Comment by mindslight

You go to the store. You give the clerk many quarters, and get the maximum number of tickets. You go online and sell the lot, perhaps for $20. Since the system preserves privacy, doing this carries no risk for you.

Eventually this becomes common knowledge and "something must be done". Facebook (the corpo sponsoring these age verification laws to absolve their own liability) and their ilk decide that the token system no longer meaningfully proves age. They switch to demanding full government ID in cleartext, as there is still no comprehensive privacy law that would prevent such a thing.

Every single approach that puts the onus on the company to verify age falls apart this way, possibly including a de facto mandate for remote attestation (ie say good bye to libre operating systems and browsers that aren't MSIE, Safari, or Chrome). The only workable systems are ones in which the onus remains on parents giving their kids networked computing devices to enable parental controls and/or otherwise monitor their kids' usage, with those parental controls based on information flowing strictly from the website to the user agent (eg a content tag that asserts "this page is suitable for kids").

(and I say this as a parent who is staring down having to deal with this problem in a short year or two)