Technologists and policymakers are reckoning with a generation-defining problem on the internet: While it can be a revolutionary force for unprecedented education and connection across the globe, it can also pose dangers to children when they have completely unfettered access.
There is no simple way, however, to monitor children’s internet access without surveilling adults, paving the way for disastrous online privacy violations.
While some advocates praise these laws as victories for children’s safety, many security experts warn that these laws are being proposed and passed with flawed implementation plans, which pose dangerous security risks for adult users as well. In the United States alone, 23 states have enacted age-verification laws as of last month, with two more states following suit in September. Meanwhile, the United Kingdom’s Online Safety Act, which took effect in July, requires many online platforms to verify users’ identities before granting access.
Here’s a primer on where the debate over age and identity verification stands.
What exactly is age verification?
When we talk about age verification laws, we aren’t talking about when you made a Neopets account as a kid and checked a box to affirm that you were at least 13 years old. In the United States, those types of age checks are a result of the Children’s Online Privacy Protection Act (COPPA), an internet safety law passed in 1998. But, as you already know, if you had a Neopets account when you were 10, COPPA-era age checks are very easy to navigate around. You simply click a box that says you’re 13.
In the context of the laws that have cropped up during the 2020s, age verification usually refers to a user uploading an official ID to a third-party verification system to prove who they are. Users might also upload biometric facial scans, like the ones that power Face ID on iPhones.
What is the point of age verification?
Of course, internet safety is not really about preventing children from playing games like Neopets. Parents and lawmakers are concerned about children accessing content that’s potentially dangerous for minors, like online pornography, information about illicit drug use, and social media sites where they may encounter strangers with bad intentions.
Techcrunch event
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Sequoia Capital, Elad Gil — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before Sept 26 to save up to $668.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Sequoia Capital, Elad Gil — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before Sept 26 to save up to $668.
San Francisco
|
October 27-29, 2025
REGISTER NOW
These concerns are not unfounded. Parents have turned to lawmakers to share horrific stories of how their children died after purchasing fentanyl-laced drugs on Facebook, or how they took their own lives after facing incessant bullying on Snapchat.
As technology becomes more sophisticated, the problem is getting worse: Meta’s AI chatbots have reportedly flirted with children, while Character.AI and OpenAI are facing lawsuits over the suicides of children who were allegedly encouraged by the companies’ chatbots.
We know the internet isn’t all bad, though. Without leaving your home or spending any money, you can learn to play guitar or write code. You can forge meaningful friendships with people from the other side of the world. You can access specialized telehealth care, even if you live somewhere where no doctor is trained in your diagnosis. You can find the answer to just about any question you want at any given moment (the capital of Madagascar is Antananarivo, by the way).
This is how global lawmakers have arrived at what they believe to be a sound compromise: They won’t nuke the whole internet, but they’ll just put certain content behind a gate that you can only unlock if you can prove you’re an adult. But in this case, you’re not just clicking a box to confirm your age — you’re uploading your government ID or scanning your biometric data to prove you can access certain content.
Is it safe to verify your identity by uploading a government ID or a biometric scan?
The safety of any digital security measure depends on its implementation.
Apple builds out products like Face ID so that these biometric scans of your face never leave your iPhone — they’re never shared over the cloud, which massively limits the potential for hackers to gain access.
But when any sort of connection to another network gets involved, that’s when identity verification can get fishy. We’ve already watched how these measures can play out poorly when the technology is anything but rock-solid.
“No method of age verification is both privacy-protective and entirely accurate,” the Electronic Frontier Foundation writes. “These methods don’t each fit somewhere on a spectrum of ‘more safe’ and ‘less safe,’ or ‘more accurate’ and ‘less accurate.’ Rather, they each fall on a spectrum of ‘dangerous in one way’ to ‘dangerous in a different way.’”
In recent memory, we have some strong examples of how badly things can go when a company slips up on its security.
On Tea, an app that women use to share information about men they meet on dating apps, users have to upload selfies and photos of their IDs to prove that they are who they say they are. But users on 4chan, a misogynistic web forum, found that Tea left users’ data exposed, meaning that bad actors could access tens of thousands of users’ government IDs, selfies, and even direct messages on the platform, where women shared sensitive information about their dating experiences. What was once purported to be an app for women’s safety ended up exposing its users to vicious harassment, giving bad actors access to personal information like their home addresses.
These hacks were possible despite Tea’s promise that these images were not stored anywhere and were deleted immediately (evidently, those claims were false).
