ActaVerum.
// DIGITAL POLICY · ANALYSIS

Age checks are becoming the new internet control layer

The UK, Brazil, Australia, Spain, and California are pushing the web toward age checks. Protecting children is necessary; turning everyone into a verified identity is a different bargain.

By Newsroom·Jul 10, 2026·Privacy
a young person using a phone
Illustrative photo: a young person using a phone, used here to represent age verification and social media. dlxmedia.hu / Unsplash

Age verification is no longer a silly pop-up on adult sites. In 2026, it has become the central tool in a new internet policy: if children and teenagers are at risk online, platforms will be forced to prove who is a minor, who is an adult, and who can see what.

This is no longer a local experiment. The UK has tightened strong age checks for adult and harmful content, and is moving toward a social media ban for under-16s. Australia has become the most aggressive test case. Spain wants to ban under-16s from social networks and even create criminal liability for executives when algorithms amplify illegal content. California passed a law that moves age signals into the operating system. And Brazil entered the same phase through its Digital Child and Adolescent Statute, widely known as the Lei Felca.

The political question sounds simple: how do you protect children from platforms that profit from attention, automated recommendation, and data collection?

The technical question is harder: how do you do that without turning the whole internet into an identity counter?

Brazil has entered the wave

In Brazil, the Lei Felca is not just "show ID before entering a social network." The logic is broader. According to El País coverage of the Digital Child and Adolescent Statute taking effect on March 17, 2026, the law requires platforms to create effective age-verification mechanisms, bans age self-declaration for minors, prohibits personalized ads for users under 18, and limits features that encourage compulsive use, such as autoplay or endlessly repeated videos.¹

It also requires maximum protection by default for teen accounts, imposes obligations on digital betting platforms and search engines, demands periodic reports from platforms with more than 1 million registered children or teens, and allows fines of up to R$50 million per violation.¹

The nickname matters. The law became associated with Brazilian creator Felca because his video about the sexualization and adultification of children made visible a problem many families felt but could not translate into public rulemaking: children treated as adult audiences, used as content, exposed to exploitation, predatory recommendation, and monetized attention.

That is the law's strongest case. The argument that "parents should handle it" ignores scale. A family cannot audit an algorithm, know which ads a child received, see every DM, control infinite scroll, or negotiate with a global platform. When the product is designed to capture time and data, child protection has to move beyond parental settings and into service design.

But the remedy carries risk. To know who is a minor, a platform has to estimate, infer, or verify age. Any system that separates minors from adults tends to collect sensitive signals: ID, face, card, bank account, phone number, account history, behavior, device data. The line between protection and surveillance infrastructure appears there.

The Australian laboratory

Australia has shown both the promise and the problem. The country banned under-16s from holding accounts on major social media platforms, and since December 2025 services such as Instagram, Facebook, TikTok, YouTube, Snapchat, X, Reddit, and others have had to act.

The government says more than 5 million accounts held by under-16s have been removed, deactivated, or restricted since the rule began.² At the same time, enforcement was not enough. In June, Australia announced plans to double penalties for systematic breaches from A$49.5 million to A$99 million and give the eSafety Commissioner stronger investigative powers.²

The reason is straightforward: many children stayed online. A University of Newcastle study, reported by The Guardian and published in the BMJ, followed 408 young people aged 12 to 17 and found more than 80% of under-16s still using social media three months after the law took effect.³ The conclusion was blunt: limited implementation, incomplete compliance, and substantial circumvention.³

The technical detail is even more revealing. Although two-thirds of teens reported some kind of age check, only 5% of 12- to 13-year-olds and 11% of 14- to 15-year-olds had to provide a photo of official ID.³ The most common checks were declaring an age or uploading a selfie. Fake accounts and VPNs appeared as escape routes.³

That does not prove age verification is useless. It proves that a ban without robust architecture becomes theater. Robust architecture, in turn, requires more collection. Government tightens rules because the system fails; platforms collect more because government tightens rules; users look for VPNs because they distrust the collection. The spiral is predictable.

The UK, Spain, and California are converging

In the UK, the current phase began with adult and harmful content. As of July 25, 2025, sites and apps that allow pornography needed strong age checks, and Ofcom made clear that ticking a box to say "I am over 18" would no longer be enough.⁴ The regulator listed options including facial age estimation, open banking, digital identity wallets, credit-card checks, email-based estimation, mobile-network checks, and matching a photo ID to a selfie.⁴

That menu shows the scale of the tradeoff. The measure targets adult content and child protection. But it also normalizes adults handing a face, bank signal, document, phone signal, or email history to intermediaries to access legal content. Ofcom says strong checks can be done privately and that data protection remains under the ICO.⁴ Still, the social shift is large: proving age becomes a condition of browsing.

