Sona.
World news, made local

Age checks are becoming platform infrastructure

The next phase of online safety is less about a pop-up birthday box and more about how platforms prove age without collecting too much.

Image caption: Age checks are moving from a flimsy birthday box to a design problem about risk, privacy and access. (Image: AI generated)

For years, the weakest part of many online age gates was their honesty test. A site asked for a birth date, the user typed the date that opened the door, and everyone understood the ritual. It was not really proof. It was a speed bump with a calendar attached.

That era is ending, at least for platforms and services that fall under tougher online safety rules. The useful story is not that every website is about to demand a passport. It is that age checks are turning into platform infrastructure: a technical, legal and product-design layer that decides when a service needs confidence about a user’s age, what evidence is proportionate, and how much personal data it is allowed to touch.

The UK is now one of the clearest test cases. In March 2026, Ofcom and the Information Commissioner’s Office published a joint statement on age assurance, aimed at services likely to be accessed by children and covered by both the Online Safety Act and UK data protection law. The statement is deliberately practical. It says the regulators share a risk-based, flexible and technology-neutral approach, while also making clear that self-declaration alone is not an effective way to determine age or keep underage users out where stronger checks are required.

That matters because the Online Safety Act has moved beyond theory. GOV.UK says illegal content duties have applied since 17 March 2025, and child safety duties since 25 July 2025. The same government collection says platforms are now required to use highly effective age assurance to prevent children from accessing pornography or content encouraging self-harm, suicide or eating disorders. Ofcom is the online safety regulator, with enforcement powers that can include major fines and, in serious cases, court action to block services.

For users, the visible change may feel smaller than the legal architecture behind it. More services may ask for a stronger age signal before showing certain content or features. A social app may separate younger users from adult recommendations. A video service may gate a high-risk area more firmly than a general homepage. A forum or search feature may need different controls depending on the likely audience and the kind of content it carries.

The important word is proportionate. The joint statement does not tell every service to collect the same document, face scan or account detail. It recognises that all age assurance methods involve processing personal data, but says that processing can be lawful where it is necessary, proportionate to the risks and compliant with data protection law. In plain English, the age check has to fit the harm it is trying to reduce. A low-risk design choice should not become an excuse to build a permanent identity file.

That is where the next fight over age checks will sit. Parents and child-safety campaigners want systems that are harder to dodge than a typed birthday. Privacy advocates worry that poorly designed checks could create new tracking systems, exclude people unfairly or make adults hand over sensitive details to visit legal sites. Both concerns can be true at the same time.

The European Data Protection Board made the same tension explicit in its 2025 statement on age assurance. It said age checks can affect data protection, non-discrimination, bodily integrity, liberty, security and freedom of expression and information. It also said age assurance should not give service providers extra ways to identify, locate, profile or track people. That is a sharp test for vendors selling neat-sounding verification products. The safer online door should not quietly become a surveillance turnstile.

Good implementation will probably look boring. It will explain why an age check appears, what method is being used, who receives the data, how long anything is kept and what happens if the check is wrong. It will avoid collecting more than is needed. It will give adults a route through without making legal access depend on one fragile technology. It will treat children’s privacy as part of safety, not as a paperwork issue to be solved later.

Bad implementation will be easy to spot too. It will over-collect, hide the real data flow, nudge users towards the most intrusive method, or treat a failed estimate as the user’s problem. It may also confuse age assurance with parental control. The first is a service’s method for assessing age or age range. The second is a household choice about limits and supervision. They can overlap, but they are not the same product.

The broader platform lesson is familiar. Regulation often sounds abstract until it reaches a settings screen. The Digital Markets Act becomes an interoperability prompt. Product safety rules become an update promise. Online safety law becomes a risk assessment, an appeal path and a different age gate.

Age checks will not make the internet safe by themselves. They can be bypassed, misapplied or turned into another data grab. But the old birthday box is no longer credible as a serious safety system. The next version of online age checking will be judged less by how strict it looks and more by whether it proves enough, collects little and explains itself clearly.

Editorial note. This article is general technology information. It is not legal, privacy, child-safety or platform compliance advice.

Sources

  1. Source: ICO, "Joint statement from ICO and Ofcom on age assurance", Extracted 2026-06-15. Verified: publication date, joint Ofcom and ICO framing, target services likely to be accessed by children, and link between online safety and data protection obligations
  2. Source: Ofcom and ICO, "Age Assurance: A Joint Statement", Extracted 2026-06-15. Verified: risk-based, flexible and technology-neutral approach, self-declaration alone not effective, all methods process personal data, and processing must be necessary, proportionate and compliant
  3. Source: GOV.UK, "Online Safety Act", Extracted 2026-06-15. Verified: Online Safety Act status, 17 March 2025 illegal content duties, 25 July 2025 child safety duties, highly effective age assurance for specified high-risk content, Ofcom role and enforcement powers
  4. Source: GOV.UK, "Online Safety Act: explainer", Extracted 2026-06-15. Verified: scope covering social media, search and user-interaction services, proportionality framing and Ofcom enforcement context
  5. Source: European Data Protection Board, "Statement 1/2025 on Age Assurance", Extracted 2026-06-15. Verified: age assurance categories, GDPR-based principles, fundamental-rights risks, data minimisation and warning against extra identification, location, profiling or tracking

Written by Hannah Wright, Senior Editor, Sona News

British journalist and Senior Editor at Sona News, covering politics, macro-economics and institutions from London.
