The State of Age Verification in 2026 — Aztec Labs
updates<br>blog.txt
Jun 23, 2026
The State of Age Verification in 2026
In the name of keeping children away from adult content, governments are pushing platforms to collect identity data on everyone using the internet. Platforms touching adult content, social media, gambling, and increasingly, any user-generated content now have to verify age, and the method each picks decides how much data it holds, where it sits, and how big a target it becomes.
Most of the solutions on offer today have fundamental flaws.
Why now
The honour system (self-policed "check the box" verification methods) held previously because the alternative meant friction and lost users, and regulators were content to let platforms self-police. Over the last several years, the societal impact of social media and seemingly more press coverage of the internet's darkest corners pushed a change of heart for regulators across the world. Age verification became a legal mandate in many places, with many more fast following.
In the UK, the Online Safety Act 2023 requires highly effective age assurance for adult content and a widening list of social features, enforced by Ofcom with real financial penalties. In the EU, the Digital Services Act obliges platforms to protect minors, and the eIDAS 2.0 framework has put the European Digital Identity Wallet on the critical path, with age verification as a cornerstone use case.
In the US, a patchwork of state laws now covers Texas, Louisiana, Utah and more than a dozen others, and in June 2025 the Supreme Court upheld Texas's age verification law. Australia has legislated a social media ban for under 16s. France, Germany and others are moving at different speeds, but in the same direction.
The result is the same across much of the world. Platforms that could previously ignore the age question can now be held legally responsible for not answering it appropriately.
Legacy age verification techniques
Three approaches dominate production today. Each one has major flaws, either failing to work correctly or collecting far more private information than the question requires.
Self-declaration
The checkbox is still everywhere. It is legally insufficient in most jurisdictions. No modern regulator accepts it on its own.
ID upload and manual review
Users photograph a passport or driving licence and a human or automated system checks it. Accuracy is high, but the byproduct is toxic. These systems result in centralised databases of verified government IDs, immense honeypots that are there for the taking.
As just one example of a digital platform that should never have held private information on its users: in October 2025, government ID photographs belonging to around 70,000 Discord users were exposed in a breach. Storing identity documents at scale has become a standing liability, with GDPR penalties for serious processing failures running into the hundreds of millions of euros.
Third-party identity platforms
Services like ID.me in the US, or national platforms like DigiLocker in India and BankID in the Nordics make verification fast once a user is onboarded. The real cost is data concentration and vulnerability. One platform holds verified identity for many organisations at once, so a single breach exposes all of them.
The 2024 National Public Data breach is a cautionary case. A US background check provider aggregating personal data from many sources was breached, exposing roughly 2.9 billion records including names, addresses, dates of birth and social security numbers. None of the businesses relying on that provider were hacked themselves. Their users were exposed anyway.
The common thread is collection. Every store of identity data is a target, and across enough platforms and enough years, the odds that none of them is ever breached fall to zero. Most of these companies are competent. It does not matter. When one person hands the same identity data to hundreds of services over decades, a breach somewhere becomes essentially guaranteed.
New types of age verification
The legacy model comes down to one bargain: hand over your ID and trust the platform to keep it safe. Its shared flaw is disclosure, forcing the user to reveal far more than the age question requires. The newer approaches refuse that bargain. Their shared aim is to answer the age question while learning nothing else. Two of these approaches have moved from concept into real deployment, and they take opposite routes to arrive there.
Biometric age estimation
Biometric age estimation skips documents entirely. A vendor like Yoti, VerifyMy or Incode takes a short selfie and returns an estimated age range, with no government ID and no account required. Ofcom has explicitly certified facial age estimation as highly effective age assurance under the Online Safety Act. It is the most widely deployed of the new methods in UK adult content compliance today.
The convenience of this method is...