Age Verification Laws in 2026: A Global Compliance Guide

Age verification in 2026 is a legal requirement across a growing set of jurisdictions — not a best practice.

Online platforms have operated on the assumption that a checkbox is enough. "I confirm I am over 18" is the totality of age verification on most consumer-facing services. That assumption is ending. Governments across four continents have passed or are actively enforcing legislation that requires real age checks — not self-declaration — as a condition of accessing adult content, gambling services, social media, and age-gated retail. This guide maps the major regulatory regimes, explains the technical methods regulators accept, and covers what privacy-preserving age verification means in practice.

Key takeaways

• Age verification laws are being enforced, not just drafted. The UK Online Safety Act and Australian online safety framework are among the most advanced in mandating technical age assurance for specific platform categories.
• Regulators accept multiple methods but are converging on two: document-based date-of-birth (DOB) verification and facial age estimation. Self-declaration is not accepted as age assurance in most regulated contexts.
• Age Estimation ($0.10 per check) provides a privacy-preserving signal — no document required, no personally identifiable information (PII) retained — appropriate where an approximate threshold (18+, 25+) is sufficient.
• Document-based DOB verification provides regulatory-grade certainty; Didit's ID Verification module covers 14,000+ document types across 220+ countries.
• Data minimization matters — regulators increasingly require that only the minimum data necessary for age assurance is collected and that PII is not retained after the check.
• App-store age checks (Apple and Google) add a parallel layer — mobile-first platforms may face both statutory and platform-level requirements simultaneously.

The regulatory landscape in 2026

UK: Online Safety Act

The UK Online Safety Act (OSA) places duties on platforms hosting pornographic content and certain other categories to implement robust age verification. Ofcom — the UK communications regulator — is the enforcement authority. The OSA does not prescribe a single technical method; it requires that platforms implement age assurance proportionate to the harm profile of their service.

Ofcom's guidance has moved toward expecting technical controls that materially reduce under-18 access, with self-declaration explicitly identified as insufficient. Penalties under the OSA include fines up to £18 million or 10% of global annual revenue, and the possibility of service blocking for non-compliant platforms. The OSA applies to user-to-user and search services accessible to UK users regardless of where the platform is incorporated — a UK user accessing a US-headquartered platform falls under its scope.

EU: Digital Services Act

The EU Digital Services Act (DSA) addresses age verification primarily for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). Obligations include risk assessments covering access by minors and systemic mitigation measures for platforms whose services present foreseeable risks to children.

The DSA operates alongside national legislation in EU member states. Several member states — including Germany, France, and Spain — have enacted or are enacting national-level age verification requirements for adult content platforms, with document-based or certified age-assurance provider obligations. DSA enforcement sits with the European Commission for VLOPs; national Digital Services Coordinators handle smaller platforms. Cross-border applicability means a platform headquartered outside the EU but serving EU users is subject to DSA obligations proportionate to its reach.

US: State-level legislation

The United States has not passed a federal age verification law as of mid-2026, but more than a dozen states have enacted legislation requiring age verification for online adult content and social media access by minors. Louisiana's HB 142 was an early template, requiring commercially reasonable age verification for adult content platforms. Utah, Texas, Virginia, Arkansas, and others have followed with similar frameworks.

State enforcement has been uneven and several laws face constitutional challenges on First Amendment grounds. The legal landscape is unsettled. However, the direction of travel is clear: state-level age verification requirements are proliferating, and platforms serving US users without an age assurance strategy carry accumulating legal exposure in multiple jurisdictions simultaneously.

Australia

Australia's Online Safety Act 2021 established the eSafety Commissioner with enforcement powers over online content and platform conduct. The Australian government has since published an Age Verification Roadmap and conducted consultations on mandatory age assurance for high-risk platform categories. The direction is toward technically robust age verification requirements with a technology-neutral, outcome-focused standard — platforms must demonstrate that their approach is effective, not merely that they checked a particular box.

App-store age checks

Apple and Google have each tightened their age rating and parental-control frameworks. Apps categorized as adult content on the App Store (17+) or Google Play (18+) face restrictions on distribution, in-app purchase capability, and discoverability. Separate from statutory law, these platform-level requirements effectively mandate age assurance for any business that depends on mobile app distribution — including gambling, alcohol, tobacco, dating platforms, and social services with adult content. A platform that satisfies the legal requirements in its primary jurisdiction still faces app-store policy requirements as a parallel obligation.

Methods regulators accept

Document-based DOB verification

A government-issued ID is captured, the date of birth (DOB) is extracted, and the applicant's age is calculated at the point of check. This is the highest-certainty method: it provides regulatory-grade evidence that the platform performed a real, documented age check.

