Age Verification Technology

Every platform claims a minimum-age policy. Almost none meaningfully enforce one. The result: COPPA's 13+ rule is widely bypassed, state laws have raced ahead of the technology that could enforce them, and a Supreme Court decision in 2025 reshaped the legal terrain. Here's what age-verification technology can and can't actually do.

40%

of US 8-12-year-olds who use social media despite 13+ minimum

Source: Pew Research 2024

6-3

FSC v. Paxton SCOTUS ruling upholding Texas HB 1181

Source: June 27, 2025

19

State age-verification laws enacted as of May 2026

Source: State legislatures

Why the β€œ13+” on the sign-up form means nothing

COPPA (the Children's Online Privacy Protection Act, 1998) requires parental consent for data collection from users under 13. Every major platform addresses this with a self-declared date-of-birth field on sign-up. If you type any year that makes you 13 or older, you're in.

This is not age verification. It's an attestation. Platforms have known this for two decades. Internal documents released in the 42-state AG litigation against Meta (MDL 3047 in N.D. Cal.) include Meta's own estimates that as many as 4 million Instagram users were under 13β€” and that Meta's recommendation models were tuned using those accounts' data.

Pew Research's 2024 teen survey found that 40% of US 8-to-12-year-olds use social media platforms despite the 13+ minimum, with TikTok and Instagram the most common.

The four methods, ranked by friction

When platforms or states do require age verification, they pick from a small menu of mechanisms. Each trades off accuracy, privacy, and exclusionary impact differently.

1. Self-declared age

Status quo

The DOB field. Accuracy: near-zero for users motivated to lie. Privacy cost: minimal. Exclusionary impact: none. What it stops: nothing.

2. Credit card or government-ID upload

UK / Texas HB 1181 standard

User uploads a photo of a driver's license or enters a credit card. The underlying claim is that minors typically don't have either. Accuracy: high. Privacy cost: significant β€” the platform or AVP now holds a sensitive document. Exclusionary impact: undocumented adults, unbanked adults, and privacy-sensitive adults all opt out.

3. Facial age estimation

Yoti, Persona, Incode

A selfie is processed by a model trained to estimate age within a band (typically Β±2 years). Accuracy: ~98% for the 13/15 boundary per vendor claims; performance degrades on darker skin tones and non-Western training set demographics. Privacy cost: data is processed but typically not retained (UK ICO has issued guidance on retention limits). Exclusionary impact: lower than ID-upload.

4. Device-level age signals

Apple, Google proposals 2024-25

Apple's β€œDeclared Age Range” (announced February 2025) and Google's equivalent let the device pass an age signal to apps without the app seeing the underlying ID. The parent sets up the child's account once; downstream apps query the OS. Privacy cost: lowest of the four. Accuracy depends on parental setup honesty. Adoption depends on platforms accepting the signal (most have not committed yet).

FSC v. Paxton β€” what the Supreme Court actually decided

Texas HB 1181 (2023) required pornography websites to verify visitor age via government ID or transactional data. The Free Speech Coalition sued, arguing the law was an unconstitutional burden on adults' First Amendment right to access protected speech.

On June 27, 2025, the Supreme Court ruled 6–3 in Free Speech Coalition v. Paxton that intermediate scrutiny (not strict scrutiny) applies to age verification for sexually explicit content, and that HB 1181 survives intermediate scrutiny. The decision was authored by Justice Thomas; Justice Kagan dissented.

What the ruling did:permitted Texas's law to take effect and signaled to other states that similar laws targeting sexually explicit content would likely survive challenge under intermediate scrutiny.

What the ruling did not do: address age-verification mandates for social-media platforms generally (which carry First Amendment concerns of a different kind β€” protected speech that is not sexually explicit). Lower-court challenges to general social-media AV laws in California, Arkansas, Mississippi, Ohio, Utah, and Indiana remain unsettled.

The state-law landscape (May 2026)

Track active state bills on the GuardKids legislation tracker. High-level state of play:

  • Adult-content AV (post-Paxton): Texas, Louisiana, Mississippi, Utah, Arkansas, Montana, North Carolina, Virginia, Indiana, Tennessee, Florida, Kentucky, Georgia, Alabama, Idaho, Kansas, South Carolina, Oklahoma, Nebraska β€” laws in force.
  • Social-media AV (still contested): California AB 2273 (Age-Appropriate Design Code Act, partially enjoined), Utah Social Media Regulation Act (modified), Arkansas Social Media Safety Act (struck down), Ohio Parental Notification by Social Media Operators Act (struck down).
  • App-store-level AV: Utah SB 142 (2024) requires app stores to verify and share age signals with apps. Other states modeling on this approach.
  • Total social-media bans for under-16:Florida HB 3 (2024, partially in force), with bills pending in additional states modeled on Australia's 2024 national ban.

Federal action β€” KOSA, TAKE IT DOWN, and the COPPA 2.0 gap

At the federal level, two enacted or near-enacted laws touch age verification:

  • TAKE IT DOWN Act(Public Law 119-12, signed May 19, 2025) β€” requires platforms to remove flagged nonconsensual intimate imagery within 48 hours. Doesn't mandate AV, but creates a takedown obligation that is much harder to comply with at scale on platforms that don't know which users are minors.
  • Kids Online Safety Act (KOSA) β€” S.1748 in the 119th Congress. Imposes a duty of care on platforms to mitigate harms to minors and requires safer defaults for under-17 accounts. KOSA does not mandate age-verification technology, but the duty-of-care obligation is widely read to require platforms to know who their minor users are β€” implying some form of AV beyond the DOB field.
  • COPPA 2.0 (S.1418):would raise the protected-data threshold from under-13 to under-17 and require β€œactual knowledge or fair implication” that a user is a minor β€” implicitly imposing an AV obligation. Pending.

What works β€” and what doesn't

The honest answer about age-verification technology in 2026 is that no single method is privacy-preserving, accurate, and inclusive at the same time. A combination produces the best outcomes:

  • Device-level signals as the default:Apple/Google's approach is the highest-privacy option. Platforms accept the OS-passed age band; users never upload ID. Requires platform buy-in, which lags.
  • Facial estimation as a fallback: for users without device- level signals, vendor-side facial age estimation with strict retention limits (no images stored post-decision) is the next-best privacy posture.
  • ID upload as last-resort: reserved for high-risk verticals (adult content) where the friction is acceptable and the False Positive cost of a minor getting through is highest.
  • Mandatory transparency:if a platform uses any AV mechanism, it should publish how often it's applied, the false-acceptance and false-rejection rates by demographic group, and the data-retention policy.

Where each major platform stands on AV

Quick map to the platform report cards:

Sources

  • Free Speech Coalition v. Paxton, 605 U.S. ___ (2025), decided June 27, 2025.
  • Pew Research, Teens, Social Media and Technology 2024.
  • In re: Social Media Adolescent Addiction, MDL 3047 (N.D. Cal.) β€” pleadings re: Meta's estimate of under-13 users.
  • Apple, Declared Age Range API, developer documentation, February 2025.
  • UK Information Commissioner's Office, Age Appropriate Design Code and 2024 facial-estimation guidance.
  • S.1748 β€” Kids Online Safety Act (119th Congress).
  • Public Law 119-12 β€” TAKE IT DOWN Act.
  • S.1418 β€” COPPA 2.0 (Markey-Cassidy), 119th Congress.
  • Texas HB 1181 (2023); Utah SB 142 (2024); Florida HB 3 (2024).

Related investigations

If you suspect child abuse:πŸ“ž 1-800-843-5678