The UK government plans to prohibit anyone under 16 from using social media, with regulations expected before Christmas and enforcement beginning in spring 2027.
To make this work, platforms will need to verify the age of their users. In real terms, anyone creating a new account will likely need to confirm they’re over 16 by submitting an ID document or completing a facial age estimation scan.
Existing long-standing accounts are mostly exempt, but registering a fresh account now triggers the verification process, effectively putting an end to anonymous sign-ups in the UK.
Security and privacy experts caution that these checks are easy to bypass, place everyone’s ID and biometric information at risk of being exposed in data breaches, and were pushed through with minimal political oversight.
The announcement
Prime Minister Keir Starmer unveiled the proposal on June 15, following a national consultation that received over 116,000 responses from parents, young people, and specialists.
The government reports that 90% of parents supported a ban for under-16s, and two-thirds of young people agreed that children under 16 should be barred from at least some platforms.
“That’s why we’re going further than any other country by banning social media for under-16s and introducing broader protections to give children their childhood back,” Starmer said.
“This is a line in the sand. Tech giants had their chance and failed.”
Technology Secretary Liz Kendall described it as a confrontation with the platforms: “Tech companies have had countless opportunities to protect children, yet they have failed to act. That is why we are taking power away from the tech giants and returning it to parents.”
What’s covered
The ban follows the model set by Australia, which introduced its own version in December 2025 as the first country to do so.
It will apply to user-to-user platforms “whose purpose is to enable social interaction” and that use algorithmic feeds. The government specifically names Instagram, YouTube, TikTok, Snapchat, Facebook, and X. Messaging apps like WhatsApp and Signal are explicitly excluded, as is YouTube Kids.
A narrowly defined exemption list will cover educational services, e-commerce, and music streaming.
The UK says it intends to go further than Australia.
High-risk features, such as livestreaming and strangers being able to contact children, will be restricted across a broader range of services, including gaming platforms like Roblox (the platform itself remains, but features like chat will be locked down).
To avoid a “cliff-edge at 16,” those stranger-contact and livestreaming restrictions will be enabled by default for 16- and 17-year-olds as well.
Separately, AI “romantic companion” chatbots that simulate sexual or roleplay relationships will be required to enforce an 18+ minimum, with intimate features restricted for under-18s on AI chatbots more broadly.
The government is also consulting on overnight curfews and breaks in infinite scrolling for under-18s, with further details expected in July.
The catch for adults: it’s the new accounts
The government’s reassurance is that most adults won’t face a fresh check.
According to a fact sheet, an account is considered low-risk if it has been active for more than 16 years, has a credit card linked to it, or is associated with an email that has already been age-verified elsewhere. Anyone who has already verified their age under the existing Online Safety Act would not need to repeat the process.
However, that exemption is essentially a grandfather clause, and it offers no protection for new accounts.
If you create a social media account from scratch after the rules take effect—whether you want a fresh pseudonymous handle or you’re simply a new user—none of those passive signals apply, and the fallback is exactly what the fact sheet describes: a facial recognition check or an ID upload. In practice, the regime quietly transforms what is marketed as child protection into a rule that no adult can open a new account without proving their age.
It’s a lighter approach than the adult-content regime, for now.
Since July 25, 2025, the Online Safety Act has required adult and other sensitive sites to implement “highly effective” age checks (typically an ID upload or a facial-age selfie) for every user, with no grandfathering.
Enforcement has also been aggressive. By February 2026, Ofcom had launched investigations into more than 90 platforms and issued six fines, and its scope had expanded to include Reddit, X, Discord, Bluesky, and AI services.
The social media age-gate doesn’t go that far yet, but it normalises the same infrastructure. In the current announcement, Ofcom has been asked to conduct a rapid study on how to verify whether someone is over 16.
The VPN loophole
The well-known weakness is that a VPN bypasses all of it. The Online Safety Act targets sites, not users, so routing through a server outside the UK sidesteps the check.
Some VPN providers reported signup surges of up to 1,800% when adult-site enforcement began.
Any social media age-gate inherits the same gap, and Australia’s experience confirms it. Research there found that more than 60% of children were still using social media months after that country’s ban.
The UK government has limited options for closing the loophole. A blanket VPN ban for the entire population has been ruled out.
In October 2025, a tech minister, Baroness Lloyd, told the Lords there were “no current plans to ban the use of VPNs,” citing their legitimate uses.
A children-specific restriction is a different matter. In February 2026, the government said its wellbeing consultation would examine “options to age restrict or limit children’s VPN use,” and in January 2026 the House of Lords inflicted a government defeat, voting 207 to 159 for an amendment to the then Children’s Wellbeing and Schools Bill that would require ministers to prohibit VPN providers from serving UK children.
To distinguish children from adults, that measure would in practice force providers to age-check every user. The amendment drew public petitions against it.
The Commons rejected it across several rounds of parliamentary ‘ping-pong,’ and the Act that received Royal Assent (became law) in April instead granted ministers a broad power to restrict children’s online access through regulation.
For now, nothing prevents a determined adult, or a determined 15-year-old, from getting around it.
What security and privacy researchers are saying
The cybersecurity concern isn’t with the goal itself, but with the fact that the enforcement mechanism introduces new risks while the controls themselves don’t hold up.
Dr. Siamak Shahandashti, a senior lecturer in cyber security and privacy at the University of York, highlighted recent empirical research from Politecnico di Milano testing age-verification methods deployed on adult sites.
The researchers found low-to-medium robustness for nearly every method except credit-card checks. Most could be bypassed with tools and knowledge within reach of “motivated minors.”
Their blunt conclusion, which Shahandashti quoted: mandated age verification currently functions as “compliance theatre.” He added that checks tied to real, physical ID could be made robust enough if clear standards were established.
Dr. Richard Gomer, a lecturer in computer science at the University of Southampton, focused on the second-order risk. Enforcing an under-16 ban means age-gating everyone, and that process itself is dangerous.
Handing a passport or driving licence to platforms, he warned, exposes people to identity theft or blackmail when those records inevitably leak—something already observed during the Online Safety Act rollout.
He also highlighted the quieter cost of the regulation pushing the web further from its original ideals of anonymous, open communication.
That data-breach risk is not hypothetical either.
Responding to the ban, the Open Rights Group (ORG) warned that over-16s will now have to hand over identity documents or biometric data to unregulated age-verification companies, pointing to Discord as a platform that already suffered a major data leak after introducing age checks.
James Baker, who leads ORG’s Platform Power and Freedom of Expression programme, argues the measures address symptoms rather than the root cause—namely the engagement-driven business models that reward harmful content—and has previously warned that the underlying powers were “rushed through without proper time for political scrutiny.”
Platforms aren’t supportive either.
Meta and YouTube both argue that bans push teenagers toward less-regulated spaces rather than making them safer, with Meta making the case that age checks should be handled on the device so users aren’t handing ID to every service separately.
The wider direction of travel
It’s worth considering where this fits. Since January 2025, the government has been developing a GOV.UK Wallet and a digital driving licence, promoted partly as a way to prove your age online and in person using the facial-recognition features built into modern phones.
That’s separate from this announcement and predates it. But together they sketch a direction of travel in which proving your age is increasingly a prerequisite for being online in the UK.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