Now the UK wants to go further. In June, The Guardian reported that the country plans to have an under-16 social media ban in place by spring 2027, following Australia but adding more restrictions.⁵ The same trend is visible elsewhere: France, Norway, Malaysia, Indonesia, Canada, and proposals inside the European Union all belong to the same map.⁵

Spain accelerated this week. On July 2, 2026, El País reported government amendments to the bill on protecting minors in digital environments: a social media ban for under-16s, exceptions for educational or demonstrably low-risk platforms, and criminal liability for executives when algorithms are knowingly maintained to amplify illegal content.⁶ The proposal still has to secure parliamentary support, but the political message is clear: the network is no longer being treated only as a private product; it is becoming a regulated environment for childhood.

California points to another route: moving age signals into the operating system. AB 1043, approved on October 13, 2025 and set to become operative on January 1, 2027, requires operating-system providers and app stores to ask for age or birth date at account setup and send apps an age-bracket signal: under 13, 13 to 15, 16 to 17, or 18+.⁷

In theory, that model avoids every app asking for ID. But it creates another power: an age layer built into the device itself. The app may not see your full identity, but it receives an official signal strong enough to trigger legal obligations. For giants such as Apple, Google, Microsoft, and Meta, this may be manageable. For open-source software, alternative systems, and small developers, it becomes a heavy regulatory cost.

Why control looks necessary

There is a reason so many governments are moving in the same direction: self-regulation failed. Social networks were designed to maximize screen time, engagement, and advertising inventory. A child is not only a user. A child is data, audience, creator, target, and sometimes product.

The problems are familiar: recommendation of sexualized content, self-harm, eating-disorder material, bullying, contact from unknown adults, scams, image exploitation, betting, loot boxes, personalized ads, and compulsive scroll. Some of this is crime. Some of it is design. Some of it is a gray zone that exists because keeping a person on-screen is profitable.

So there is a strong case for public intervention. Children should not depend on the goodwill of a company that profits from their attention. Parents need real tools. Platforms should face a duty of care, reporting, audits, high default protections, limits on behavioral advertising, and fast reporting channels. Brazil was right to target compulsive design too, not only age.

The problem comes when every protection becomes an identity check.

The cost of mandatory identity

Age verification changes the internet for adults too. To block minors, a platform has to check everyone. That means an adult who only wants to access legal content may have to hand over an ID, face scan, bank account, card, phone number, or email history to a service they may barely know.

It is the same social asymmetry we saw with Meta Glasses, reached from a different direction. A technology sold for a legitimate case creates effects for people who did not buy the product: people who are not children still have to be classified; people who are not trying to access banned content still pass through the identity funnel.

This connects directly with our piece on where your data goes when you install an app. Data rarely stays where users imagine. It moves through SDKs, vendors, anti-fraud providers, analytics systems, intermediaries, brokers, and auditors. An age system creates a new class of valuable data: proof that a given person, device, or account belongs to a specific age bracket.

Even when the technology promises minimization, operational risk remains. Whoever stores ID can leak ID. Whoever uses facial estimation can make unequal errors across groups. Whoever relies on banks or cards excludes people without formal access. Whoever uses account history creates profiling. Whoever centralizes a digital wallet creates a single point of failure. Whoever outsources age assurance transfers trust to an invisible company.

Recent research supports the concern. A study of the UK's Online Safety Act found sharp increases in VPN and privacy discussion after regulatory milestones, with users framing the issue as surveillance and distrust of intermediaries rather than simple rule-dodging.⁸ Another paper on European adult-site age-verification systems found systemic weaknesses under cheap, realistic attacks.⁹ The exchange is uncomfortable: more sensitive collection for a barrier that can still fail.

That is the link to minimum viable privacy. When regulation pushes users toward VPNs, it is not always childish defiance from people who want blocked content. Sometimes it is a response to a design that asks for too much data to access the ordinary internet.

The false comfort of a simple ban

Banning minors from social media sounds clear. In practice, teenagers create fake accounts, use a parent's document, download VPNs, move to smaller apps, enter through browsers, use someone else's device, or shift to less-moderated communities. Australia has already shown part of this.³

The risk is that the state creates a feeling of protection that does not match real behavior. The young person remains online, but in a place that is less visible to parents, schools, and regulators. The big platform improves compliance; the conversation migrates to smaller venues. The problem disappears from the official dashboard, not from life.

