Normal view

Internet Age Gates Are a Growing Global Threat

5 June 2026 at 21:28

The internet is an essential resource for young people and adults to access information, explore community, and find themselves—both inside countries and across continents. Yet governments around the world continue to introduce and implement legislation requiring all online users to verify their ages before accessing the digital space. In some cases, politicians are going further, putting forth proposals to ban social media for younger users.  

In late 2025, Australia’s government rolled out the first complete ban on users under 16 from having social media accounts. In this sweeping regime, platforms are required to introduce age assurance tools to block under-16s, demonstrate that they have taken “reasonable steps” to deactivate accounts used by under-16s, and prevent any new accounts being created, or face fines of up to 49.5 million Australian dollars ($32 million USD). The 10 banned platforms—Instagram, Facebook, Threads, Snapchat, YouTube, TikTok, Kick, Reddit, Twitch, and X—have each said they’ll comply with the legislation, which led to young people losing access to their accounts overnight. Reddit is currently challenging the law in Australian courts on constitutional grounds. Recent research notes how the ban is preventing teenagers from accessing news in the country. 

In the United Kingdom, rules took effect in mid-2025 under the Online Safety Act that require all online services available in the country to assess whether they host content considered harmful to children; if so, these services must introduce age checks to prevent children from accessing such content. Online services are also required to change their algorithms and moderation systems to ensure that content defined as harmful, like violent imagery, is not shown to young people. 

This approach is reckless, short-sighted, and we’ve already seen it introduce more harm to the young people that it is trying to protect. The UK’s scramble to find an effective age verification method shows us that there isn't one, and we’ve spent years urging UK politicians to abandon any measures that require platforms to collect data or remove privacy protections around users’ identities. 

Earlier this year, Indonesia’s Communications and Digital Affairs Minister, Meutya Hafid, announced that users under 16 would have their accounts on “high risk” platforms deactivated from 28 March. The platforms subject to this ban are YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox; with Hafid noting how this policy would make Indonesia “the first non-Western country to delay children's access to digital spaces according to age.”

Similarly, the Malaysian government has recently pushed forward with plans to ban users under 16 from having accounts on social media platforms with at least 8 million users in Malaysia, including Facebook, Instagram, TikTok, and YouTube. Users under the age of 16 are being told to download or transfer their data from these platforms in one month before the restrictions are applied. Platforms failing to comply with the ban may face penalties of up to $2.5 million USD.

In Latin America, Brazil approved a new law in 2025 establishing that providers of information technology products and services directed to children and teenagers, or likely to be accessed by them, must conduct age checks when their products and services offer risks to underage users. Regulation requires age assurance for products and services that are not allowed for children and adolescents in accordance with Brazilian legislation. App stores and operating systems are required to provide age signals for other providers. 

While the law is already in force, full compliance with its obligations is expected for early 2027, after the approval of further regulations and a transition period, and the authority responsible for enforcing the law is the Brazilian National Data Protection Agency. The list of concerns regarding the implementation of the law include: the wide scope of products and services that may fall within age-check obligations, how these obligations can affect non-proprietary operating systems and free software projects, and how effective the law's crucial data protection safeguards will be in a context of likely widespread age checks for accessing content online.

Similarly, the European Union has taken large steps towards mandatory age verification that could undermine privacy, expression, and participation rights for everyone. Politicians are promoting an EU-wide approach to age verification through its age verification “app,” which will be fully interoperable with the Digital Identity Wallet. While this mini-app has been announced as technically ready to be rolled out “for citizens to use,” it comes with its own realm of potential privacy and security concerns, such as long-term identifiers (which could result in tracking) and over-exposure of personal information. 

The European Commission also supports age verification in various legislative initiatives, from proposals that would allow or mandate companies to scan our communication (“Chat Control”) to non-binding guidelines of existing laws, such as the Digital Services Act. The EU Parliament, too, has proposed an EU digital minimum age of 16 for access to social media, a move that aligns with EU Commission’s president Ursula von der Leyen’s recent public support for measures inspired by Australia’s model. To all these initiatives EFF has provided one consistent response: mandatory age verification measures are not the right way to protect young people. 

These proposals restrict the fundamental rights of young people to speak to each other and to access information. They also force all internet users, not just those under a certain age, to upload private data—like a face scan or passport—in order to access a website or service. In considering the vast scope of privacy issues pertaining to the collection, storage, and sharing of this personal information, the problems of age verification in restricting free speech are compounded by these reckless and harmful approaches to verification. 

The problem of censorship and surveillance goes far beyond the borders of the internet. EFF continues to explore support for legislative and litigation challenges that recognize how these laws harm everyone’s rights to privacy, free expression and due process.

