Social Media Is Now a Regulated Age-Restricted Service. Is Your Verification Stack Ready?

In the early days of internet usage, social media sat in a middle-ground category: designed for adults or older teens, but available to anyone with a birthdate to enter into the system. That era is over. The Online Safety Act has been fully enforced in the UK since July 2025; social media has been completely prohibited for under-16s in Australia; and France has begun implementing age verification for social media, ahead of its under-15 restriction set for September 2026. The trend in Malaysia, New Zealand, and Germany.

In more and more jurisdictions, social media is now classified like alcohol, gambling and adult content, which means platforms need proper age verification software built for that purpose, not a date-of-birth dropdown.

For those still running lightweight gates on their platforms, the question is not “will regulators come?” It is when they are ready.

The Law Changed. Most Verification Stacks Didn’t.

Australia’s social media ban came into effect on 10 December 2025, and platforms were required to show they were taking ‘reasonable steps’ to stop children under 16 from having accounts. The penalty for systemic non-compliance: up to AUD 49.5 million in fines.

The UK took a different approach and did not specify a minimum age for social media, instead leaving age-appropriate design to be handled by Ofcom. Platforms are now required to implement age verification technologies and to repeat age verification periodically and reliably. Ofcom has already opened investigations into over 90 services and has issued fines.

The issue is that a lot of platforms have updated their legal terms without actually upgrading the technology. The UK Online Safety Act does not define ‘highly effective age assurance’ as a checkbox or self-reported birthdate. Even the eSafety Commissioner isn’t satisfied with it. What regulators are demanding is a robust and technically sophisticated system, and not all platforms are ready.

Why “Good Enough” Age Gates Are Getting Teenagers In Anyway

One telling point: when Australia announced its ban, VPN downloads among Australian teenagers surged almost immediately. Reddit threads about bypassing age verification went from 1 in May 2025 to 65 different threads in April 2026.

Children do not have trouble getting past weak gates. They’re sharing instructions.

The most common strategies at the moment are using a VPN or changing the device location in order to appear to be in a more relaxed country, or using AI to alter the appearance of a selfie before submitting it. These are not edge cases. They are common, well-documented and ubiquitous practices, and weak online age verification is being actively exploited by these scams and evasion tactics.

Facial age estimation alone, without a liveness check, without document fallback and without behavioral signals, is going to face a teenager who has uploaded a GAN-aged photo of himself.

The Two Things Every Verification Stack Needs Right Now

There is no universal approach that covers everything. Different countries use different methods, and minors have mastered every single-method system. The real solution is a multi-step approach, and two things matter most.

Liveness detection beyond the selfie. The days of a static photo are gone. Proper liveness checks require real-time interaction, such as turning the head, blinking or reading random words on screen, to beat pre-recorded clips and AI-generated faces. This is the first line of defense against deepfake bypasses, a noted and evolving evasion technique.

Document verification as a last resort, not a first measure. Having to re-enter information every time a user logs in is an impediment to sign-up. But if you have no ID fallback at all, you have nowhere to escalate when facial estimation is not sure. The right architecture begins with low-friction age estimation and progresses to document checks if the signals are not clear, or if the jurisdiction requires it.

This plays a role not only in compliance but also in conversion. Platforms with waterfall verification take the quickest route first, then step up as appropriate, while those that front-load the more onerous checks experience lower user drop-off.

Age Gating Is Not a One-Time Setup

The UK Online Safety Act is one of many regulations that make it clear that age verification is not a checkbox ticked at registration and then forgotten about. Platforms are required to re-verify users periodically. This means that the gate you create must function as a system, not as a one-shot sign-up check.

This has practical implications. A user who signed up at 15 and is now 16 should be treated differently in Australia than in the UK, where it is 13. If the content category on your platform changes, a user who verified through a document check will have to be rechecked in two years. If you are serving several markets, as most social sites do, those rules are not standardized, and you’ll need to be able to change rules by jurisdiction without rebuilding the flow from the ground up every time.

The platforms that will handle this well are the ones that have built modular, configurable verification flows rather than a single-market solution.
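
The step-up ("waterfall") flow and the per-jurisdiction, re-verifiable gate described above, sketched as an added example that is not from the article or any vendor's product. The policy table, margins, re-verification windows and decision names are hypothetical; only the AU 16 and UK 13 minimum ages come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Policy:
    min_age: int             # minimum account age in this jurisdiction
    margin_years: float      # facial estimate must clear min_age by this buffer
    document_required: bool  # jurisdiction mandates a document check outright
    reverify_days: int       # how long a completed verification stays valid

# Minimum ages follow the article's AU/UK example; all other values are constructed.
POLICIES = {
    "AU": Policy(min_age=16, margin_years=3.0, document_required=False, reverify_days=365),
    "UK": Policy(min_age=13, margin_years=2.0, document_required=False, reverify_days=730),
}

@dataclass
class Signals:
    liveness_passed: bool = False
    estimated_age: Optional[float] = None  # facial age estimate, if run
    document_age: Optional[int] = None     # age from a verified document, if run
    verified_on: Optional[date] = None     # date these signals were collected

def next_step(jurisdiction: str, s: Signals, today: date, audit: list) -> str:
    """Pick the cheapest check that can still settle the decision, and log why."""
    p = POLICIES.get(jurisdiction)
    if p is None:
        decision, why = "STEP_UP_DOCUMENT", "no policy for jurisdiction, fail closed"
    elif s.verified_on and today - s.verified_on > timedelta(days=p.reverify_days):
        decision, why = "REVERIFY", "signals older than the re-verification window"
    elif s.document_age is not None:
        ok = s.document_age >= p.min_age
        decision, why = ("ALLOW" if ok else "DENY"), "document age vs minimum age"
    elif p.document_required:
        decision, why = "STEP_UP_DOCUMENT", "jurisdiction requires a document"
    elif not s.liveness_passed or s.estimated_age is None:
        decision, why = "STEP_UP_LIVE_ESTIMATE", "need a live capture and an estimate"
    elif s.estimated_age >= p.min_age + p.margin_years:
        decision, why = "ALLOW", "estimate clears minimum age plus margin"
    else:
        decision, why = "STEP_UP_DOCUMENT", "estimate inside margin, escalate"
    audit.append((today.isoformat(), jurisdiction, decision, why))
    return decision

def demo() -> list:  # same constructed user evaluated under both policies
    audit, today = [], date(2026, 4, 1)
    user = Signals(liveness_passed=True, estimated_age=15.5, verified_on=today)
    return [next_step(j, user, today, audit) for j in ("AU", "UK")] + [len(audit)]
```

With the same constructed signals (live capture, estimate of 15.5), `demo()` escalates the Australian user to a document check and allows the UK user, and both decisions land in the audit list.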

What the Scam Layer Adds to This Problem

But there’s a second side to the age-gating problem that’s not talked about as much. Minors are being restricted, but bad actors are also getting in through weak gates.

Fraudsters have a long history of taking advantage of platforms that don’t have very strong identity checks. If an age identification scam is being conducted on a platform, it’s likely that the minor at the other end is the victim. The most common types of romance scams, investment fraud, and grooming occur on sites that didn’t properly verify the predator or the victim when they were signing up. Solved the right way, the compliance issue also helps solve the safety issue: a platform that can verify that someone is who they claim to be makes it much more difficult for fraudsters to operate on false identities.

The Real Question Is Architectural

The reason most platforms are failing is not that they do not care about age verification. Their current structure was built for a regulatory climate that no longer reflects reality, and they are suffering for that.

This is not a question of “do we have age verification?” but rather “should we be asking for age verification?” In truth: can the existing system distinguish between a 14-year-old with a GAN facial image and a genuine adult? Can it apply UK rules to UK users and Australian rules to Australian users in the same flow? Can it re-verify users without making them re-register? Does it create the trail a regulator would be satisfied with?

If any of those answers is uncertain, the stack requires a rethink. The law has moved. The tricks for circumventing weak gates have changed. Platforms still using the basic online age verification systems that were developed three years ago now have real liability exposure in multiple countries at once.

The window for getting this right prior to enforcement is closing rapidly. This isn’t a forecast. It’s already happening.
