Okay, I'm not very good at coding, especially web.
It seems to me that the "logical" solution to this is some sort of local key like "sudo" that the user enters/has access to. This key is on a cookie or request or something that says "This request is being done by a verified adult" and then the website goes "cool here's your data". If the request does not have it, then the website says "Sorry you need one of these keys/permissions to access".
I see this as elegant because like modern IDs, YES THEY COULD GET AROUND IT, but at least it gives parents and users who want to abide and try the ability. Kids get fake IDs, they get stuff they shouldn't. So long as audits show that the businesses are trying to catch this and punishing those who ignore procedures properly, things are "fine".
How infeasible is this from a coding perspective? I get that we're fucking with standards here, but I figured it would make most sane users and companies happy. Companies don't have to keep PII, just a log of "yes this access from this IP was approved, but we discovered it was used falsely and banned that key", and users have a tool that's set up once locally (or refreshed when you want a new key).
I guess you'd need some way to authenticate these, as if it's too easy to spoof what's the point, but it strikes me as leagues better than "store everyone's colonic map".
How off base am I here? Is the theory somewhat sound or is this just dead from the ground up?
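
The scheme described in the post above, sketched as an added example that is not part of the original post: an issuer hands out a token that carries only a random key id, an "adult" flag and an expiry, and the site checks the token and its own ban list before serving. All names here are hypothetical, and HMAC with a demo secret stands in for the issuer's signature.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: HMAC with a demo secret stands in for the issuer's signature.
# A real scheme would use an asymmetric signature so sites can verify but not mint.
ISSUER_SECRET = secrets.token_bytes(32)

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(ttl_seconds=3600, now=None):
    """Issuer side: attest 'adult' under a random key id; no name or birth date."""
    now = time.time() if now is None else now
    claims = {"kid": secrets.token_hex(8), "adult": True, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims).encode()
    mac = hmac.new(ISSUER_SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(mac)

def key_id(token):
    """Key id a site would log and ban; it identifies the key, not the person."""
    return json.loads(b64d(token.split(".")[0]))["kid"]

def check_request(token, revoked, now=None):
    """Site side: return (allowed, reason); the reason is what the audit log keeps."""
    now = time.time() if now is None else now
    if not token:
        return False, "missing token"
    try:
        body, sig = token.split(".")
        payload, mac = b64d(body), b64d(sig)
    except ValueError:  # wrong part count or bad base64
        return False, "malformed token"
    expected = hmac.new(ISSUER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    claims = json.loads(payload)  # parsed only after the MAC checks out
    if claims.get("adult") is not True:
        return False, "no adult claim"
    if claims["exp"] < now:
        return False, "expired"
    if claims["kid"] in revoked:
        return False, "revoked key"
    return True, "ok"

if __name__ == "__main__":
    token = issue_token(ttl_seconds=60)      # constructed sample token
    print(check_request(token, set()))
    print(check_request(token, {key_id(token)}))
```

The site never sees who holds the key; banning a key that was used falsely only needs its id in the `revoked` set.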