How does age verification work?

Current methods include government ID scanning, facial age estimation AI, credit card verification, and database cross-referencing. Each method requires sharing personal information with third-party verification services, creating new data stores that can be breached or subpoenaed.

Is age verification a privacy risk?

Yes. Every age verification system creates a record linking your identity to the content you accessed. These databases become targets for data breaches and can be accessed by law enforcement without a warrant in many jurisdictions. Privacy advocates describe it as building mass surveillance infrastructure one ID scan at a time.

Can you bypass age verification?

Technically yes — VPNs can circumvent geographic restrictions, and some verification methods have known weaknesses. However, new OS-level verification (as proposed in California and Colorado) would make bypassing much harder, as it would check age before you even open a browser.

Age Verification Laws in 2026: Every New Rule, Every Privacy Risk

Q: Which US states require age verification in 2026?

As of May 2026, approximately 25 US states enforce some form of age verification for adult content or social media. Key states include Texas, Utah, Virginia, Arkansas, Louisiana, Mississippi, Montana, and Indiana. California SB 976 and a Colorado copycat bill go further, requiring age verification at the operating system level by end of 2026.

STATUS: Mass rollout in progress AFFECTED POPULATION: Every internet user in approximately 25 US states, all of Australia, and soon every Discord user globally CORE PROBLEM: Each new age verification law builds another piece of surveillance infrastructure, and your government ID scan is the raw material --- The numbers as of May 2026 Roughly half of US states now mandate some form of age gating for adult content or social media access. The Free Speech Coalition tracks active enforcement in approximately 25 states, with additional laws scheduled to take effect throughout 2026 and into 2027. The states with active enforcement include Texas, Utah, Virginia, Arkansas, Louisiana, Mississippi, Montana, Indiana, Idaho, Kansas, North Dakota, Oklahoma, South Carolina, Florida, Alabama, Georgia, Nebraska, and others. Several more have passed laws currently facing court challenges. The pace has accelerated dramatically. In 2023, only a handful of states had active age verification laws. By early 2025, the count had doubled. By mid-2026, it has nearly doubled again. Additional laws are expected to take effect in 2026, including Nebraska's Parental Rights in Social Media Act (effective July 1, 2026) and Missouri's administrative rule (effective November 2025). There is no federal age verification law. There is no federal opt-out. The patchwork grows state by state. California SB 976: Age verification at the OS level California's SB 976, the "Protecting Our Kids from Social Media Addiction Act," represents the most aggressive approach in the country. Rather than requiring individual websites to verify age, SB 976 shifts the burden to the operating system itself. The law, which took effect January 1, 2025, requires age verification by December 31, 2026. Under SB 976, operating systems — iOS, Android, Windows, macOS, and potentially Linux — must estimate or verify the age of the primary user and transmit a digital "age signal" to any app or website that requests it. This means your phone or computer would verify your age before you even open a browser. The age signal would be available to any app that asks for it. On November 12, 2025, NetChoice sued in the Northern District of California. Judge Edward John Davila blocked sections of SB 976 that required time-of-day restrictions on social media access. The age verification provisions remain in effect pending further litigation. The EFF called 2025 "the year states chose surveillance over safety," specifically citing SB 976 as a turning point where age verification moved from website-level checks to device-level identity infrastructure. Colorado SB26-051: The copycat Colorado's SB26-051, introduced in early 2026, mirrors California's OS-level approach. The bill requires operating systems to register the device owner's birthdate or age and share an "age bracket" with third-party apps through an API. The bill is sponsored by state Senator Matt Ball and assigned to the Senate Business, Labor & Technology Committee, with a hearing held February 24, 2026. If enacted without a safety clause, the effective date would be August 12, 2026. The Register reported that System76 — the Colorado-based Linux hardware manufacturer — attempted to talk lawmakers down from the bill, arguing that open-source operating systems like Pop!