UK Government to Impose Age Verification on Social Media
The UK government has announced a new regulation to ban individuals under 16 from accessing social media platforms. This regulation is slated to be introduced before Christmas and will come into effect in spring 2027.
To enforce this regulation, social media platforms will be required to verify the age of their users. This will likely result in new account holders needing to prove they are over 16 by submitting an ID or undergoing a facial age scan.
Long-standing accounts are largely exempt; however, new registrations will trigger verification, effectively ending the creation of anonymous accounts in the UK.
Security and Privacy Concerns
Security and privacy experts caution that these controls are not foolproof. They argue that the measures are easy to bypass and may expose everyone’s identity and biometric data to potential breaches. Furthermore, they criticize the speed at which these regulations were implemented, noting a lack of thorough policy review.
The Announcement
Prime Minister Keir Starmer unveiled the plan on June 15, following extensive national consultations that gathered over 116,000 responses from parents, children, and experts.
The government claims that 90% of parents support a ban on under-16s using social media, and two-thirds of young people agree that under-16s should be restricted from accessing certain platforms.
“That’s why we’re going further than any other country in the world by banning social media for under-16s and putting in place broader protections to give children back their childhood,” Starmer stated.
Technology Secretary Liz Kendall presented it as a challenge to tech companies: “Tech companies have had countless opportunities to keep children safe, but they have failed to act. This is why we are taking power away from tech giants and putting it back in the hands of parents.”
What is Covered
The UK regulation is modeled after Australia’s, which took effect in December 2025, marking a pioneering approach.
The regulation will apply to user-to-user platforms “whose purpose is to enable social interaction” and which operate algorithmic feeds. Specific platforms identified include Instagram, YouTube, TikTok, Snapchat, Facebook, and X. Messaging services like WhatsApp and Signal are not included, nor is YouTube Kids.
Exemptions will be narrowly defined for educational services, e-commerce, and music streaming.
The UK plans to extend restrictions beyond Australia’s model.
High-risk features such as live streaming and allowing strangers to contact children will be limited on a wider range of services, encompassing gaming sites like Roblox, where features like chat will be restricted.
In order to prevent a “cliff edge at 16,” these restrictions on contacting strangers and live streaming will also apply by default to 16 and 17-year-olds.
Moreover, “romantic companion” AI chatbots simulating sexual relations or role-playing will require a minimum age of 18, with intimate functions limited to those under 18 on AI chatbots more generally.
The government is also consulting on nighttime curfews and infinite scrolling breaks for under-18s, with details expected in July.
The Trap for Adults: New Accounts
The government reassures that most adults will not face new checks.
According to a fact sheet, an account is considered low risk if it has been open for more than 16 years, linked to a credit card, or linked to an email that has already been age-verified. Those verified under existing e-safety law will not need to repeat the process.
However, this exclusion is a grandfather clause and does not apply to new accounts.
If you create a social media account from scratch once the rules take effect (for instance, if you want a new handle or are a new user), these passive signals do not apply. The fallback is as the fact sheet describes: facial recognition verification or identity upload. This regime essentially transforms what is presented as child protection into a rule that no adult can open a new account without proving their age.
This is somewhat less stringent than the adult content regime, for now.
Since July 25, 2025, the Online Safety Act has required adult and other sensitive sites to perform “highly effective” age checks (typically an ID upload or facial age selfie) for each user, without grandfathering.
Enforcement has been aggressive. By February 2026, Ofcom had opened investigations into over 90 platforms and issued six fines, extending its remit to services like Reddit, X, Discord, Bluesky, and AI.
The social media age limit does not yet go as far, but normalizes similar mechanisms. Ofcom has been tasked with a rapid review of methods to verify if someone is over 16.
The VPN Flaw
A well-documented weakness is that a VPN can bypass these regulations. The Online Safety Act targets sites, not users, allowing a user to avoid scrutiny by connecting through a server outside the UK.
Some VPN providers have reported registration spikes of up to 1,800% since the enforcement of adult site rules began.
Any age group on social media inherits this same flaw, as confirmed by the Australian experience. Research revealed that over 60% of children continued using social media months after the country’s ban.
The UK government has limited options to address this flaw. A blanket ban on VPNs for the entire population has been ruled out.
In October 2025, Technology Minister Baroness Lloyd informed the Lords that there were “currently no plans to ban the use of VPNs,” citing their legitimate uses.
A crackdown specific to children is a different matter. In February 2026, the government announced its welfare consultation would consider “options for age-restricting or limiting VPN use by children.” In January 2026, the House of Lords delivered a defeat to the government, voting 207 to 159 for an amendment to the Children’s Wellbeing and Schools Bill to require ministers to ban VPN providers from serving Britain’s children.
To differentiate children from adults, this measure would effectively require providers to verify each user’s age. The amendment led to public petitions against it.
The Commons rejected it in several rounds of parliamentary debate, and the legislation that received royal assent (became law) in April instead gave ministers broad power to restrict children’s access online through regulation.
For now, there is nothing preventing a determined adult, or a determined 15-year-old, from circumventing the regulation.
What Security and Privacy Researchers Say
The cybersecurity objection is not about the objective but concerns the enforcement mechanism creating new risks while the controls themselves are ineffective.
Dr. Siamak Shahandashti, a lecturer in cybersecurity and privacy at the University of York, referenced recent empirical work from Politecnico di Milano testing age verification methods deployed on adult sites.
The researchers found low to moderate robustness for almost all methods except credit card checks. Most could be circumvented with tools and knowledge accessible to “motivated miners.”
Their stark conclusion, cited by Shahandashti: Mandatory age verification currently acts as “compliance theater.” He added that controls linked to real physical identity could be made sufficiently robust if clear standards were set.
Dr. Richard Gomer, a lecturer in computer science at the University of Southampton, focused on the second-order risk. Applying a ban on under-16s means limiting everyone’s age, and that process is inherently risky.
Handing over a passport or driving license to platforms, he warned, exposes individuals to identity theft or blackmail when those records inevitably leak, a concern already observed under the rollout of the Online Safety Act.
He also highlighted the lower cost of regulation that moves the Web away from its initial ideals of anonymous and open communication.
This risk of data breach is not hypothetical.
In response to the ban, the Open Rights Group (ORG) warned that those over 16 will now have to provide identity documents or biometric data to unregulated age verification companies. Discord was singled out as a platform that experienced a significant data breach following the introduction of age checks.
James Baker, who leads ORG’s Platform Power and Freedom of Expression programme, argues that the measures target the symptoms rather than the cause—engagement-driven business models that reward harmful content—and has previously warned that the underlying powers had been “rushed through without adequate time for policy review.”
The platforms do not agree either.
Meta and YouTube both argue that these bans push teens into less regulated spaces rather than making them safer. Meta believes that age controls should remain on the device so users do not have to hand over identities to each service individually.
The Wider Direction of Movement
It is important to consider where this fits into the broader picture. Since January 2025, the government has introduced a GOV.UK wallet and digital driving license, promoted partly as a way to prove your age online and in person using the facial recognition features of modern phones.
This development is separate from and predates this announcement. However, together they suggest a future direction where proving your age becomes increasingly necessary for being online in the UK.
For more detailed information, visit the source Here.
Security teams record 54% of successful attacks and alert on only 14%. The rest move around your environment without being seen.
The Picus white paper shows how breach and attack simulation tests your SIEM and EDR rules so that threats stop evading detection.
Get the white paper
“`
