The world’s age verification laws show digital identity remains broken

In December 2025, Australia did what everyone said was impossible and banned teenagers from social media. 

Within a few days, Meta, X and other platforms had removed 4.7 million accounts. The Australian approach sparked a chain reaction that has seen dozens of countries follow with their own versions or efforts to introduce bans.

France announced plans for a 15-year threshold by September 2026. Portugal passed legislation in February. Malaysia, Norway and then Brazil followed. In the United States, 25 states now have age verification laws on the books and the first state in India is doing the same.

Protecting the young from the full force of social media is the core aim, but these regulations go beyond that. These programmes are the largest coordinated deployment of digital identity verification the world has ever seen.

While there has been success, the messy rollout is also exposing fundamental gaps in how we prove who we are online.

What the pioneers reveal

Australia, as the first mover, is the country with the most complete data and it paints a mixed picture of success.

Four months after the ban’s introduction, recent surveys suggest that one in five teens is still able to access TikTok and Snapchat despite the restrictions. Platforms are enforcing the rules, but teenagers are bypassing them using a combination of VPNs, borrowed credentials and fake birth dates.

A mass hurdling of content gates has been seen before. 

In 2021, China restricted minors to three hours of gaming per week, a policy that used verification through mandatory real-name registration tied to national ID. That was extended further still to restrict playtime to 8-9pm on Fridays, Saturdays, Sundays and public holidays. Then in 2023, it was updated to cover live-streaming and other video social media.

China’s approach is one of the most robust digital identity enforcement regimes any country has ever deployed, and estimates of its results vary wildly. A 2022 report suggested 75% of minors spent three hours or less playing games per week. A survey two years later claimed more than half of Chinese parents would let their children use their ID to play games.

What’s more certain is that this level of dependence on state surveillance infrastructure is a step that most democracies wouldn’t go to. But both examples show that enforcement without proper identity infrastructure is little more than a game of whack-a-mole.

A fragmented global response

The approaches vary wildly, revealing zero consensus on what age verification should look like.

Australia chose a hard ban.

Under-16s in the country are barred entirely, with no parental consent exceptions. There are fines of up to A$49.5 million for platforms that fail to comply. But there are no penalties for users, and enforcement depends entirely on platforms identifying underage accounts.

Portugal, meanwhile, opted to use existing infrastructure to implement its ban.

Its Digital Mobile Key (DMK) is already used for government services, and it now handles parental consent for teens aged 13-16. The system is privacy-preserving and doesn’t require any biometric scans, but enforcement depends entirely on parents actively managing access.

The UK went about its age restrictions through a piece of legislation rather than a ban.

It pushed platforms to introduce proactive content moderation, age verification and risk assessments for all online content. Some companies, including image hosting site Imgur, opted to block access to UK users in response. Already there’s a proposal to extend the law and follow Australia with an outright ban on minors using social media.

The US is a patchwork, like many things in politics due to its federal system. 

California’s law requires operating system providers and app developers to implement age verification for users starting on January 1, 2027. Last year, Florida banned children aged 13 and younger from creating social media accounts and introduced parental consent for those aged 14 and 15. Utah, meanwhile, has seen its proposed age verification law challenged in court, and Louisiana’s was deemed unconstitutional.

No single verification method is flawless

Despite the variance, every tool that’s been deployed comes with significant flaws.

Document verification, the process of uploading IDs, is accurate but it comes with serious security liabilities. 

Messaging platform Discord made headlines when its security vendor had 70,000 government IDs exposed in a breach this year. Then there’s also the issue of IDs themselves. More than 15 million Americans lack any ID, for example, with the number disproportionately high among minorities and immigrants.

Facial estimation, or scanning selfie photos to estimate age, is a quick method, but it is not perfect and can be less accurate for women and people of colour. With this method, adults who are flagged as minors must repeatedly submit selfies in order to pass. The more verification happens, the more biometric data accumulates and must be stored or disposed of correctly.

Digital identity wallets, such as Portugal's DMK or the forthcoming EU Digital Identity Wallet, are more robust and privacy-preserving verification options but they are dependent on governments issuing them and platforms integrating them, as we noted recently.

Technology may offer better options

There’s been reluctance to adopt new technologies for identification, despite the industry making huge strides with solutions that can preserve privacy more effectively.

Zero-knowledge proofs (ZKPs) sound incredibly technical but they have the potential to answer the problem.

ZKPs verify a statement without requiring or revealing the data that proves it. In simple terms: a single ‘proof’ stands in for the information, in this case confirming the user’s age, and that proof is all that is needed for verification.

That means a platform can confirm ages without needing photos, IDs, biometrics or other data that could be lost or stolen. The technology works in the right setup, but adoption has been slow. That could change with Google introducing it into its wallet platform to prove age and ID.

Verifiable credentials work in a similar way. A user holds a cryptographically signed credential from a trusted issuer, such as a government, school or parent, which proves their age. Online platforms then verify its authenticity without needing to contact the issuer or store the user’s personal data.
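The offline check described above, as an added example that is not part of the original article or any wallet's real format: an issuer signs a claim that says only "age over N", and a platform verifies it against issuer public keys it already trusts. The issuer name `issuer.example`, the claim fields and both function names are assumptions made for illustration.

```javascript
// Added illustration: issuer name, claim fields and helpers are hypothetical.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Issuer side: signs a minimal claim set. The credential carries only an
// "age_over" predicate and an expiry, not a name or a date of birth.
function issueCredential(privateKey, issuerId, ageOver, expiresAt) {
  const payload = Buffer.from(
    JSON.stringify({ iss: issuerId, age_over: ageOver, exp: expiresAt })
  );
  // Ed25519 takes no separate digest algorithm, hence null.
  const signature = sign(null, payload, privateKey);
  return {
    payload: payload.toString("base64url"),
    signature: signature.toString("base64url"),
  };
}

// Platform side: checks the credential against issuer public keys it
// already trusts. No request to the issuer, nothing personal to store.
function verifyAge(credential, trustedIssuers, requiredAge, now) {
  let payload, signature, claims;
  try {
    payload = Buffer.from(credential.payload, "base64url");
    signature = Buffer.from(credential.signature, "base64url");
    claims = JSON.parse(payload.toString("utf8"));
  } catch {
    return "malformed";
  }
  if (claims === null || typeof claims !== "object") return "malformed";
  const publicKey = trustedIssuers.get(claims.iss);
  if (!publicKey) return "untrusted issuer";
  // Verify the signature over the exact bytes received before trusting claims.
  if (!verify(null, payload, publicKey, signature)) return "bad signature";
  if (typeof claims.exp !== "number" || claims.exp <= now) return "expired";
  if (typeof claims.age_over !== "number" || claims.age_over < requiredAge)
    return "below threshold";
  return "verified";
}

// Constructed sample run: a 16+ credential presented to a platform.
const issuer = generateKeyPairSync("ed25519");
const trusted = new Map([["issuer.example", issuer.publicKey]]);
const now = 1800000000; // fixed clock in seconds so the run is repeatable
const cred = issueCredential(issuer.privateKey, "issuer.example", 16, now + 3600);
console.log(verifyAge(cred, trusted, 16, now));
```

A bare credential like this still verifies when it is copied or borrowed; this sketch leaves out holder binding and a per-request challenge, which is what stops that.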

The upcoming EU Digital Identity Wallet, which is expected to launch before the end of 2026, is building toward this model. If it works as planned, it will offer user-controlled, privacy-first identification that’s interoperable across many services. That could become the global standard.

But there’s a caveat: for that success to go truly international, it will require international coordination. A credential that’s issued in Portugal, for instance, will need to work in France, Australia, and California. Right now, that coordination doesn't exist.

Answering who we are online

Age verification laws continue to grow apace. Brazil introduced its own set this month, and the likes of Canada, India and Indonesia are among the countries that are investigating possibilities or have bills in progress.

Age verification is forcing answers to the long-asked question of how we prove identity online without sacrificing privacy. Governments want platforms to verify users. Parents want protections. Platforms want to avoid liability. But the infrastructure to do all of this safely doesn't exist yet.

The pioneers are showing us what happens without it. Australia proves that enforcement without identity infrastructure is whack-a-mole. Portugal shows that existing government systems can be leveraged for privacy-preserving verification. The UK shows that heavy-handed regulation drives platforms to geo-block entire countries.

If we want age verification to work, we need trusted infrastructure to support it. Verifiable credentials. Zero-knowledge proofs. International standards. Privacy by design, not as an afterthought.

Digital identity is evolving whether we're ready or not. Age verification is just the forcing function.
