Nobody campaigns against protecting children. That’s precisely what makes “keep kids safe online” the most effective wrapper ever invented for expanding who has to identify themselves to use the internet. In 2026, that wrapper is everywhere at once — an EU age-verification app going live, Brussels drafting a bloc-wide social media ban for minors, Australia already enforcing one, and a thicket of US and UK laws demanding proof of age at the door. Some of it is thoughtfully built. Much of it quietly converts the open internet into a place where you show ID to speak.
Here’s what actually shipped this year, and where the seams are already splitting.
The EU builds the app itself
The European Commission isn’t waiting for platforms to figure out age checks. It’s shipping a reference age-verification app of its own. The second version of its technical blueprint landed in October 2025, and by mid-2026 the Commission described the app as “technically ready,” with rollout to pilot countries — Denmark, France, Greece, Italy, and Spain — over the summer.
Credit where due: the design is genuinely privacy-conscious. It leans on zero-knowledge-proof cryptography, so a site learns only that you’re “over 18” — not your name, not your birthday, not your exact age. Done right, that’s meaningfully better than uploading a photo of your passport to a random website. The app can also fold into the EU Digital Identity Wallet.
But note what’s non-negotiable and what isn’t. The much-cited December 31, 2026 deadline for every member state to make an age-verification solution available is a Recommendation, not a law — adopted April 29, 2026, with no fine attached. It’s an urging, not an obligation. The binding pressure comes from elsewhere: Article 28 of the Digital Services Act, which requires platforms accessible to minors to ensure “a high level of privacy, safety and security” for them. The same article says platforms shouldn’t process extra personal data just to check age — a data-minimization principle sitting in permanent tension with the demand to verify everyone. And security researchers reportedly found flaws in the Commission’s app within weeks of an early test release, a reminder that “privacy-preserving in theory” and “safe in deployment” are different claims.
Enforcement arrives: Meta, TikTok, Snapchat, Shein
The DSA is no longer a paper threat. Through 2026 the Commission stacked up preliminary findings and formal proceedings, each carrying fines of up to 6% of global annual turnover (note: that’s the DSA ceiling — GDPR’s is the lower 4%):
- Meta, April 29, 2026 — a preliminary finding that Facebook and Instagram failed to keep under-13s off the platforms, accepting false birth dates with no verification and burying the account-reporting tool behind as many as seven clicks.
- Meta, again, July 10, 2026 — a separate preliminary finding on addictive design: infinite scroll, autoplay, and engagement-driven feeds not adequately risk-assessed for minors’ wellbeing. Meta’s response: “We disagree with these preliminary findings.”
- TikTok, February 6, 2026 — the first DSA action aimed at platform architecture rather than illegal content.
- Snapchat, March 2026 — formal proceedings over weak age assurance and under-13 access.
- Shein, February 2026 — formal proceedings including addictive design and recommender transparency.
The Commission’s enforcement chief, Executive Vice-President Henna Virkkunen, framed the throughline: the DSA requires that a platform’s terms “should not be mere written statements, but rather the basis for concrete action to protect users — including children.” Hard to argue with as a principle. The question is what the “concrete action” turns into for everyone else who has to prove they’re allowed in.
From age checks to outright bans
The bigger shift in 2026 isn’t verifying age — it’s using age to lock people out entirely. According to the think tank Interface, 23 of the EU’s 27 member states were considering national age-restriction legislation as of May. The frontrunners:
- France advanced legislation to bar new users under 15 and delete existing under-15 accounts.
- Denmark reached a government agreement to ban social media for under-15s.
- Spain announced an Australia-style under-16 ban.
- Greece and Germany are moving in the same direction, thresholds still unsettled.
And Brussels is now openly weighing a bloc-wide version. On July 13, 2026, Commission President Ursula von der Leyen presented an expert report and endorsed “age-appropriate” restrictions with lines built for the clip reel: “Social media is not a toy,” and “Car manufacturers must make their vehicles safe… the very same must be true for big tech.” A formal EU-wide legislative proposal is expected after the summer, likely at the September State of the Union. As of this writing, it doesn’t exist yet — it’s intent, not law.
The live experiment everyone is watching is Australia, whose under-16 social media ban took effect December 10, 2025. Within weeks, platforms had deactivated or restricted 4.7 million accounts. By March 2026, the eSafety Commissioner had opened formal investigations into Facebook, Instagram, Snapchat, TikTok, and YouTube for suspected non-compliance. Early, softer reporting suggests a large share of under-16s simply kept getting online anyway — which is either a teething problem or the whole point, depending on who you ask.
