The UK government will ban under-16s from social media, with regulations due before Christmas and the rules taking effect in spring 2027.
To enforce it, platforms must age-check their users. In practice that means anyone opening a new account will likely have to prove they're over 16 by uploading an ID or passing a facial age scan.
Long-standing accounts are largely exempt, but signing up fresh now triggers verification, effectively ending anonymous account creation in the UK.
Security and privacy experts warn the checks are easy to circumvent, put everyone's ID and biometric data at risk of breaches, and were rushed in with little political scrutiny.
The announcement
Prime Minister Keir Starmer set out the plan on June 15, following a national consultation that drew more than 116,000 responses from parents, children and experts.
The government says nine in ten parents backed an under-16 ban, and two-thirds of young people agreed that under-16s should be kept off at least some platforms.
"That's why we're going further than any country in the world by banning social media for under-16s and putting wider protections in place to give kids their childhood back," Starmer said.
"This is a line in the sand. Tech giants had their chance and failed."
Technology Secretary Liz Kendall framed it as a fight with the platforms: "Tech companies have had countless opportunities to keep children safe, yet they have failed to act. That is why we are taking power away from the tech giants and putting it back in parents' hands."
What's covered
The ban is modelled on Australia's, which took effect in December 2025 and was the first of its kind.
It will cover user-to-user platforms "whose purpose is to enable social interaction" and that run algorithmic feeds. The government names Instagram, YouTube, TikTok, Snapchat, Facebook and X. Messaging services such as WhatsApp and Signal are explicitly excluded, as is YouTube Kids.
There will be a narrowly defined exemption list for educational services, e-commerce and music streaming.
The UK says it will go further than Australia.
High-risk features, such as livestreaming and strangers being able to contact children, will be restricted across a wider range of services, including gaming sites like Roblox (the platform stays, but features such as chat get locked down).
To avoid a "cliff-edge at 16," those stranger-contact and livestreaming restrictions will be on by default for 16- and 17-year-olds too.
Separately, AI "romantic companion" chatbots that simulate sexual or roleplay relationships will have to enforce an 18+ minimum, with intimate functions restricted for under-18s on AI chatbots more broadly.
The government is also consulting on overnight curfews and breaks in infinite scrolling for under-18s, with detail promised in July.
The catch for adults: it's the new accounts
The government's reassurance is that most adults won't face a fresh check.
According to a fact sheet, an account is treated as low-risk if it has been open for more than 16 years, has a credit card attached, or is linked to an email already age-verified elsewhere. Anyone who's already verified under the existing Online Safety Act wouldn't need to do it again.
But that carve-out is essentially a grandfather clause, and it does nothing for new accounts.
If you create a social media account from scratch after the rules land—say you want a fresh, pseudonymous handle, or you're simply a new user—none of those passive signals apply, and the fallback is exactly what the fact sheet describes: a facial recognition check, or an ID upload. In practice the regime quietly converts what's billed as child protection into a rule that no adult can open a new account without proving their age.
It's a lighter touch than the adult-content regime, for now.
Since July 25, 2025, the Online Safety Act has required adult and other sensitive sites to run "highly effective" age checks (typically an ID upload or a facial-age selfie) for every user, with no grandfathering.
Enforcement has also been aggressive. By February 2026, Ofcom had opened investigations into more than 90 platforms and issued six fines, and its remit had stretched to Reddit, X, Discord, Bluesky and AI services.
The social media age-gate doesn't go that far yet, but it normalises the same plumbing. In the current announcement, Ofcom has been asked to run a rapid study on how to verify whether someone is over 16.
The VPN loophole
The well-documented weakness is that a VPN defeats all of it. The Online Safety Act targets sites, not users, so connecting through a server outside the UK sidesteps the check.
Some VPN providers reported signup spikes of up to 1,800% when adult-site enforcement began.
Any social media age-gate inherits the same gap, and Australia's experience bears it out. Research there found more than 60% of children were still using social media months after that country's ban.
The UK government has limited room to close the loophole. A blanket VPN ban for the whole population has been ruled out.
In October 2025 a tech minister, Baroness Lloyd, told the Lords there were "no current plans to ban the use of VPNs," citing their legitimate uses.
A children-specific clampdown is a different story. In February 2026 the government said its wellbeing consultation would examine "options to age restrict or limit children's VPN use," and in January 2026 the House of Lords inflicted a government defeat, voting 207 to 159 for an amendment to the then Children's Wellbeing and Schools Bill that would require ministers to prohibit VPN providers from serving UK children.
To sort children from adults, that measure would in practice force providers to age-check every user. The amendment drew public petitions against it.
The Commons rejected it across several rounds of parliamentary 'ping-pong,' and the Act that received Royal Assent (became law) in April instead handed ministers a broad power to restrict children's online access by regulation.
For now, nothing stops a determined adult, or a determined 15-year-old, from getting around it.
What security and privacy researchers are saying
The cybersecurity objection isn't to the goal, but that the enforcement mechanism creates new risks while the controls themselves don't hold up.
Dr. Siamak Shahandashti, a senior lecturer in cyber security and privacy at the University of York, pointed to fresh empirical work from Politecnico di Milano testing age-verification methods deployed on adult sites.
The researchers found low-to-medium robustness for nearly every method except credit-card checks. Most could be bypassed with tools and know-how within reach of "motivated minors."
Their blunt conclusion, which Shahandashti quoted: mandated age verification currently functions as "compliance theatre." He added that checks linked to real, physical ID could be made robust enough if clear standards were set.
Dr. Richard Gomer, a lecturer in computer science at the University of Southampton, zeroed in on the second-order risk. Enforcing an under-16 ban means age-gating everyone, and that process is itself dangerous.
Handing a passport or driving licence to platforms, he warned, exposes people to identity theft or blackmail when those records inevitably leak, something already seen under the Online Safety Act rollout.
He also flagged the quieter cost of the regulation pushing the web further from its original ideals of anonymous, open communication.
That data-breach risk is not hypothetical either.
Responding to the ban, the Open Rights Group (ORG) warned that over-16s will now have to surrender identity documents or biometric data to unregulated age-verification companies, pointing to Discord as a platform that already suffered a major data leak after introducing age checks.
James Baker, who runs ORG's Platform Power and Freedom of Expression programme, argues the measures chase symptoms rather than the cause, namely the engagement-driven business models that reward harmful content, and has previously warned that the underlying powers were "rushed through without proper time for political scrutiny."
Platforms aren't on side either.
Meta and YouTube both argue that bans push teenagers toward less-regulated spaces rather than making them safer, with Meta making the case that age checks should sit on the device so users aren't handing ID to every service separately.
The wider direction of travel
It's worth noting where this sits. Since January 2025 the government has been building a GOV.UK Wallet and a digital driving licence, pitched partly as a way to prove your age online and in person using the facial-recognition features built into modern phones.
That's separate from this announcement and predates it. But together they sketch a direction of travel, where proving your age is increasingly a precondition for being online in the UK.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
English (US) ·