as of-age.

credit card solves most of the problem with much less downside than submitting my face (i am already okay putting my card info into most sites)

Prepaid cards can't masquerade as credit cards as there are easy ways to differentiate them (the numbers have meaning) and a minor getting access to the family credit card is the parents giving them permission. I'm not convinced credit card for age verification is a good solution for all cases but for cases where you've already used a credit card to access the service it would be perfect.

Age of account was sufficient for Google and third-party services for verification until recently. My gmail account is almost 22 years old, in continuous use. I have a credit card on file with Google Pay. Why would I need to submit a photo to engage with a private service, outside of volunteering to help train a surveillance apparatus?

Is there any forum short of a senate subcommittee that the public can ask companies these questions? The silence is deafening.

Probably because the transfer of accounts (typically for reasons of better spamming, but in this case for adult access) is possible.

However, that makes me wonder what mechanism might "unverify" an account holder's age upon transfer. I suppose it's simply a need to re-verify (take a new photo) upon every login, but then folks could transfer the session cookie to avoid needing the new owner to perform a login (unless a new device ID/fingerprint makes the old cookie useless).

It's not like they were really doing a very good job anyway. My data has been leaking for two decades now.

How much money did the CFPB actually give back to wronged consumers?