Yup! Which is why institutions that already handle identities (governments, banks, etc) should be involved. The way I see it: an institution verifies your identity as a human and has your personal details (such as DoB). A tool (similar to, e.g. Sweden't BankID) is available to the user. When a website says "you must be 18 years old to access this", a QR code is generated. You scan the code with your tool, and agree to send *only* the information about whether or not you're an adult. Not the DoB, not anything else, just a token of "yup, adult". If a website has a strong anti-bot policy, same same goes for your "proof of human". This can be set up in a way that guarantees the user's privacy (e.g. by just not storing any logs).