There is also expansion risk. First age verification applies to pornography. Then to self-harm content. Then to social networks. Then to chats with strangers. Then to games. Then to sensitive political forums. Each step can have its own justification. Together, they can produce an internet where anonymous access to legal content becomes the exception.

That is the real critique of network control. Regulating platforms is not censorship by itself; letting platforms operate without rules is also a political choice. But bad regulation can give governments and companies too powerful a lever: classify users, condition access, and pressure content in the name of safety.

What a better path looks like

The best version of this agenda does not start with the document. It starts with the product.

Banning behavioral advertising to minors, limiting infinite scroll, turning off autoplay, preventing unknown adults from contacting children, restricting geolocation, blocking impulsive purchases, requiring fast reporting channels, auditing recommendation systems, publishing transparency reports, raising penalties for noncompliance, and requiring high privacy defaults all target platform design. They do not require every adult to prove identity to read the internet.

When age verification is unavoidable, it needs hard limits: minimum information, no central identity database, multiple providers, independent audits, reviewable code and protocols, short retention, a ban on commercial reuse, a right to challenge errors, alternatives for people without ID or bank access, and narrow scope. The signal should prove "over X" or "under X," not become a general passport for browsing.

Political honesty matters too. If the goal is to reduce child exploitation, good: focus on exploitation, predatory contact, abusive advertising, data collection, and compulsive design. If the goal is to control speech, say that plainly and face constitutional debate. Mixing the two under the label of child protection makes policy easier to sell and more dangerous to operate.

Protection cannot become a password for the whole internet

Lei Felca, the Online Safety Act, Australia, Spain, and California are symptoms of the same turn. After fifteen years of letting platforms decide for themselves, governments are taking power back over the social architecture of the internet. Some of that was inevitable. Some of it is necessary. Children cannot be left alone in front of systems designed by trillion-dollar companies to capture attention.

But age is too sensitive a key to treat like a captcha. The internet should not require every adult to prove who they are so governments and platforms can filter who is a child. The legitimate goal is protecting minors; the risk is creating identification infrastructure that outlives the original problem and is reused for other forms of control.

The test for the next laws is this: do they reduce real harm with less collection, less centralization, and more platform accountability? Or do they merely transfer the cost to users, parents, and teenagers, while companies gain more data and governments gain more control?

Protecting children is an obligation. Turning ordinary browsing into an identity queue is a choice. And that choice should be much harder than clicking "I am over 18."

Sources

  1. Brasil prohíbe los vídeos infinitos para menores para que no se enganchen a las redes sociales · El País · https://elpais.com/america/2026-03-17/brasil-prohibe-los-videos-infinitos-para-menores-para-que-no-se-enganchen-a-las-redes-sociales.html · 17/03/2026.
  2. Australia to double penalty for social media ban breaches to $99m as tech giants accused of 'not doing enough' · The Guardian · https://www.theguardian.com/australia-news/2026/jun/27/australia-under-16-social-media-ban-tech-companies-penalty-double · 27/06/2026.
Show 7 more sourcesHide sources
  1. Four in five under-16s in Australia using social media despite ban, study shows · The Guardian · https://www.theguardian.com/media/2026/jun/24/australia-under-16-social-media-ban-no-substantial-effects-study · 24/06/2026.
  2. Age checks for online safety – what you need to know as a user · Ofcom · https://www.ofcom.org.uk/online-safety/protecting-children/age-checks-for-online-safety--what-you-need-to-know-as-a-user · 26/06/2025.
  3. 'Tech firms are losing the public': social media age bans near tipping point · The Guardian · https://www.theguardian.com/world/2026/jun/28/tech-firms-are-losing-the-public-social-media-age-bans-near-tipping-point · 28/06/2026.
  4. El Gobierno pide hasta 4 años de cárcel para los directivos de plataformas que no actúen contra los algoritmos que amplifican contenidos ilícitos · El País · https://elpais.com/sociedad/2026-07-02/el-gobierno-pide-hasta-4-anos-de-carcel-para-los-directivos-de-plataformas-que-no-actuen-contra-los-algoritmos-que-amplifican-contenidos-ilicitos.html · 02/07/2026.
  5. AB-1043 Age verification signals: software applications and online services · California Legislative Information · https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043 · published 14/10/2025.
  6. Online Safety Regulation Increases Privacy Risk: Evidence from the UK Online Safety Act · Mehta et al. · arXiv · https://arxiv.org/abs/2606.05273 · 03/06/2026.
  7. X-rated Compliance Theater: An Empirical Evaluation of European Age Verification Systems in Adult Websites · Lavermicocca, Carminati, Longari · arXiv · https://arxiv.org/abs/2606.08667 · 07/06/2026.

— Newsroom

Comments 0