One Step Forward, Two Steps Back: CA's AB 1856 Exempts Open Source But Expands Age-Gating

29 May 2026 at 22:15

After public outrage, California lawmakers are moving closer to exempting open-source operating systems from the sweeping age-bracketing regime mandated by last year’s Digital Age Assurance Act (AB 1043). Nonetheless, the current bill still jeopardizes internet users’ speech, privacy, and security.

While the open source exemption, if passed, would improve the law, the remaining amendments proposed by AB 1856 would require all web browsers and websites to request and collect users’ ages. This is an expansion of last year's AB 1043's age-bracketing system that compounds its constitutional harms to users’ speech, privacy, and security. As AB 1856 moves on to the Senate, EFF will continue fighting for amendments that reduce those harms.

AB 1856 Extends AB 1043’s Age-Gating Regime

Last year, California passed AB 1043, which requires all operating systems and app stores to create age-bracketing systems that segment users based on their ages. As we’ve written, that regime is a recipe for censorship: it creates unnecessary and unconstitutional barriers to accessing lawful online speech, threatens our right to anonymity, and pressures online services to collect troves of valuable and sensitive user data. On top of that, A.B. 1043’s wide-sweeping compliance burdens impose disproportionate harms on the open-source ecosystem that underpins much of the modern web. 

Given these flaws, lawmakers introduced AB 1856 this year as a supposed “clean-up” bill for AB 1043. But instead of sticking to fixing AB 1043’s unique and serious harms (like its impact on open-source operating systems), AB 1856 also expanded the regime even further—extending its age-bracketing requirements beyond operating systems and app stores to browsers and websites. 

EFF opposed AB 1856 on two grounds, which we explained in our opposition letter to the Assembly: 

  1. The harms that age-gating regimes pose to users’ speech, privacy, and anonymity; and
  2. The disproportionate harms that this particular regime imposes on open-source developers. 

Open Source Concerns Somewhat Alleviated By Amendment

On May 28th, AB 1856 passed the Assembly in a nearly unanimous vote (68-1). 

Before that vote, however, AB 1856 was amended to relieve the compliance burden on open-source operating systems. This is a meaningful improvement and a welcome relief for open-source developers, who have been loud and clear about how much of an existential threat A.B. 1043’s age-gating mandate would pose.

The new exception reads:

Operating system provider” does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.

EFF understands this amendment to exempt open-source operating systems from the requirement to collect and transmit users’ age-bracket data. That is a definite win for open-source developers. The bill is narrower now than it was before, and lawmakers clearly responded to concerns raised by EFF and the broader open-source community. 

Some important questions still remain—for example, it is unclear how the law would apply when an open-source operating system is incorporated into a commercial product or service. And, given the structure of where the exemption is placed under the “operating system provider” definition, lawmakers could stand to clarify that the exemption applies to open-source operating systems and applications.

Nonetheless, that ambiguity aside, this amendment does substantially reduce the threat that AB 1043 could have on many open-source developers. 

AB 1856 Still Expands the Problematic Age-Bracketing Regime

Don’t get us wrong—if this bill passes, we will be very happy that AB 1043 does not pose nearly the amount of harm to our friends behind open-source operating systems. But even after these amendments, EFF remains opposed to AB 1856 because it ultimately expands California’s sweeping age-bracketing framework far beyond the original scope of AB 1043. 

In AB 1856 and its amendments, the Assembly failed to address the core problem with AB 1043’s age-bracketing regime: mandated age-gating systems threaten users’ speech, privacy, anonymity, and security. 

Even after these amendments, EFF remains opposed to AB 1856 because it ultimately expands California’s sweeping age-bracketing framework far beyond the original scope of AB 1043. 

Even though AB 1043 does not explicitly require companies to perform age verification, it nonetheless imposes a liability structure that strongly pressures companies to verify users’ ages anyway. In practice, that could lead to more ID checks, more biometric scanning, more invasive data collection and risk of breach, and more barriers to adults’ and young people’s lawful speech.

In fact, instead of narrowing AB 1043’s wide net, AB 1856 expanded it to add browser providers and website operators to the list of entities that must comply with its age-bracketing requirements. This dramatically broadens the scope of AB 1043 and pulls more services, developers, and users into an anonymity- and privacy-destroying data collection framework that has not yet been implemented or evaluated. The result would make it nearly impossible for regular internet users to avoid AB 1043’s age gates.

The Fight Moves to the Senate

On those grounds, EFF will continue to oppose AB 1856. Though it has passed the Assembly, the fight is not over. As the bill moves through the Senate, we’ll continue to push for amendments that actually “clean up” and narrow the scope of AB 1043, and offer more protection to users from the harms of age-gating systems.

❌