Both technology experts and lawmakers are grappling with a defining challenge: the internet offers tremendous opportunities for learning and global connection, but giving young people unrestricted access can expose them to significant risks.
However, effectively limiting children’s exposure to harmful online content is no easy task, as doing so without also monitoring adult activity could seriously undermine digital privacy.
Some supporters view these regulations as essential steps to safeguard children online, but many cybersecurity specialists caution that the proposed and enacted laws often have implementation flaws, putting adult users at risk as well. In the U.S., 23 states had already passed age verification requirements by last month, and two more are set to follow in September. Over in the UK, the Online Safety Act began enforcement in July, mandating that various digital services must check users’ identities before allowing access.
Below is an overview of the current landscape regarding age and identity verification online.
What is age verification?
Modern age verification laws are far from the days of simply ticking a box to say you were old enough to join sites like Neopets. In the U.S., those basic checks stemmed from the Children’s Online Privacy Protection Act (COPPA) passed in 1998. As many remember, it was easy to bypass such checks by falsely claiming to be 13 years old.
The new wave of legislation generally demands users provide a government-issued ID or submit a biometric scan, like a facial recognition image, to a third-party service in order to confirm their age or identity.
Why require age verification?
Ultimately, online safety efforts aren’t about stopping kids from playing games—they’re focused on preventing young people from encountering inappropriate or dangerous material, such as pornography, information about illegal drugs, or social media spaces where they may be at risk from strangers.
These fears are not without merit. Parents have reported tragic outcomes after their children accessed drugs laced with fentanyl through Facebook, or took their own lives following relentless bullying on platforms like Snapchat.
With advances in technology, these threats continue to evolve: for instance, Meta’s AI chatbots have reportedly interacted inappropriately with children, and companies like Character.AI and OpenAI face lawsuits alleging their chatbots encouraged minors toward self-harm.
Still, the internet offers immense benefits. Without leaving your house or spending money, you can learn to play an instrument, pick up coding skills, connect with others worldwide, receive specialized remote healthcare, or get answers to nearly any question (for example, Madagascar’s capital is Antananarivo).
Lawmakers worldwide have settled on what they see as a reasonable solution: rather than restricting the entire internet, they require proof of adulthood to access certain content. This doesn’t mean just ticking a box; users must provide official identification or biometric data to gain entry.
Is it secure to submit your ID or biometric data for verification?
The security of any digital identity check depends on how well it is implemented.
For example, Apple’s Face ID is designed so that your facial scans never leave your device, limiting the risk of data theft by keeping them off the cloud.
Problems arise when verification systems involve transmitting data across networks. History has shown that security failures can lead to major breaches if the technology isn’t robust.
As the Electronic Frontier Foundation notes, “There’s no age verification approach that perfectly balances privacy and accuracy. Each method has its own risks, and none can be considered entirely safe or completely reliable.”
Recent incidents highlight the dangers of inadequate security.
The Tea app, for instance—a platform where women share information about men they meet on dating apps—required users to upload selfies and ID photos for verification. However, a vulnerability allowed users from the 4chan forum to access sensitive data, including government IDs, selfies, and private messages, leaving thousands exposed to harassment and revealing private details such as home addresses.
These breaches occurred even though Tea had assured users that their images would not be stored and would be deleted immediately, which turned out to be untrue.
Unfortunately, such incidents are all too common—just browse TechCrunch’s coverage on cybersecurity. And the problem isn’t limited to new players like Tea; even major governments and tech giants have fallen victim to data leaks.
Is losing online anonymity really a concern if I’m not doing anything wrong?
Widespread criticism of these laws isn’t just about privacy related to adult content.
In countries where sharing political opinions can lead to prosecution, anonymity enables open dialogue and the ability to challenge those in power without fear. Whistleblowers may be discouraged from reporting corporate misconduct if everything they do online is traceable, and survivors of domestic violence could find it harder to escape abusers.
Even in the United States, concerns about political persecution are gaining traction. Former President Trump has threatened jail for political rivals, and the government has taken action against international students who criticize Israel or protest its military actions, including revoking visas.
Which age verification laws are in force in the U.S.?
As of August 2025, 23 U.S. states have implemented age verification requirements, with two more states set to enact similar measures by September.
Typically, these laws affect sites hosting a certain percentage of content classified as “sexual material harmful to minors,” though the criteria differ by state.
In reality, this generally means that adult sites must confirm a visitor’s age before granting access. Some, like Pornhub, have opted to block users entirely from states with such laws.
“Since age verification tools collect highly sensitive personal information, there’s a significant risk of data leaks,” Pornhub wrote on its blog. “Regardless of intentions, governments have a poor track record of keeping this type of data secure.”
What is considered “sexual material harmful to minors”?
This term is defined differently depending on who is responsible for enforcing the law.
With LGBTQ rights being challenged in the U.S., advocates warn that such legislation could be used to label non-explicit LGBTQ-related information and basic sex education as “sexual material harmful to minors.” These fears are supported by the fact that the Trump administration has previously removed references to LGBTQ issues and civil rights from government websites.
Texas’s age verification statute—upheld by the Supreme Court in June—was introduced alongside other measures targeting LGBTQ rights, such as barring public drag performances and blocking gender-affirming care for minors. Notably, the drag show ban was later struck down for violating free speech rights.
How is age verification being handled in the UK?
The UK’s Online Safety Act, which went into effect in July 2025, requires many online services to confirm users’ identities before they can access certain content. If someone is determined to be underage, they are blocked from accessing those platforms. The law applies to a broad range of online services, including search engines, social media, video platforms, messaging, and cloud storage—essentially, any space where users can interact or consume media.
As a result, popular sites like YouTube, Spotify, Google, X, and Reddit are now requiring British users to verify their identity to view certain material. The rules don’t just limit access to adult or violent content; many people in the UK are also being blocked from important educational and news resources, raising concerns about privacy and access to information.
There isn’t a single, standardized method for verifying age or identity in the UK—each site can choose its own process, with Ofcom (the UK’s communications authority) overseeing enforcement. But as seen with the Tea app, no verification method can be assumed secure by default.
Consequently, users now have to decide between protecting their privacy and accessing online resources.
If I don’t live in the UK, do these laws affect me?
Even people outside the UK may be affected, as global tech companies often implement these requirements in advance of enforcement.
For example, YouTube in the U.S. has started using technology to estimate a user’s age based on activity, regardless of the age listed when an account was created.
Is it possible to bypass these restrictions using a VPN?
Yes, and evidence from the UK App Store shows this—after the Online Safety Act came into force, half of the top 10 free iOS apps were VPNs (Virtual Private Networks). A similar surge in VPN downloads occurred after Pornhub was blocked in multiple U.S. states.
When Pornhub was inaccessible in France, ProtonVPN reported a 1,000% surge in registrations within just 30 minutes—a spike even greater than when TikTok temporarily cut off U.S. users.
You might have previously used a VPN for work, or to watch UK television shows from the U.S. by masking your real location.
But this raises another concern: free VPN services may not always deliver the privacy protection they promise, despite their marketing claims.
If you’re seeking more details about VPNs, TechCrunch offers guides to help you understand VPNs and decide if you should use one.
