The headline act
The UK government just announced it's banning under-16s from social media, with regulations landing before Christmas and enforcement kicking off in spring 2027. Prime Minister Keir Starmer called it "a line in the sand" after a national consultation pulled 116,000 responses. Ninety percent of parents backed it. Two-thirds of young people agreed at least some platforms should be off-limits.
Sounds reasonable, right? Here's the part nobody's leading with: to enforce this ban, every platform has to verify your age. And the verification mechanism they're settling on — ID upload or facial recognition scan — applies to everyone opening a new account. Not just kids. Everyone.
That's the story here. The child protection angle is real, sure. But what we're actually building is a mandatory age-check regime for the entire UK internet population.
What actually gets banned
The government's list reads like a who's-who of the platforms your teenager actually uses: Instagram, YouTube, TikTok, Snapchat, Facebook, and X. The criteria are specific: user-to-user platforms whose primary purpose is social interaction and which run algorithmic feeds. Messaging apps like WhatsApp and Signal are explicitly excluded, and so is YouTube Kids.
There's a narrow exemption list for educational services, e-commerce, and music streaming. Makes sense.
But the UK is going further than Australia's model, which took effect in December 2025 and was the first of its kind globally. High-risk features — livestreaming, stranger-contact functions — will be restricted by default for 16- and 17-year-olds too. The government calls this avoiding a "cliff-edge at 16." Roblox stays open, but chat features get locked down. AI "romantic companion" chatbots face an 18+ minimum, with intimate functions restricted more broadly for under-18s.
The government is also consulting on overnight curfews and forced breaks in infinite scrolling for under-18s, with details promised in July. Technology Secretary Liz Kendall framed it bluntly: "Tech companies have had countless opportunities to keep children safe, yet they have failed to act."
The catch: it's not just for kids
Here's where the policy quietly transforms. According to the government's own fact sheet, an account is treated as low-risk — and bypasses fresh verification — if it's been open for more than 16 years, has a credit card attached, or is linked to an email already age-verified elsewhere. Anyone who's already verified under the Online Safety Act doesn't need to do it again.
That's a grandfather clause. It does absolutely nothing for new accounts.
So if you create a social media account from scratch after the rules land — maybe you want a fresh pseudonymous handle, or you're simply a new user moving to the UK — none of those passive signals apply. The fallback is exactly what the fact sheet describes: a facial recognition check, or an ID upload.
In practice, what's billed as child protection becomes a rule that no adult can open a new account without proving their age. It's a lighter touch than the adult-content regime that's been running since July 2025 under the Online Safety Act — which requires "highly effective" age checks with no grandfathering at all — but the plumbing is identical. Ofcom has already opened investigations into more than 90 platforms and issued six fines under that existing regime.
Why the checks won't hold up
The cybersecurity community isn't opposed to keeping kids off social media. The objection is that the enforcement mechanism creates new risks while the controls themselves don't actually work.
Dr. Siamak Shahandashti at the University of York pointed to fresh empirical work from Politecnico di Milano testing age-verification methods deployed on adult sites. The researchers found low-to-medium robustness for nearly every method except credit-card checks. Most could be bypassed with tools and know-how within reach of motivated minors.
Their conclusion was blunt: mandated age verification currently functions as "compliance theatre." Shahandashti added that checks linked to real, physical ID could be made robust enough if clear standards were set. But we're nowhere near that.
Dr. Richard Gomer at the University of Southampton zeroed in on the second-order risk. Enforcing an under-16 ban means age-gating everyone, and that process is itself dangerous. Handing a passport or driving licence to platforms exposes people to identity theft or blackmail when those records inevitably leak — something already seen under the Online Safety Act rollout.
The data-breach problem nobody's talking about
This isn't theoretical. Responding to the ban, the Open Rights Group warned that over-16s will now have to surrender identity documents or biometric data to unregulated age-verification companies. They pointed to Discord as a platform that already suffered a major data leak after introducing age checks — 70,000 government IDs exposed.
The comment section on the original reporting is full of people connecting dots: Persona kept photos despite deletion claims. The Tea app had over 13,000 selfies and government IDs leaked to 4chan. Every platform that collects biometric or ID data becomes a target. The question isn't if these databases get breached. It's when, and how much damage they'll do.
The VPN gap that breaks everything
The well-documented weakness is that a VPN defeats all of it. The Online Safety Act targets sites, not users, so connecting through a server outside the UK sidesteps the check entirely. Some VPN providers reported signup spikes of up to 1,800% when adult-site enforcement began.
Any social media age-gate inherits the same gap. Australia's experience bears it out: research found more than 60% of children were still using social media months after that country's ban took effect.
The UK government has limited room to close this. A blanket VPN ban for the whole population has been ruled out — Baroness Lloyd told the Lords in October 2025 there were "no current plans to ban the use of VPNs," citing their legitimate uses. A children-specific clampdown is a different story, but the House of Lords already inflicted a government defeat on that amendment. The Commons rejected it across several rounds of parliamentary ping-pong.
The Act that received Royal Assent in April instead handed ministers a broad power to restrict children's online access by regulation. For now, nothing stops a determined adult or a determined 15-year-old from getting around it.
Where this is heading
It's worth noting where this sits in the broader picture. Since January 2025, the government has been building a GOV.UK Wallet and digital driving licence, pitched partly as a way to prove your age online and in person using the facial-recognition features built into modern phones. That's separate from this announcement and predates it.
But together they sketch a direction of travel: proving your age is increasingly a precondition for being online in the UK. Meta and YouTube have both argued that bans push teenagers toward less-regulated spaces rather than making them safer, with Meta advocating for device-level age checks so users aren't handing ID to every service separately.
The policy is real. The enforcement mechanism is flawed. The data-security risk is genuine and accelerating. And the VPN gap means the people most likely to circumvent it are exactly the ones the policy is designed to protect.
That's not a critique of the goal. It's an observation about the architecture we're building to achieve it.