Age verification: How laws, platforms, and devices are changing

Age verification is becoming a standard part of how people access online services. What began as a policy tool aimed at restricting children’s access to certain content is now moving through platforms, devices, and national identity systems.

Given the profound implications for personal privacy, Proton has been covering this shift from multiple angles: how laws are written, how companies implement them, and what happens when identity checks become embedded in everyday digital infrastructure.

What age verification actually means

Age verification is often described as a simple safeguard to confirm whether someone is old enough to access a service. In practice, the term covers a wide range of systems, from self-declared birthdates to government ID checks and third-party identity services.

The gap between the language and the implementation matters. As these systems expand, verification often involves collecting more personal data than people may expect, including official identification documents or biometric signals.

How age verification laws are expanding

Governments in multiple regions have introduced or proposed laws requiring platforms to verify user ages before granting access to certain types of content or services. These policies are typically justified as child protection measures.

Our reporting has focused on what happens after these laws are implemented. Requirements tend to expand over time, and enforcement often pushes platforms toward more invasive forms of identity collection. In some cases, access to online services becomes tied to verification systems that were not originally part of the product design.

There are also broader effects. As verification becomes more common, it can affect how people access information online, including content that is not restricted but still routed through systems that require identity checks.

What happens after age-verification laws take effect

Age verification on platforms

Platforms have begun introducing age verification systems globally in response to regulatory pressure. Discord, for example, introduced a “teen-by-default” verification approach in parts of its service.

These systems require people to confirm their age before accessing certain features or content. The process often depends on external verification providers or identity submission.

The security implications became more visible after a breach involving age verification data exposed tens of thousands of government IDs submitted through a platform integration. The incident highlighted the risks associated with centralizing identity documents for access control.

70,000 government IDs leaked in Discord data breach

Age checks moving into operating systems

Age verification is no longer limited to individual apps or websites. It is increasingly being integrated into operating systems and device-level settings.

When verification moves to the OS layer, it changes how access control works. Instead of each app handling verification independently, the operating system can act as the gatekeeper for age-related permissions across services.

Apple has begun introducing age-related verification features in the UK, where regulatory pressure has increased. This shifts part of the responsibility for identity checks from apps to device manufacturers.

Apple’s UK age verification brings identity checks to the iPhone

Digital identity systems and national policy

Governments are moving toward broader digital identity frameworks that could be used across services, not just for age checks.

The UK’s proposed digital ID system is one example. It is framed as a way to streamline access to services and improve verification processes. Critics have raised concerns about scope expansion and the potential for identity systems to become embedded in everyday online activity.

Australia has also introduced policies affecting how people access social media, with implications for identity verification and platform compliance. While these measures are focused on specific harms, they contribute to a broader trend toward identity-linked access control.

Australia’s world-first social media ban: Why the ban might be even worse for privacy

Security risks in real-world systems

Age verification systems rely on sensitive personal data. In many cases, that includes government-issued identification or biometric information.

Security incidents have already shown the risks involved. An age verification application used in the EU was compromised shortly after release, raising questions about how quickly these systems can be attacked once deployed. Other breaches involving platforms using identity checks have exposed large volumes of personal data.

These events point to a structural issue: Systems designed to verify identity also create high-value targets for attackers.

Alternatives to identity-based verification

There are approaches that attempt to confirm age without requiring full identity disclosure, such as on-device estimation techniques and systems designed to minimize data sharing with third parties.

These models are still developing and are not widely adopted in regulation. Most current laws and implementations rely on identity verification or equivalent methods that require personal data submission.

Where this shift leads

Age verification is increasingly embedded across multiple layers of the internet, from legislation to platforms to operating systems. Each layer introduces its own implementation, but the overall direction is consistent: more online access is being tied to identity checks.

The practical result is a shift in how privacy, anonymity, and access coexist online. Systems designed for targeted protections are expanding into general infrastructure.

This collection of reporting tracks that progression as it continues to unfold.

The rise of age verification: What governments, platforms, and devices are changing