The UK’s cautionary tale
Britain got there first, and its experience is the warning label. Age checks under the Online Safety Act went live in mid-2025, and the immediate result was a stampede to circumvent them: VPN providers reported daily UK signups spiking by four figures — Proton cited a surge exceeding 1,800% — as adults routed around the checks rather than hand over ID. A parliamentary petition to repeal the Act gathered hundreds of thousands of signatures. By early 2026, Ofcom had 90-plus services under investigation and had issued its first fines, while the government floated going after VPN providers that marketed themselves as a workaround.
The pattern is instructive: age verification doesn’t make determined teenagers disappear. It makes everyone — teenagers and adults alike — reach for tools that hide their traffic, which is the opposite of the transparency the law promised.
America’s split screen
The US courts have drawn a sharp, revealing line. In Free Speech Coalition v. Paxton (June 2025), the Supreme Court upheld Texas’s age-verification requirement for adult-content sites, applying intermediate scrutiny and holding the law only “incidentally” burdens adults’ protected speech. That greenlit a wave of pornography age-gating across 20-plus states.
But the same logic keeps failing when applied to general social media:
- Nebraska’s social media age-verification law was largely blocked by a federal judge in 2026.
- Virginia drew a preliminary injunction in February 2026.
- Age-gating laws in Arkansas, Utah, Ohio, Texas (the SCOPE Act), and Louisiana have been enjoined, mostly on First Amendment grounds.
- A handful — Florida, Mississippi, Tennessee, New York’s SAFE for Kids Act — are at least partly in effect, and the status shifts month to month.
The takeaway: American courts will tolerate ID-to-view-porn but keep striking down ID-to-use-Instagram, because the latter sweeps in vast amounts of ordinary, protected adult speech. That distinction is doing enormous constitutional work — and it’s exactly the distinction the EU’s broader approach doesn’t draw.
Why privacy advocates keep saying no
The objection isn’t that children’s safety doesn’t matter. It’s that mandatory age verification imposes concrete, permanent costs on everyone, and the costs don’t stay contained:
- Every age check is a data-breach waiting to happen. As EFF puts it, “a person who submits identifying information online can never be sure if websites will keep that information or how that information might be used or disclosed.” Even well-intentioned systems leave users “highly vulnerable to data breaches.”
- It kills anonymous speech. Age verification “undermines anonymous internet browsing,” EFF notes — and courts have repeatedly held anonymity is part of the freedom of speech.
- It chills lawful behavior. Requiring ID to read or post “will deter adult users from speaking and accessing lawful content,” because plenty of people won’t hand over identity documents to a website, full stop.
- It normalizes identity-to-browse. Even the good implementations — zero-knowledge, no-data-stored — train an entire population to expect an age gate on the way into ordinary parts of the internet. Today it’s “over 18.” The gate, once built, is trivially re-pointed at other questions.
What to do about it
- Prefer real zero-knowledge systems, and read the fine print. If a service uses the EU-style “over-18 token” model that stores nothing, that’s genuinely less bad than uploading your ID. If it asks you to upload a passport photo to a third-party verifier, understand you’re trusting that vendor’s security with your identity.
- Use a reputable VPN — but know what it does and doesn’t do. A VPN can route you around a clumsy regional age gate, but it’s not magic, and some jurisdictions are now targeting circumvention. Choose a no-logs provider and understand your own legal context.
- Engage where the laws are actually written. The US social media cases are being won on First Amendment grounds; the EU-wide ban is still just a proposal. These outcomes are not settled, and public comment during the drafting window is where the privacy-preserving version gets chosen over the identity-harvesting one.
The pattern
Age verification is the rare surveillance expansion with a genuinely sympathetic motive, which is exactly why it’s so hard to bound. “Protect the children” is unanswerable as a slogan, so the fight moves to the mechanism — and the mechanism, over and over, turns out to require that adults identify themselves to do things they were previously free to do anonymously. The best version of this, the EU’s zero-knowledge token, proves the concept can be built without harvesting identity. The worst version is already live in a dozen places, leaking data and pushing users toward VPNs. The difference between the two isn’t the goal. It’s whether anyone insisted on the details — and 2026 is the year to insist.



