they could, but a law enforcement agent looking for a suspect will send a lot of subpoenas to every porn site. When a porn site says "we wipe that data instead of storing it," the law enforcement agent will say "what do you mean you wipe KYC and identity verification trails once you get them? Are you letting sanctioned people use your site and covering your tracks?"
Similar thing happened to Valve; people were trading gun skins, and regulators fined them for not having AML/KYC controls because the state argued "the business didn't do enough to stop money laundering."
This trickles out to porn companies (and the vendors that use them for identity verification), and implies that they need to store this data to prove that they didn't delete it to help terrorists.
It is possible to design a system where there are three parties, you, the site R that is requesting you prove your age, and a site D to which you are willing to show documentation that will prove your age, with these properties:
1. There is no direct communication between R and D related to your proof of age. You will receive a message from R, send a message to D, receive a message from D, and send a message to R.
2. R gets no information other than (1) your age information, (2) what site D checked your documents, (3) the timestamps of when you exchanged messages with them.
3. The site D just gets (1) the documents you provide to prove your age, (2) a binary blob that you generate that is for all practical purposes random to anyone other than you [1], and (3) the timestamps of when you exchanged messages with them.
If someone compromises D all they get is copies of your documents (assuming D kept them) and those for all practical purposes random blobs (if they kept them), and timestamps. They don't get the identity of R, the site you were verifying your age to.
If someone compromises both R and D, they might try to match up timestamps to try to figure out who people really are. If D is busy enough and you add some delays in your message sending it should be possible to make this risk negligible.
[1] The blob is some data you receive from R, transformed by a random permutation chosen by you. To anyone who does not know the random permutation it is indistinguishable from random.
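One way to realise the exchange described above, as an added example that is not part of the original comment: it assumes the "random permutation" in [1] is RSA blinding (multiplying R's hashed challenge by r^e mod N), which is a swapped-in technique the comment does not name. The key, the claim string and all class and function names are constructed for illustration, and the key is a toy size.

```python
import hashlib, math, secrets

# Toy RSA key for D (constructed from two Mersenne primes; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))  # held only by D
CLAIM = b"age>=18"  # assumption: D dedicates this key to one claim, since it signs blind

def h(nonce: bytes) -> int:
    """Hash R's nonce plus the claim into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(nonce + CLAIM).digest(), "big") % N

class SiteR:
    def __init__(self):
        self.pending = set()
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def verify(self, nonce: bytes, sig: int) -> bool:
        if nonce not in self.pending:       # unknown or already-used nonce
            return False
        ok = pow(sig, E, N) == h(nonce)     # checks D's public key only
        if ok:
            self.pending.discard(nonce)     # single use, blocks replay
        return ok

def user_blind(nonce: bytes):
    """Blind R's challenge with a fresh random factor r known only to the user."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(nonce) * pow(r, E, N)) % N, r

def site_d_sign(blinded: int, documents_ok: bool) -> int:
    """D checks the documents, then signs a value it cannot link to R."""
    if not documents_ok:
        raise PermissionError("age documents rejected")
    return pow(blinded, D_PRIV, N)

def user_unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def run_exchange():
    site_r = SiteR()
    nonce = site_r.challenge()                          # R -> user
    blinded, r = user_blind(nonce)                      # user -> D, with documents
    sig = user_unblind(site_d_sign(blinded, True), r)   # D -> user
    return site_r, nonce, blinded, sig                  # user -> R: (nonce, sig)
```

D only ever sees `blinded`, and R only ever sees `nonce` and `sig`, so a dump of D's records contains nothing R issued; the timestamp-matching risk from the comment is untouched by this and still needs the delays it mentions.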
Yes. It is possible to implement zero-knowledge age verification securely. There are just exponentially more ways to do it insecurely, and we can assume that by default this is what will happen.