Between July 2025 and March 2026, age verification shifted from a compliance edge case to a structural layer of the consumer internet. The UK introduced wide-scale online age verification on July 25, 2025, through the Online Safety Act, and Australia started imposing stricter age verification rules on March 9, 2026. By 2025, roughly half of U.S. states now mandate some form of age gating for adult content or social media access, and additional laws are expected to take effect in 2026. What began as targeted restrictions on pornography sites has metastasized into a patchwork of technical mandates affecting social media, gaming platforms, app stores, and any service that minors might access. The question is no longer whether these systems will exist, but what they will cost users who had no say in their design.
What Actually Happened
The UK’s Online Safety Act, which received Royal Assent in October 2023 and entered phased enforcement through 2024 and 2025, is the most comprehensive age verification mandate currently in force. Platforms hosting adult or other harmful content must now perform robust checks to stop minors from accessing it, with accepted methods including photo ID, facial age estimation, and checks through banks or mobile providers. In early 2026, the UK Information Commissioner’s Office fined Reddit $14.5 million for failing to adequately protect children’s data and relying heavily on self-declaration.
Australia’s social media ban for under-16-year-olds was passed on 28 November 2024, and came into force on 10 December 2025. In January 2026, Australia required social networks including TikTok, YouTube, and Instagram to ban users under 16 altogether or pay heavy fines, and as of March 2026, the ban also applies to porn sites and the online aspects of explicit video games, with platforms facing fines up to AUD 49.5 million for non-compliance.
The United States lacks federal legislation, but state action has been aggressive. Age verification laws are active in exactly 25 states. In the United States, more than 25 states now require age checks to access adult content, following the Supreme Court’s decision to uphold Texas’ age-verification law. Enforcement varies: some laws target only adult content, others extend to social media, and a few propose device-level verification at the operating system layer. One of the most significant developments for 2026 is the proposal to shift age verification responsibility from individual websites to operating systems, with Colorado lawmakers considering legislation that would require age verification at the operating system level.
On 28 March 2026, Indonesia banned social media for children under the age of 16, becoming the first country in Southeast Asia to enforce a social media ban, with platforms such as YouTube, TikTok, X, Facebook, Instagram, Threads, Roblox and Bigo Live the first to be banned. In September 2025, Brazil passed a law that would require social media companies to implement age verification and link accounts under 16 with their parents, which came into effect on March 17, 2026.
The Actual Technical Mechanisms in Deployment
What does “age verification” mean in practice? The implementations vary, but three methods dominate.
Age verification techniques always involve submitting personal or sensitive data, from scanning a photo ID to inputting your payment card details. Document-based verification requires users to upload a driver’s license or passport. The user begins the verification process by scanning their ID and taking a selfie, while OCR technology automatically captures the document’s date of birth to calculate the age. These documents are either stored by the platform, passed to a third-party verification service, or allegedly deleted after a cryptographic token is issued. Each model shifts the locus of risk without eliminating it.
Facial recognition for age verification is a technology that estimates a person’s age by analyzing their facial features; instead of requiring you to upload a driver’s license or passport, the system uses sophisticated algorithms to look at a live image or video of your face and identifies key characteristics to determine if you meet a specific age threshold. Biometric face analysis can achieve an impressive 95-99% accuracy in estimating whether a person is 18 years old or higher, blocking up to 100% of underage users from getting access to adult material. The claim of 100% effectiveness is vendor marketing, not independent evaluation. It also ignores circumvention entirely.
Third-party attestation systems involve banks, mobile carriers, or government digital identity wallets vouching for a user’s age without revealing their full identity to the requesting site. The EU Digital Identity Wallet will become available in 2026, steering the debate toward identity-based solutions. The European Commission rushed a “mini AV” app out ahead of schedule this year, citing an urgent need to address concerns about children and the harms that may come to them online; however, this proposed solution directly tied national ID to an age verification method. The infrastructure built for age verification is reusable for other verification purposes. Mission creep is a feature, not a bug.
The Circumvention Reality and Policy Response
Opponents of age verification laws often claim that it’s easy to subvert age restrictions, noting that all kids need to do is use a VPN to change their location to a country with different laws, with VPN downloads skyrocketing in Australia soon after its age verification laws went into effect. Anecdotally, the youth of Australia treat the law as a joke, circumventing it by very simple mechanisms.
Legislators have noticed. In 2025, Wisconsin lawmakers escalated their war on privacy by targeting VPNs in A.B. 105/S.B. 130, an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN. The Wisconsin bill initially introduced age verification and sought to block VPN access to certain sites, though an amendment on February 19, 2026, removed VPN bans from the bill, while age verification remains and the bill is due to be signed into law.
