Open almost any app or site that touches something sensitive right now, and there is a good chance it asks for your age before anything else. Sometimes that is a simple checkbox.
Age verification is becoming a mandate during the signup process. Interestingly, it is not limited to the user selecting a date, month, and year.
Increasingly, it is a request for a government ID, a selfie, or a face scan that gets checked against a database you never agreed to be part of.
This shift did not happen overnight, but it moved fast. Age verification is now required by law across a growing list of US states, the UK, and soon the EU.
The real question is not whether age verification is coming. It already arrived. The question is what happens to the data once you hand it over. How does that data get managed, and how long does it stay in the databases?
TL;DR: Age verification is now law across much of the US, the UK, and soon the EU, and most checks still mean handing an ID or face scan to a vendor you did not pick. Those vendors keep getting breached. Apple and Google built lighter APIs that share only an age range, and the EU is testing an app that proves your age without exposing your identity. Until that spreads, the safest move is giving up the least data a check will accept.
Why age verification is suddenly everywhere?
The short version is that lawmakers won this round. Roughly half of US states now require some age gating for adult content or social platforms, and the Supreme Court ruled in 2025 that these laws are constitutional.
The UK has gone further than most. Under the Online Safety Act, Ofcom can fine non-compliant platforms up to 10 percent of global revenue, and on the first day of enforcement, providers processed 5.7 million checks.
This change regarding age verification for online platforms is not just limited to the US and UK. The European Commission has pushed platforms toward stronger checks under the Digital Services Act.
India is weighing its own mandatory age rules for social and dating apps, though there is currently no law to enforce them.
Some states are getting more specific. Utah’s SB 73 ties age checks to physical presence rather than IP address, which we broke down in our Utah VPN law guide.
The pattern repeats everywhere a law lands. A government passes a gating rule, people reach for a VPN to mask their location, and lawmakers try to close that gap next.
| Jurisdiction or platform | Approach | Status |
|---|---|---|
| US states | ID or face scan for adult content and social platforms | Law in roughly half of states |
| UK | Highly effective age checks under the Online Safety Act | Enforced, fines up to 10% of revenue |
| Utah | Age checks tied to physical presence, not IP address | Law |
| EU | Zero knowledge proof verification app | Piloting in 7 countries |
| India | Mandatory KYC and age rules proposed | Not yet passed by law |
| Apple | Declared Age Range API shares age category only | Available |
| Play Age Signals API shares age category only | Available in beta |
What these age checks actually ask for?
Most age checks still fall into one of two buckets.
Either you upload a document such as a valid and genuine government ID or scan your face through a third-party vendor. The operating system itself may hand over a narrow signal about your age range.
Apple‘s Declared Age Range API shares only a category, such as under 13, 13 to 15, 16 to 17, or 18 and over. It does not collect a birthdate.
Google‘s equivalent on Android, the Play Age Signals API, works the same way and bans developers from using that data for ads, profiling, or analytics.
Neither system verifies identity on its own. They lean on whatever already confirmed your age, a parent’s settings, a banking app, or a government ID checked once upstream.
The Internet privacy trade-off nobody fully explains
The lighter APIs are the exception, not the rule. Most platforms still route verification through a third party that asks for an ID photo, a selfie, or both, and that data has to live somewhere even briefly.
Discord found out what that means in practice. A 2025 breach exposed roughly 70,000 government IDs after attackers compromised a third-party vendor handling Discord support tickets.
Discord later moved that work to a different vendor, Persona, which the Electronic Frontier Foundation says fell short of Discord’s own on-device standard for facial checks.
I have skipped signing up for things specifically because the prompt wanted a face scan instead of a checkbox, and I doubt that instinct is rare. Each new vendor is another place that data can leak from.
Long privacy policies may seem assuring, but in practice, there is no guarantee of the safety of the personally identifiable data such as a photo or fingerprints, which can be gravely misused if they fall in the wrong hands.
The privacy-preserving alternative everyone is watching
There is a model that avoids most of this, and the European Commission built it.
The EU’s age verification app uses zero-knowledge proof cryptography to confirm you are old enough without sharing who you actually are.
You set it up once, using a passport, a national ID, or a banking app, and after that the app stops talking to whatever confirmed your age. No name, birthday, or document gets stored.
When a site asks, the app answers a single question. Are you over this age, yes or no. The site never learns your identity, and the app keeps no record of which sites you used it on.
Seven countries are piloting it now, with broader availability expected by the end of 2026. It is the closest thing yet to proof that privacy and compliance do not have to cancel each other out.
Frequently asked questions
Do I have to give my ID every time a site asks for my age?
Not always. Apple’s Declared Age Range API and Google’s Play Age Signals API let some apps check just an age category instead of a document.
Is my information safe with these verification services?
Not always. Discord’s 2025 breach exposed roughly 70,000 government IDs after a third-party vendor was compromised, and its next vendor, Persona, also drew criticism.
What is the EU doing differently?
The EU’s app uses zero-knowledge proof technology, so it only tells a site whether you are old enough without sharing your name, birthday, or identity.
Does a VPN get around age verification laws?
It used to work in many places, but Utah’s SB 73 ties checks to physical presence rather than IP address, which closes that specific gap.
When will the EU’s privacy-preserving option be available everywhere?
It is piloting in seven countries now, with broader availability across the EU expected by the end of 2026.
What to actually do when you hit one of these prompts
You will not get to choose whether a site asks. You can still choose how much you hand over when it does.
Give the least information a check will actually accept. If a platform offers an age range option instead of a document upload, take it.
Ask, even briefly, what gets collected, who can see it, and how long it stays around. A privacy policy that cannot answer your internet privacy woes plainly is telling you something.
A general purpose privacy tool still has a place here too. If you are weighing options beyond what your browser already does, our Mozilla VPN review is a useful starting point for what these services actually deliver versus what they promise.
None of the steps above fix the underlying problem. The data still has to go somewhere, and somewhere is exactly where the last few breaches happened.