This kind of thing happens all the time — just look at TechCrunch’s security coverage. But it’s not just happening to new apps like Tea. World governments and trillion-dollar tech giants are certainly not exempt from data breaches.
Does it really matter if I lose my anonymity on the internet? I’m not doing anything shady
These laws have inspired much backlash, but it’s not just because people are shy about linking their porn viewership to their government IDs.
In places where people can be prosecuted for political speech, anonymity is vital to allow people to meaningfully discuss current events and critique those in power without fear of retribution. Corporate whistleblowers could be unable to report a company’s wrongdoing if all of their online activity is linked to their identity, and victims of domestic abuse will find it even more difficult to flee dangerous situations.
In the U.S., the idea of being prosecuted for one’s political beliefs is becoming less theoretical. President Trump has threatened to send his political opponents to prison, and the government has revoked visas from international students who have criticized the Israeli government or participated in protests against the country’s military actions.
What age-verification laws have gone into effect in the U.S.?
In the United States, 23 states have enacted age-verification laws as of August 2025, while two more states have laws slated to take effect in late September 2025.
These laws mostly impact websites that host certain percentages of “sexual material harmful to minors,” which varies from state to state.
In practice, this means that pornographic websites must verify a user’s identity before they can access the website. But some sites, like Pornhub, have opted to simply block traffic from certain states.
“Since age verification software requires users to hand over extremely sensitive information, it opens the door to the risk of data breaches,” Pornhub wrote on its blog. “Whether or not your intentions are good, governments have historically struggled to secure this data.”
What counts as “sexual material harmful to minors”?
The definition of this term varies depending on who is enforcing the law.
At a time when LGBTQ rights are under attack in the U.S., activists have warned that laws like this could be used to classify non-pornographic information about the LGBTQ community, as well as basic sex education, as “sexual material harmful to minors.” These concerns appear well-founded, given that President Trump’s administration has removed references to civil rights movements and LGBTQ history from some government websites.
Texas’ age-verification law — which was upheld in a Supreme Court ruling in June — was passed around the same time the state imposed other legal restrictions on the LGBTQ community, including limits on public drag shows and bans on gender-affirming care for minors. The drag show law was later deemed unconstitutional for violating the First Amendment.
What’s going on with age verification in the U.K.?
The United Kingdom enacted the Online Safety Act in July 2025, requiring many online platforms to verify a user’s identity before allowing them access. If a user is identified as a minor, they won’t be allowed on certain websites. The Act applies to search engines, social media platforms, video-sharing platforms, instant messaging services, cloud storage sites — pretty much anywhere that you may encounter media or talk to someone.
In practice, this means that websites like YouTube, Spotify, Google, X, and Reddit are requiring U.K. users to verify their identity before accessing certain content. These requirements don’t just apply to pornographic or violent content — people in the U.K. have been barred from viewing vital education and news sources, making it difficult to access information without exposing themselves to potential privacy concerns.
The U.K. does not use one specific way of verifying one’s identity — individual websites can decide what mechanism to use, and Ofcom, the U.K.’s communications regulator, is supposed to oversee this implementation. But as we explained with the Tea example, we can’t trust that any given authentication tool will be safe.
Now, users who are subject to identity verification must decide if they want to freely access information or if they want to expose themselves to privacy risks.
Does the U.K. age verification law affect me if I live elsewhere?
Even if you don’t live in the U.K., you may be impacted by tech platforms that are pre-complying with these regulations.
In the U.S., YouTube has already begun to roll out technology that is supposed to estimate users’ ages based on their activity, regardless of what age they listed when registering their account.
Can’t you just use a VPN to get around these barriers?
Yes, and the App Store charts in the U.K. prove it — after the Online Safety Act took effect, half of the top 10 free apps on iOS were VPNs (virtual private networks). We also saw VPN downloads spike after Pornhub access was blocked in many U.S. states.
When Pornhub was suspended in France, Proton VPN said that registrations had spiked by 1,000% within half an hour — the company said this was a bigger spike than when TikTok temporarily blocked American users.
You may have used a VPN before if you logged into your office desktop computer remotely, or if you spoofed your location so that you could watch British sitcoms for free from the U.S.
This introduces another issue: Free VPNs don’t always have great privacy practices, even if they are advertised as such.
If you want to learn more about VPNs, TechCrunch has guides on what you need to know about VPNs and how you can decide if you need to use one.
On top of this, there are the security concerns.