Next time someone asks to see your ID in a store, all they likely need is proof you’re over 18. What they get instead: your full name, address, date of birth, license number, and organ donor status.

This gap between what’s needed and what’s shared defines our relationship with data privacy and it’s about to become a much bigger problem. We overshare data points that comprise our identity every single day.

Digital identity has been a hot topic lately, with Apple recently making headlines for issuing digital credentials linked to your passport. A major benefit is selective sharing: instead of giving third parties access to every piece of personally identifiable information (PII) on your ID by default, you choose what to share, reducing the risk of sensitive data falling into the wrong hands.

What excites me about this is the potential for this to go even further. For example, a bar might request my date of birth or age when I tap my phone, but all they really get is confirmation that I’m over 18 (or 21 in the US). Nothing more.

With digital identity, the potential to provide abstracted validations like this without revealing the raw PII behind the scenes could be another leap forward in data privacy. The tech most often associated with this is called ZK, or “Zero-Knowledge” Proofs.

Apple and Google’s incumbent position as the devices and platforms running our digital lives gives them prime opportunity to educate consumers and take this kind of tech mainstream in a way that others cannot.

They are uniquely positioned to provide the necessary building blocks for 3rd parties to integrate, and just as importantly, have the leverage to be patient with regards to user adoption.

We’ve seen this play out before, where adoption starts really slowly and then accelerates once an inflection point has been hit. In mobile payments, Apple Pay launched in 2014, and its U.S. inflection point was COVID-19 six years later.

Passkey technology has been around since 2016, but the wave of data breaches in the 2020s pushed websites to adopt it, especially as most people still struggle to create strong, unique passwords. Still, outdated security questions like “First Concert Attended” or “First Pet’s Name” remain far too common for a generation born online.

With ZK tech, I can’t help but wonder if AI will be that inflection point. In a coming world where AI agents are making purchase decisions, running business workflows and taking other actions on our behalf, it becomes incredibly important that any data points and authorization necessary to execute those actions are available and confirmable.

This could open new avenues for exposing PII and sensitive data unless privacy-preserving solutions are built into AI tools, platforms, and partnerships. An option to “Hide My PII,” similar to Apple’s “Hide My Email” feature, which creates tokenized burner email addresses, would be incredibly appealing to me.

There is also another risk here though. The problem isn’t necessarily the tech, but more so what is deemed important or necessary to validate. By making it easier to request PII information, even if abstracted away from the specifics, we may see companies that don’t actually need this information requesting it in their apps and websites simply because they can.

OpenTable now tells restaurants whether you’re a ‘big spender’ or ‘often late’ before you even arrive for dinner. Your iPhone’s battery level can be used to track you across the web. A fitness app’s anonymized running data exposed secret military bases.

It’s going to be a wild few years (and decades) ahead in data privacy, especially when I think about all the various data points that will likely be required to deliver an outcome where autonomous agents can effectively act on our behalf, all day, every day.

And unlike handing your ID to a person in a store, you may not even know what data your AI agent is sharing, or with whom, unless privacy tech is built in from the start.