When Australia switched on its under-16 social media ban on 10 December 2025, the open question was never whether it would work. It was whether it would spread. We now have the answer. In the six months since, Brazil, Greece, Turkey, and Malaysia have all moved to mandate age checks for social media, the EU is pushing for a bloc-wide framework by the end of the year, and the policy that was supposed to be a uniquely Australian experiment has become a template. The domino effect is real, and it is moving faster than the technology meant to underpin it.
What follows is a survey of where things actually stand in mid-2026 — and a reminder that every one of these laws shares a single, under-discussed mechanism. To keep children off a platform, you must determine the age of everyone who tries to use it. That is not a child-safety feature. It is population-scale identity verification, and it lands on adults first.
Australia: the precedent, now enforced
Australia’s Online Safety Amendment (Social Media Minimum Age) Act took effect on 10 December 2025. Age-restricted platforms — Facebook, Instagram, Snapchat, Threads, TikTok, Twitch, X, YouTube, Kick, and Reddit — must take “reasonable steps” to keep under-16s from holding accounts, with fines up to AUD 50 million. By mid-December, eSafety reported that platforms had removed access to roughly 4.7 million under-16 accounts.
The enforcement story since has been instructive. In late March 2026, the government opened investigations into Facebook, Instagram, Snapchat, TikTok, and YouTube, with the eSafety Commissioner alleging that platforms let already-flagged underage users simply retry age verification until they passed. The lesson is not that the law is too soft. It is that “reasonable steps” inevitably escalates toward harder identity proofing — facial age estimation, ID upload, document matching — because anything softer is trivially defeated. The ratchet only turns one way.
Brazil, Greece, Turkey, Malaysia: what was actually passed
It is worth being precise here, because the details differ and the laws are at different stages.
Brazil sanctioned its Digital Statute of Children and Adolescents (the “Digital ECA”) in September 2025, with rules taking effect in March 2026. It requires “effective and reliable” age verification — explicitly not self-declaration — and forces under-16s to link accounts to a legal guardian. Penalties reach 10% of Brazilian revenue, capped at USD 10 million per violation. This one is law and in force.
Malaysia is also live. From 1 June 2026, under its Online Safety Act 2025 and the new Child Protection Code, licensed platforms (Facebook, Instagram, TikTok, YouTube) must verify users are 16 or older. Critically, Malaysia’s code requires verification against government-issued records — not age estimation, but identity-document matching. Existing users are to be verified progressively over six months. Penalties run to RM 10 million.
Turkey’s parliament passed a bill in April 2026 restricting under-15s from major platforms, requiring users to verify identity through the state e-Devlet portal — the national government ID gateway. At the time of writing it awaits presidential signature, after which platforms have six months to comply. So: passed by parliament, tied directly to a state identity system, not yet fully in force.
Greece is the outlier on timing. Prime Minister Mitsotakis announced in April 2026 a ban for under-15s from 1 January 2027, with Parliament expected to legislate in mid-2026. As of now it is announced and drafted, not yet passed. Greece’s more consequential move was political: Mitsotakis wrote to Ursula von der Leyen calling for a unified EU-wide age-verification framework by the end of 2026, with platforms re-verifying every user’s age every two years.
Note the pattern in the framing. Turkey’s bill followed a school shooting. Greece and others lean on mental-health and child-safety arguments. The motivations are sympathetic and often genuine. That is exactly what makes the infrastructure they build so easy to wave through.
The EU, the UK, and the US states
For context: the UK’s Online Safety Act age-assurance duties came into force in 2025 and have already normalised face scans and ID checks for adult content and, increasingly, mainstream platforms. In the US, a patchwork of state laws — Texas, Utah, Florida, and others — mandates age verification, with the Supreme Court’s 2025 Free Speech Coalition v. Paxton decision having cleared the constitutional path.
The EU is the keystone. Under the Digital Services Act, the Commission is urging an age-verification rollout by the end of 2026, anchored to the forthcoming EU Digital Identity Wallet, with Denmark, France, Greece, Italy, and Spain piloting first. The selling point is that the EU app uses cryptographic proofs to confirm “over 18” without uploading an ID — genuinely better, in design, than handing your passport to TikTok.
The honeypot you are required to build
Here is where design meets reality. The EU’s flagship age-verification app, unveiled on 14 April 2026, was bypassed by a UK security researcher in under two minutes. The encrypted PIN protecting the identity vault was not cryptographically bound to the credentials it guarded; deleting a couple of entries from a local file and setting a new PIN handed over the original verified identity. A separate flaw, found in March, meant the system could not actually confirm that passport validation had happened on the user’s device. An Italian researcher reproduced the work and documented five more vulnerabilities.
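The binding failure described above, as an added example (not from the original article and not the EU app's code): a constructed Python model contrasting a PIN that merely gates a stored credential with one whose derived keys encrypt and authenticate it. All names, the store layout, the KDF parameters and the HMAC-based stream cipher (a standard-library stand-in for a real AEAD) are assumptions for illustration.

```python
import hashlib, hmac, os
from typing import Optional

def _keys(pin: str, salt: bytes):
    # Slow salted KDF; the iteration count is an illustrative assumption.
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]                      # (encryption key, MAC key)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD such as AES-GCM.
    out = b""
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(pin: str, credential: bytes) -> dict:
    """Bound design: the vault can only be opened with keys derived from the PIN."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(pin, salt)
    ct = _xor_stream(enc_key, nonce, credential)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_bound(vault: dict, pin: str) -> Optional[bytes]:
    enc_key, mac_key = _keys(pin, vault["salt"])
    body = vault["salt"] + vault["nonce"] + vault["ct"]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, vault["tag"]):
        return None                            # wrong PIN or tampered file
    return _xor_stream(enc_key, vault["nonce"], vault["ct"])

def open_unbound(store: dict, pin: str) -> Optional[bytes]:
    """Weak pattern: the PIN is a gate beside the credential, not a key to it."""
    digest = hashlib.sha256(pin.encode()).hexdigest()
    if "pin_hash" not in store:                # no PIN on file: enrol whatever is given
        store["pin_hash"] = digest
    return store["credential"] if digest == store["pin_hash"] else None

CRED = b'{"over_18": true, "issuer": "constructed-sample"}'   # constructed sample

def demo() -> dict:
    weak = {"pin_hash": hashlib.sha256(b"4821").hexdigest(), "credential": CRED}
    del weak["pin_hash"]                       # PIN entry lost or removed from the file
    vault = seal("4821", CRED)
    stripped = dict(vault, tag=bytes(32))      # overwrite the bound vault's check value
    return {"weak_new_pin": open_unbound(weak, "0000"),
            "bound_new_pin": open_bound(stripped, "0000"),
            "bound_right_pin": open_bound(vault, "4821")}
```

In the bound design there is no separate PIN record to reset: without the original PIN the keys cannot be re-derived, so editing the file yields a vault that fails authentication instead of a credential under a new PIN.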
The Commission’s defence — that this was an open-source reference implementation, not the hardened production app — is fair as far as it goes. But it concedes the deeper point. We are now mandating, across dozens of countries and hundreds of platforms, that a verified link between a real human identity and an online account be created and stored at population scale. Brazil and Malaysia tie accounts to government records and guardians. Turkey routes verification through a national ID portal. The EU is consolidating it into a single wallet. Each of these is, by construction, a database of who is who — and the two-minute hack is a preview of how those databases will be treated by people far less polite than a security researcher publishing a blog post.
Three harms compound. Honeypots: every verification store is a high-value target, and breaches of age-check vendors have already happened. Deanonymisation: to keep children out, you must positively identify the adults, ending pseudonymous participation for everyone. Scope creep: an identity layer built for “social media for under-16s” is a general-purpose identity layer, and it will be reused.
None of this means the impulse to protect children is wrong. It means the chosen mechanism — verify everyone, always — concentrates exactly the identity and biometric data that, once breached, cannot be un-breached. Australia lit the first domino. The five that have fallen since are not five separate child-safety wins. They are five new identity dragnets, built faster than anyone has figured out how to secure them.



