digital-humans.org

Age verification has become one of the most consequential features quietly threaded through consumer software, and by 2026 it is no longer optional in large parts of the world. Under the UK Online Safety Act, platforms hosting pornography or other content deemed harmful to minors must use what Ofcom calls "highly effective age assurance" – a standard that rules out a simple checkbox and pushes services toward document checks, facial age estimation, or verified digital identity. The mechanics of how a platform decides you are old enough now sit at the intersection of child safety law, biometric privacy, and the same face-analysis technology that powers synthetic avatars.

That intersection is where this piece lives. Age verification is not a single technology but a stack of competing methods, each with a different cost, a different accuracy profile, and a different appetite for your personal data. The choices platforms make about which method to deploy – and how long they keep what they collect – increasingly define the privacy posture of the open internet.

Age verification in 2026

Three regulatory forces are driving the current wave. In the United Kingdom, the Online Safety Act came into force in stages, with age-assurance duties for services that publish or host pornographic content taking effect through 2024 and 2025 under Ofcom's guidance. The regulator has been explicit that self-declaration alone does not meet the bar; a service must be able to demonstrate that its method reliably distinguishes children from adults.

In the European Union, the revised Audiovisual Media Services Directive (AVMSD) requires video-sharing platforms to protect minors from harmful content, and the Digital Services Act layers on additional obligations for very large platforms. The European Commission has also floated a common age-verification approach tied to the emerging EU Digital Identity Wallet, which would let a user prove they are over 18 without revealing their date of birth or name.

In the United States, there is no federal statute, so the picture is a patchwork of state laws. More than a dozen states have passed age-verification requirements for adult content, several of which have been litigated on First Amendment grounds. The US Supreme Court's 2025 decision in the Texas case (Free Speech Coalition v. Paxton) upheld that state's requirement, which has emboldened further state legislation. Anyone building for the American market now has to track requirements state by state, because they diverge sharply.

Meanwhile the platform-level machinery has moved fast. Google age verification, for instance, has expanded well beyond a birthday field. Google has rolled out machine-learning age estimation across some of its services, using signals from account activity to infer whether a user is likely a minor, and offering document or card-based verification as a fallback when the inference is uncertain. The point is worth restating precisely: a growing number of consumer platforms now estimate your age before they ever ask it.

Verification methods

Four broad approaches dominate, and most large services blend them.

The first is document plus selfie. You photograph a government ID and then take a live selfie; software matches the two and confirms the document is genuine. This is the most robust method and the most invasive, because it exposes a full identity document to a third party.

The second is AI age estimation, in which a model analyses a selfie or short video and returns an estimated age band rather than an identity. No document changes hands. This is faster and less intrusive, but its accuracy falls off at the edges – precisely the ages that matter most for an 18 threshold.

The third is credit-card or payment verification, long used by adult sites as a rough proxy for adulthood. It is weak: cards can be borrowed, and it excludes adults without one.

The fourth is parental consent and account-level controls, the model favoured for younger children under regimes like the US Children's Online Privacy Protection Act. Here the question is not "prove your age" but "prove a parent authorised this."

Reusable digital identity – a wallet that issues a verified "over 18" credential once and presents it repeatedly – sits above all four and is the direction European policy is pushing. It promises data minimisation by design, since the platform learns only the answer to a yes-or-no question.

For platforms

For the businesses that must comply, the reality is a tension between two duties that pull in opposite directions. Regulators demand effective age assurance; data-protection law demands data minimisation. Collecting an ID satisfies the first and endangers the second, because every stored document is a breach waiting to happen. The 2024 and 2025 news cycles were dotted with age-verification and identity vendors suffering data exposures, each one a reminder that the safest data is the data you never retain.

The pragmatic answer most vendors offer is a broker model: a third party performs the check, returns a pass/fail token, and deletes the underlying image within seconds. Whether that deletion actually happens is a matter of contract and audit, not something the user can see. Platforms weighing this trade-off should read our analysis of identity verification in the AI era, which unpacks how these brokered flows work in practice.

For users

What actually gets verified is narrower than people fear and broader than they hope. In the best-designed flows, the platform receives only a boolean – over or under the threshold – and never sees your face or document at all. In the worst, a full ID scan lands in a database with unclear retention. The gap between those two outcomes is invisible at the moment of sign-up.

Retention is the concern to press on. Reputable providers publish deletion timelines measured in seconds or minutes for the raw biometric. Users should look for that claim, and for independent certification against standards such as ISO/IEC 30107 for presentation-attack detection. The uncomfortable truth is that you are trusting a disclosure you cannot verify yourself.

