The short answer is yes, it can.

I actually think the best method is to put the onus on parents to parent in the way they think best, while giving them effective tools with which to do it. Parental controls should be baked into the OS, and sites should be required to hook into these parental controls via an API. The system could even have the capability, optionally, to block based on a crowd-sourced list, so it can still be effective against non-compliant sites. There would be no privacy problems, because no private information is ever shared. There isn’t even a middleman who has to see any identification at any point.

However, if the goal is to have specific age verification that actually enforces age, it’s still possible. I know of two main ways.

Here’s the first: https://crypto.stackexchange.com/a/96283

It has the downside of requiring a physical device like a passport or some specific trusted long-running locally-kept identity store held by the user. But it’s otherwise very good.

Another option does not require anything extra be kept by the user, but does slightly compromise privacy. The Government will not be able to track each time the user tries to access age-gated content, or even know what sources of age-gated content are being accessed, but they will know how many different sites the user has requested access to. And sites requiring age verification will not get access to any information they didn’t already have other than the simple answer to the question “is this user old enough?” It works like this:

1. The user creates or logs in to an account on the age-gated site.
2. The site creates a token T that can uniquely identify that user.
3. That token is then blinded B(T). Nobody who receives B(T) can learn anything about the user.
4. The user takes the token to the government age verification service (AVS).
5. The user presents the AVS with B(T) and whatever evidence is needed to verify age.
6. The AVS checks if the person should be verified. If not, we can end the flow here. If so, move on.
7. The AVS signs the blinded token using a trusted AVS certificate, S(B(T)) and returns it to the user.
8. The user returns the token to the site.
9. The site unblinds the token and obtains S(T). This allows them to see that it is the same token T representing the user, and to know that it was signed by the AVS, indicating that the user is of age.
10. The site marks in their database that the user has been age verified. On future visits to that site, the user can just log in as normal, no need to re-verify.

All of the moving around of the token can be automated by the browser/app, if it’s designed to be able to do that. Unfortunately a typical OAuth-style redirect system probably would not work (someone with more knowledge please correct me), because it would expose to the AVS what site the token is being generated for via redirect URLs. So the behaviour would need to be created bespoke. Or a user could have a file downloaded and be asked to share it manually.

The AVS could also be private third parties rather than governments, if necessary. Since it probably relies on government ID, I think it’s better for the government to do it, but technologically there’s no problem with private companies doing it. They would still not gain any information about which sites you access. Only that a user with this ID card tried to access an age-gated site.

There’s also a potential exposure of information due to timing. If site X has a user begin the age verification flow at 8:01, and the AVS receives a request at 8:02, and the site receives a return response with a signed token at 8:05, then the government can, with a subpoena (or the consent of site X) work out that the user who started it at 8:01 and return at 8:05 is probably the same person who started verifying themselves at 8:02. Or at least narrow it down considerably. Making the redirect process manual would give the user the option to delay that, if they wanted even more privacy.

The site would probably want to store the unblinded, signed token, as long-term proof that they have indeed verified the user’s age with the AVS. A subsequent subpoena would not give the Government any information they could not have obtained from a subpoena in an un-age-verified system, assuming the token does not include a timestamp.