EU Executive Vice-President Henna Virkkunen didn’t need to explicitly use the phrase “VPN ban” to spark concern among cybersecurity experts and privacy advocates; what was once considered a drastic measure reserved for authoritarian regimes is increasingly being framed as a logical next step for democratic regulators as age verification becomes a global norm, with Virkkunen saying during a press conference on April 29, “Of course, it’s an important part of the next steps also to look at that it shouldn’t be circumvented,” responding to questions regarding how regulators might prevent children from bypassing the EU’s new age verification app using a VPN. MPs have called for a VPN ban, alongside age checks for the privacy tools, and the House of Lords voted to ban VPN use for children with the UK government currently undergoing a consultation.
The EPRS paper acknowledges that current age-assurance methods are “relatively easy for minors to bypass,” but offers no technical workaround to prevent VPN circumvention. The sequence is revealing: mandate age verification, observe circumvention via VPN, propose restricting VPNs. The initial justification was child safety. The expanded justification is enforcement of the child safety measure. The actual outcome is a generalized reduction in the ability to access the internet anonymously.
What This Costs Email Users and Why It Matters Now
Email providers have not yet been swept into most age verification mandates. The UK Online Safety Act applies primarily to platforms with user-to-user interaction and user-generated content. The state laws in the U.S. focus on adult content and social media. But the trajectory is clear. Freedom House’s 2025 Freedom on the Net report identified age-verification mandates as a growing factor in the global decline of internet freedom, warning that online anonymity, long considered a foundation of free expression, is increasingly under pressure.
Email services that allow account creation by minors, or that fail to demonstrate they exclude minors, will face pressure to implement age assurance. In jurisdictions where “duty of care” language is adopted, platforms may be held liable for harms to users they know or should have known are minors. Even though KOSA does not require age verification directly, platforms must still distinguish between minors and adults in order to apply appropriate protections, and many experts believe that platforms will ultimately need reliable age assurance and identity verification mechanisms to demonstrate compliance with the law. This creates an incentive to verify everyone.
The result is a landscape where anonymous account creation becomes structurally difficult. The email address, historically a low-friction pseudonymous identifier, becomes a node in an identity graph. Providers that refuse to implement verification will be excluded from regulated markets or face intermediary liability. Providers that do implement verification become custodians of sensitive data or dependent on third-party verification infrastructure they do not control.
Age verification systems have been criticized for privacy and computer security risks, with data breaches including AU10TIX (2024), Discord/5CA (2025) and Persona (2026). These are not edge cases. They are the expected outcome of mandating that identity data flow through new intermediaries at scale.
What Architecture Mitigates This
Decentralized, jurisdiction-resistant infrastructure limits exposure to mandate creep. Services operating over Tor, accepting cryptocurrency, and designed without centralized identity stores do not collect what they cannot be compelled to verify. Services that require no verification during signup, no phone number, and no recovery email operate architecturally to minimize custodial data exposure.
Open-source post-quantum cryptography projects such as PQCServer, released under AGPL-3.0, provide reference implementations for email encryption that do not depend on centralized key escrow or identity verification. By making encryption tooling available without requiring accounts tied to verified identities, such projects distribute the capacity for private communication outside the boundaries of regulated platforms.
These are not solutions to the policy problem. They are architectural mitigations to the technical and privacy consequences of the policy. The distinction matters. Age verification mandates will continue to expand. The platforms that comply will become checkpoints. The platforms that do not will serve users who understand that compliance and privacy are increasingly in tension.
Where This Leads
By 2026, age verification is likely to be a default requirement across much of the consumer internet, and the central question is no longer whether verification will exist, but how it will be implemented, and at what cost to privacy and access. The cost is distributed but predictable: more data breaches, more identity infrastructure controlled by a smaller number of intermediaries, more barriers to anonymous access, and more justification for restricting tools designed to preserve anonymity.
The enforcement of age verification is already fragmenting the internet, with smaller platforms exiting regulated markets due to compliance costs and legal exposure, while larger platforms have resorted to broad access blocks. The rules have already had visible consequences, with PornHub withdrawing from France rather than implement the required system.
The policy discourse frames this as a tension between child safety and privacy. The technical reality is simpler: systems built to verify identity can be used to verify identity for any purpose a regulator specifies. Age verification today is the precedent for political affiliation verification, location verification, and device integrity verification tomorrow. The mechanisms are interchangeable. The justification will vary. The outcome is a network that knows who you are before you speak.