_OS and Linux distributions generally cannot comply with the age attestation requirements without fundamentally altering their architecture. Similar bills have been introduced or proposed in New York, Illinois, Louisiana, Texas, Utah, and Brazil. The California-Colorado model is becoming the template. Australia: Age verification for almost everything Australia has moved faster and further than any other country. The Online Safety Amendment (Social Media Minimum Age) Act 2024 banned social media access for users under 16, effective December 2025. The eSafety Commissioner approved age verification methods including government ID upload, biometric facial age estimation, digital ID tokens, and third-party verification services. But Australia didn't stop at social media. In 2026, the government expanded age verification requirements to cover R-rated games, websites with adult content, and search engines. Australians now need to verify their age to use Google and Bing. The expansion coincides with the opening of Australia's Digital ID system to private companies in 2026. Civil liberties groups have warned that the age verification infrastructure and the digital identity system are being built to interlock — the social media ban was the first step, and broader mandatory identity verification is the destination. As one Australian Redditor summarized: "If age verification is mandated for any social media platform, proving your identity also means creating a digital trail between your online activity and your government ID." Discord: Mandatory global age verification On February 9, 2026, Discord announced mandatory global age verification for all users. Under the "teen-by-default" system, every user would receive a teen-appropriate experience by default. To access age-restricted channels, sensitive content, or adult settings, users would need to verify their age through face scans or government ID uploads. The announcement drew immediate criticism. Discord had suffered a significant data breach just months prior. The EFF published a detailed critique titled "Discord Voluntarily Pushes Mandatory Age Verification Despite Recent Data Breach," noting the irony of a company that couldn't protect existing user data now collecting government ID scans and biometric data. On February 25, 2026, Discord CTO Stanislav Vishnevskiy announced a delay. The global rollout, originally scheduled for March 2026, would move to the "second half of 2026" to expand verification options, increase vendor transparency, and publish technical documentation. The delay does not change the plan. Discord will still require age verification globally. It just needs more time to build the infrastructure. How age verification actually works Every age verification method requires sharing personal information with a third party. There are no exceptions. Government ID scanning: You photograph your driver's license, passport, or national ID card. The image is processed by a verification service that extracts your name, date of birth, address, and ID number. The service confirms you are who you say you are and reports a yes/no to the requesting platform. Facial age estimation AI: A camera captures your face. An AI model estimates your age range. Some systems combine this with liveness detection to confirm you are a real person, not a photograph. The biometric data may or may not be stored depending on the vendor. Credit card verification: The system runs a $0 or $1 authorization on your credit card. Since you must be 18 to hold a credit card in most jurisdictions, a successful charge serves as proof of age. This links your browsing activity to your financial identity. Database cross-referencing: The verification service checks your personal details against commercial databases — the same ones data brokers use. If your information matches records indicating you are over 18, you pass. This means data brokers are effectively being written into age verification law as identity infrastructure. OS-level age signals (new): Under California SB 976 and Colorado SB26-051, your operating system would verify your age once during device setup and then broadcast an age bracket to any app that requests it. This creates a persistent, device-level identity marker. Each method creates a record. Each record can be breached. Each database can be subpoenaed. The privacy risks, explained Age verification is not a neutral technical process. It is identity infrastructure, and identity infrastructure is surveillance infrastructure. Data breaches are inevitable. Every company that collects age verification data becomes a target. Discord was breached before announcing its verification plan. The major ID verification vendors — Yoti, Veriff, Jumio, Onfido — hold millions of identity documents. A single breach of any of these vendors exposes government IDs, facial biometrics, and the browsing activity those IDs were used to access. Law enforcement access requires no warrant in many jurisdictions. Age verification databases are commercial records, not medical or communications records. In most US states, law enforcement can obtain them with a subpoena rather than a warrant. The legal standard is lower, and the subject may never be notified. The data persists beyond the verification event. Most age verification services retain data for fraud prevention and compliance purposes. Your ID scan from verifying your age on a single website may be stored for years, long after you've forgotten about it. The architecture enables function creep. A system designed to verify that you are over 18 can also verify that you are a specific person. A database of age verifications is a database of identities linked to online activity. The same infrastructure that blocks a 15-year-old from Pornhub can be repurposed to track which 35-year-old visited a protest organizing page. The slippery slope is not theoretical The trajectory is already visible: 2023: Age verification for pornographic websites (Texas, Utah, Virginia, Arkansas) 2024-2025: Age verification for social media platforms (multiple states, Australia) 2026: Age verification at the operating system level (California, Colorado) 2026: Mandatory global age verification on messaging platforms (Discord) Next: Age verification for search engines (already law in Australia), e-commerce, and any website a legislator deems "harmful to minors" Each expansion uses the same justification: protecting children. Each expansion builds on the infrastructure created by the previous one. Each expansion normalizes the idea that you must identify yourself to access the internet. The slope is not slippery because of speculation. It is slippery because the laws themselves contain no limiting principle. Once you accept that the government can require age verification for one category of content, there is no legal mechanism to prevent it from expanding to another. North Dakota SB 2380 already goes beyond adult content. It requires device manufacturers and operating systems to estimate the age of the primary user and transmit a digital age signal to websites and apps, which must block access to "mature content" for users under 18. "Mature content" is undefined in the bill. The FTC's double-edged gamble On February 25, 2026, the FTC issued an Enforcement Policy Statement promoting the adoption of age verification technology. The statement declared that the FTC would not bring enforcement actions under COPPA against operators who collect, use, or disclose personal data solely for age verification purposes. In plain language: the FTC gave companies permission to collect personal data for age verification without facing COPPA liability. The stated goal is to encourage robust age checks. The practical effect is to create a new category of data collection with reduced regulatory oversight. TechPolicy.Press called it a "double-edged gamble," noting that the policy trades one risk for another — it may improve age verification compliance, but it also creates new incentives for data collection with fewer guardrails. Separately, the FTC sent warning letters to 13 data brokers in early 2026 for potential non-compliance with the Protecting Americans' Data from Foreign Adversaries Act (PADFAA). The letters highlight growing FTC scrutiny of data broker practices — but also confirm that data brokers are deeply embedded in the age verification ecosystem. Several age verification methods rely on database cross-referencing with commercial data brokers. The same companies the FTC is warning about selling data to foreign adversaries are being written into law as identity verification infrastructure. No federal opt-out There is no federal law that allows you to opt out of age verification requirements. There is no national privacy law that limits what age verification companies can do with your data. There is no federal standard for how long your ID scan is retained or who it can be shared with. The state-level privacy laws that exist — CCPA in California, CDPA in Virginia, CPA in Colorado — provide some rights over your personal data. But they contain exceptions for data collected for "security" or "fraud prevention" purposes, which is exactly how age verification companies categorize their data collection. In practice, if you live in a state with an age verification law, you cannot access the covered content without submitting to verification, and you have no meaningful control over what happens to your data after you do. What you can actually do Use a VPN. Geographic restrictions are the weakest link in current age verification laws. A VPN can route your traffic through a state or country without verification requirements. OS-level verification under California SB 976 would make this harder, but the law is still facing legal challenges. Limit what you share. If age verification is unavoidable, choose the method that shares the least data. Facial age estimation, while imperfect and biometric, does not typically transmit your legal name or government ID number. It is the least bad option among bad options. Support organizations fighting these laws. The EFF, the Free Speech Coalition, and the Center for Democracy & Technology are actively litigating against age verification requirements. NetChoice has filed suits in multiple states. Pay attention to your state legislature. These laws are being passed state by state. Many pass with minimal public awareness. Check the Free Speech Coalition's tracker for your state's status. Demand data deletion. Under state privacy laws where they apply, you can request deletion of your personal data from age verification services. Exercise this right after every verification if possible. Do not trust "anonymous" verification claims. Some vendors claim to verify age without storing identity data. These claims are unverifiable, and several vendors have been found to retain more data than their privacy policies disclosed. Treat every verification as though your data will be stored indefinitely — because it probably will be. --- The infrastructure being built in 2026 will outlast every law that created it. Databases persist. Vendor relationships persist. The normalization of presenting government ID to access the internet persists. Every age verification law is a brick in a wall that will not come down on its own. The question is not whether age verification works. The question is what it costs — and who pays.