> 📥 The full one-pager is available as a PDF (Danish). Download it at the top of the page — plan distinction, data tiering, and the grown-up answer in five steps.
A client asked me whether they should drop Claude because of the new ID verification starting July 8. That's the wrong question. The right one is two-part. Which plan are you on? And which data should ever touch a US model in the first place? Here's the overview I'm using right now.
1 · Facts about the ID verification
From July 8, 2026, Anthropic may ask you to verify age or identity through the third party Persona before certain Claude features work.
- It applies to the consumer plans Free, Pro, and Max.
- It does not apply to Team, Enterprise, or the Developer Platform/API. Those run on Commercial Terms — a separate agreement.
So the first question isn't who owns or backs Persona. It's which plan you're on.
2 · The plan distinction is the key
| Plan type | What it means |
|---|---|
| Consumer plans (Free / Pro / Max) | Consumer terms. ID verification. Your data can be used to train the model unless you actively opt out. No data processing agreement. Never use these for business data. |
| Team / Enterprise (commercial agreement) | You are the data controller, Anthropic the processor. They may not train on your content. You keep your inputs and own your outputs. A DPA with SCCs is included by default. No ID verification. |
If you use Claude seriously, use a business account. Including when developers code with Claude Code. Never a personal account for work data.
3 · What actually matters: jurisdiction
A US vendor is subject to US law regardless of where the servers sit. The CLOUD Act (2018) reaches the parent company, not the server room in Frankfurt. EU Data Boundary and similar moves the data location, not the jurisdiction. This is neither new nor unique to Anthropic. It applies to your US cloud and your US CRM in exactly the same way.
Fleeing to Chinese models doesn't solve it. You don't trade the risk away. You trade it for one that's harder to see through.
GDPR angle: claude.com is a third-country transfer (Chapter V). It can today rest on the Data Privacy Framework (in force since July 2023), but that basis is fragile. It's under appeal at the Court of Justice (case C-703/25 P) and rests on a US presidential order that a future administration can change.
So: keep an SCC fallback ready. The SCCs are already in Anthropic's DPA, and if you want data inside the EU, route through e.g. AWS Bedrock EU (Ireland or Frankfurt).
4 · Which data should touch a US model?
| Tier | Examples |
|---|---|
| 🟢 GREEN — usually fine | When input is cleaned of personal data: strategy and analysis, marketing, internal knowledge, design, coding without trade secrets. |
| 🟡 YELLOW — prefer EU | Route via EU hosting: customer-service content, personalization and recommendations, vendor data. |
| 🔴 RED — not US | Not on US infrastructure: customer personal data, HR data, sensitive contracts, special categories like health and biometrics. |
5 · The grown-up answer (do this)
1. Find out which plan you're on. Consumer plan or commercial agreement (Team/Enterprise). It decides both the ID requirement and the terms your data is processed under.
2. Read your DPA (GDPR art. 28). Where does data land, who are the sub-processors, and is the vendor DPF-certified? Check the official list at dataprivacyframework.gov.
3. Decide data tiering. Which data should ever touch a US model? Personal data, special categories (art. 9), trade secrets, and customer data don't necessarily belong in the same place. Write it down.
4. Keep an SCC fallback ready. If DPF falls at the Court, the companies best positioned are those that already have SCCs and a transfer impact assessment in place. Don't wait for the ruling.
5. Regulated sector or supplier to a public authority? Bring in your DPO or a lawyer now, not after the decision is made.
> ⚠️ Disclaimer. This is general practical guidance, not legal or compliance advice, and I am not a lawyer or a compliance specialist. Don't use it as a sole basis for decisions. Always involve your own compliance or legal team and your DPO on your specific situation before making a vendor or data decision. Timelines and case law shift: verify dates and status against primary sources (EUR-Lex, the European Commission, Datatilsynet). Status as of June 2026.
📬 Subscribe to the newsletter "AI, Built Human" on Substack — the field here changes every week.
Stefano Vincenti · AI Advisor & External Lecturer, IT University of Copenhagen · Cofounder & CTO BotTellMe · Partner, TryZone · aitrainer.dk