On July 25th, the UK became one of the first countries to widely implement age verification. Its Online Safety Act requires sites hosting porn and other content deemed “harmful” — including Reddit, Discord, Grindr, X, and Bluesky — to verify that users are over the age of 18. The early results have been chaotic. While many services have complied, some have pulled out of the country rather than face the risk and expense. Users have tricked the verification tools or bypassed them with VPNs. It’s just a taste of the issues that many other countries might face as they launch their own systems, and it’s a situation that privacy and security experts have long warned about — to little avail.

Following a yearslong political push to make the internet safer for kids, age verification has started seeping into online spaces across the globe. Lawmakers in the US, Europe, Australia, and elsewhere have all passed age-gating rules, and platforms have begun to comply. The likely methods for verification are similar to those in the UK. Platforms typically ask users to either enter a payment card, upload a government-issued ID, take a selfie, or allow a platform to use their data (like account creation dates and user connections) to “estimate” their age. Most rely on third-party services: Bluesky uses the Epic Games-owned Kids Web Services; Reddit is working with Persona; and Discord has partnered with k-ID.

The outcome so far is an assortment of online services handling sensitive user information — a “privacy nightmare,” says Cody Venzke, senior policy counsel at the American Civil Liberties Union. “There is no standardization of how age verification is supposed to take place.”

Some age verification platforms promise to erase your data after a certain period of time, like the seven days that Persona says it will keep the information used to verify your age on Reddit. But there’s no guarantee every service will do this, and there are still massive security risks given how common data breaches have become. Last year, a security researcher found that AU10TIX — an identity verification solution used by TikTok, Uber, and X — left user information and driver’s license photos exposed for months, 404 Media reported.

“When uploading your ID … you are handing it over to a third party,” Venzke says. “You’re going to take their word that they’re going to delete it or remove it after they’re done using it.”

Despite these potential pitfalls, governments are plowing toward the future of an age-gated internet anyway. In addition to a crackdown in the UK, the European Union is hurtling toward a broad rollout of digital IDs, Australia is age-gating search engines, and users in many US states need IDs to access porn sites.

Age verification was long viewed as unconstitutional in the US, but the Supreme Court overturned that precedent earlier in 2025, concluding “adults have no First Amendment right to avoid age verification” if it’s meant to protect underage users from “obscene” content. Several states, including Alabama, Idaho, Indiana, Kentucky, North Carolina, and Texas, have implemented laws requiring verification measures on adult websites. Some have tried to extend this to social media or app stores as a whole, but so far, they’ve failed — lawsuits filed by NetChoice, a technology trade group backed by Google, Meta, X, Amazon, Discord, and other tech giants, have successfully blocked bills in California, Arkansas, Georgia, Ohio, and Florida.

As in the UK, there’s no guarantee against privacy and security breaches for states with age verification laws, and there’s little standardization in this bevy of rules. Efforts in the US also coincide with escalating government digital surveillance and attempts to declare expressions of LGBTQ sexuality, like drag shows, as obscene, raising the risks of handing over personal data even further.

Not all age verification efforts entrust users’ privacy to third-party services with a host of different methods. The EU is trialing not only age-gating requirements, but also government-managed digital IDs. It has started testing an age verification system prototype designed to “bridge the gap” before digital IDs arrive by the end of next year. The solution will allow users to upload their passport or government ID card to a government-built system, which then generates a “proof of age attestation” that is passed to sites. Sites can also use the customer identification methods employed by banks and mobile carriers. The goal is that users can upload sensitive information to a single system that can be held to a high privacy standard and is simple for sites to use.

Though having a centralized age verification solution may prevent users from having to pass their information through multiple verification services, plenty of questions remain regarding surveillance and accessibility. Aside from the ever-present possibility of data breaches, digital IDs may also restrict undocumented individuals from accessing content online. And, without the proper safeguards, digital identity systems may still “phone home” to the ID’s issuer when a user’s age is verified, potentially allowing providers to track online activity.

“If I pull up my ID at the liquor store, the DMV doesn’t know that, but with digital identification, there’s a potential for that,” says Alexis Hancock, the director of engineering at the Electronic Frontier Foundation (EFF).

Down the line, the EU says it plans to enhance the framework with technology called zero-knowledge proof (ZKP). This is a cryptographic verification method that allows a service to prove something is true or false without revealing any additional information, as outlined by the EFF. That means an app could verify that a user is over the age of 18 without disclosing their exact birthdate. Google has already built a ZKP system into Google Wallet and has since open-sourced the technology, which it’s encouraging EU members to adopt.
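
As an added illustration (not from the article, and not the EU's or Google's scheme): a hash-chain age commitment, a simpler stand-in for a zero-knowledge proof, shows how a verifier can confirm "at least 18" without seeing a birthdate or contacting the issuer. The function names are hypothetical, and the issuer's signature over the commitment is assumed and left out.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def _chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 to value `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def issue(age: int) -> Tuple[bytes, bytes]:
    """Issuer side: after checking the ID once, hand the user a secret seed
    and publish commitment = H^age(seed). Assumption: the issuer signs the
    commitment; that signature is omitted here."""
    seed = secrets.token_bytes(32)
    return seed, _chain(seed, age)


def prove(seed: bytes, age: int, threshold: int) -> Optional[bytes]:
    """User side: reveal H^(age - threshold)(seed). Below the threshold no
    valid proof exists, because it would require inverting the hash."""
    if age < threshold:
        return None
    return _chain(seed, age - threshold)


def verify(commitment: bytes, proof: bytes, threshold: int) -> bool:
    """Site side: hash the proof `threshold` more times and compare.
    Runs locally, so the issuer never learns where the proof was shown,
    and the site never learns by how much the user exceeds the threshold."""
    return secrets.compare_digest(_chain(proof, threshold), commitment)


if __name__ == "__main__":
    # Constructed sample values: a 34-year-old and a 16-year-old.
    seed, commitment = issue(34)
    print("adult passes 18+ check:", verify(commitment, prove(seed, 34, 18), 18))
    seed_minor, commitment_minor = issue(16)
    print("minor can build a proof:", prove(seed_minor, 16, 18) is not None)
    # Replaying the raw seed as a "proof" fails: H^18(seed) != H^16(seed).
    print("minor's forged proof passes:", verify(commitment_minor, seed_minor, 18))
```

Unlike a full zero-knowledge proof, the commitment here is a stable value that sites could compare to link one user across visits, which is one of the gaps real ZKP systems are meant to close.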

Even with ZKP in place, Hancock says that there are still concerns about which sites and apps can ask for information about a user’s age. “I haven’t seen anything remotely promising at the moment that actually reels in verifiers in particular,” Hancock says. “There’s not a lot of scope restriction on who can actually ask for this and if it’s even needed in some cases.”

Lawmakers and regulators have argued that there are overwhelming benefits to protecting children from harmful content or exploitative social media platforms. Melanie Dawes, the chief executive of Ofcom, the UK’s communications regulator, boasted that “prioritizing clicks and engagement over children’s online safety will no longer be tolerated in the UK,” and US lawmakers and regulators have declared porn and social media a public health crisis. “Putting in place commonsense guardrails that protect our kids from the dangers of social media is critical for their future and America’s future,” Sen. Katie Britt said in an announcement about the Kids Off Social Media Act.

While keeping kids safe online is important, this messaging downplays or ignores the ripple effects. Right now, there just isn’t any clear-cut way to verify someone’s age online without risking a leak of personal information or hampering access to the internet. Until lawmakers stop and think about the bigger picture, everyone’s privacy is going to be at risk.