The trade-off is data minimization. Regulators — particularly in the EU under GDPR (General Data Protection Regulation) — expect that only the minimum data necessary is processed and retained. The age-positive check (age ≥ 18) is the relevant output; retaining the full document image is harder to justify. Privacy-compliant document-based age verification extracts DOB, performs the age calculation, and discards the raw document data. Didit's workflow can be configured to return only the pass/fail threshold decision and discard the underlying document.

Facial age estimation

Facial age estimation runs a model against a selfie and returns an estimated age range. No document is required; no PII is extracted or stored. The model returns a probability distribution over age ranges rather than an exact date of birth — which makes it appropriate for use cases where a threshold (≥18, ≥25) is the requirement, not a specific DOB.

Age estimation is the privacy-minimizing method: the selfie is processed, the age estimate is returned, and the image is discarded. It is not appropriate in contexts where regulators require documentary proof of age or where the exact age determination may be contested. For borderline cases — a user whose estimated age falls near the threshold — a step-up to document-based verification provides the regulatory-grade record.

Didit's Age Estimation module costs $0.10 per check.

Privacy and data minimization expectations

GDPR and equivalent national frameworks impose a data minimization principle: collect only the data necessary for the stated purpose. Age verification's stated purpose is confirming that a user meets an age threshold — not building a database of document copies or biometric profiles.

Regulators and privacy advocates are watching age verification implementations closely. Platforms that collect and retain document images or facial photographs beyond what is needed for the check expose themselves to data protection enforcement separate from age verification enforcement. The technically sound approach is to run the check, return the decision (age ≥ N: pass/fail), and discard the raw inputs.

Didit's session model supports this: the workflow captures the data, runs the analysis, and the platform receives the age decision. Document image and biometric retention are configurable; operators with strict data minimization requirements can set retention to none.

Use cases

Adult content platforms — UK OSA and state-level US laws require robust age assurance. Document-based DOB verification (or a certified age-estimation approach proportionate to the platform's risk profile) is the primary compliant path.

iGaming and sports betting — 18+ or 21+ age gates are regulatory requirements in every licensed jurisdiction. Document verification plus age calculation provides the audit trail for licensing compliance. Didit covers 220+ countries, matching the geographic spread of igaming operators.

Age-gated retail (alcohol, tobacco, vaping, cannabis) — online age gating for age-restricted product categories. Age Estimation as a lightweight first gate at $0.10; document verification as a step-up for cases near the threshold or for higher-value orders.

Social media and creator platforms serving minors — DSA obligations for VLOPs and national-level regulations in EU member states require platforms to assess and mitigate access by under-age users. Age estimation provides a non-intrusive first signal; document verification for elevated-risk accounts or features.

How Didit helps

Didit's ID Verification module handles document-based DOB verification for 14,000+ document types in 220+ countries — the regulatory-grade path for OSA, DSA, and state-law compliance. The workflow extracts DOB, computes age at the point of check, returns a pass/fail threshold decision, and can be configured to discard the document image in line with data minimization expectations.

For platforms where a document-free, privacy-preserving check is preferred, Didit's Age Estimation module runs facial analysis against a selfie and returns an estimated age range at $0.10 per check — appropriate for threshold gates where exact DOB is not a regulatory requirement.

Both modules are configurable in the Workflow Builder alongside liveness, face match, AML (Anti-Money-Laundering) screening, and other checks. A sensible implementation: Age Estimation as a first gate, step-up to document-based verification when the estimate falls within a configurable margin of the threshold. Friction lands only where the platform needs certainty.

Frequently asked questions

Is self-declaration compliant under the UK Online Safety Act?

No. Ofcom's guidance is explicit that self-declaration — a checkbox confirming age — is not sufficient for regulated platforms under the OSA. The requirement is for a technical control that materially reduces under-18 access.

What is the difference between age estimation and age verification?

Age estimation returns a probabilistic age range from a selfie — no document, no PII retained. Age verification extracts a date of birth from a document and computes exact age. Regulation typically requires document-based age verification for the highest-risk contexts; estimation is appropriate as a privacy-preserving first gate.

How does Didit handle GDPR data minimization for age checks?

Didit's workflow can be configured to extract only the age-determination output (age ≥ N: pass/fail) and discard the raw document. The decision is available via the API; document image and biometric retention are operator-configurable.

Does the $0.10 Age Estimation check replace document verification?

It depends on jurisdiction and risk profile. For UK OSA compliance, Ofcom's expectation is a robust technical age check — estimation alone may not be sufficient for the highest-risk platform categories. Use estimation as a first gate; step up to document verification for borderline cases or high-risk contexts.

Are 500 free checks included for age verification?

Yes — the 500 free verifications per month apply across all Didit modules, including Age Estimation and ID Verification.

Ready to get started?

• Product overview → User Verification (KYC)
• Trust and compliance hub → didit.me/security-compliance
• Pricing → didit.me/pricing — Age Estimation at $0.10, 500 free checks/month
• Start free → business.didit.me