This is also where the field brushes against synthetic media. The same face models that estimate age can be spoofed with a deepfake selfie or a generated video, which is why liveness detection – confirming a real person is present, not a replayed clip – is now the harder engineering problem than age estimation itself. The techniques overlap with the concerns we cover in face recognition technology and privacy concerns, and the arms race between spoofing and detection mirrors the wider provenance fight around C2PA content credentials and watermarking systems like SynthID.

AI age estimation

The most interesting technical layer is facial age estimation, and two vendors define the conversation. Yoti, a UK company, publishes periodic white papers reporting the mean absolute error of its model – the average number of years by which its estimate misses. As of its recent public reporting, Yoti has claimed a mean absolute error in the low single digits of years for the young-adult range, with accuracy varying by age band, skin tone and gender. Those figures are self-reported and should be checked against Yoti's current age estimation white paper rather than taken as fixed.

FaceTec, better known for 3D liveness and face matching, occupies the adjacent space of confirming a live human is present. Independent evaluation matters here because both accuracy and demographic fairness vary. The US National Institute of Standards and Technology (NIST) runs ongoing evaluations of face and, increasingly, age-estimation algorithms; its data has repeatedly shown that error rates differ across demographic groups, which is the crux of the fairness problem. An age estimator that runs two years high for one population and two years low for another will wrongly block some adults and wrongly admit some minors, and it will do so unevenly.

The reliability question is not academic. A mean absolute error of a few years sounds tolerable until you set the threshold at 18 and add a safety buffer. To avoid admitting minors, platforms tend to require an estimated age comfortably above the legal line – say 25 – before waving a user through without a document. That buffer protects children and inconveniences a large band of young adults, who are pushed into the document flow they were trying to avoid.

How accurate is AI age estimation?

AI age estimation is accurate enough to sort clear adults from clear children but not precise enough to adjudicate the years immediately around 18 without a fallback. Vendors such as Yoti report mean absolute errors in the low single digits of years, but accuracy degrades near thresholds and varies across skin tone, gender and age band, which is why platforms apply an age buffer and route borderline cases to document verification.

Does age verification store my ID or face?

Whether age verification stores your ID or face depends entirely on the provider and its retention policy. Well-designed brokered systems return only a pass/fail result and delete the underlying image within seconds, while poorly configured or self-hosted systems may retain documents indefinitely. Users should look for a published deletion timeline and independent certification against presentation-attack standards, though these disclosures cannot be verified by the user directly.

A note on the culture-clash queries

Search behaviour reveals something about how age verification enters public consciousness: people often reach these systems through curiosity about specific individuals. Queries like the age of Grant Feely – the young actor cast as Anakin Skywalker in Star Wars projects – or the ages of the members of TXT, the K-pop group under HYBE, sit alongside the technical searches. The link is not incidental. Age is one of the most searched-for facts about any public figure, and platforms that host user-generated content about celebrities, minors among them, increasingly face the same assurance duties as any other service. When a teenage performer's fan community congregates on a platform, that platform's obligation to distinguish adult from minor users – and to protect the minors depicted – is exactly the compliance surface the Online Safety Act and AVMSD target. The mundane fan query and the regulatory machinery are two ends of the same wire.

For policy observers

The most important thing to understand about age verification is that it is not really about age. It is a general-purpose regulatory lever. Once a jurisdiction can compel platforms to verify a single attribute of every user, the architecture for compelling verification of other attributes exists too. Privacy advocates, including the Electronic Frontier Foundation and Open Rights Group, have argued consistently that mandatory age verification normalises identity checks across the open web and creates chilling effects, particularly for lawful adult expression and for users who cannot or will not produce documents.

The counter-argument, made by child-safety organisations and by regulators, is that the previous status quo – a self-declared birthday that any nine-year-old could falsify – was not neutral either. It exposed children to material with documented harms. The honest framing is that both harms are real and the policy question is which to weigh more heavily, not whether one exists.

Where this lands over the next few years depends on whether reusable, privacy-preserving credentials mature fast enough to defuse the trade-off. If a wallet can prove "over 18" without disclosing anything else, and if that proof is genuinely unlinkable across sites, the strongest privacy objection weakens considerably. If instead the market settles on document uploads brokered by a handful of vendors, age verification becomes a de facto identity layer for the internet – which is precisely what its critics fear and what the technology, on its current trajectory, is closest to delivering. Watching which of those futures the EU Digital Identity Wallet and the various national schemes actually produce is the single most useful thing a policy observer can do right now.