In our recent webinar, we explored the evolving landscape of age assurance for digital businesses operating in the UK and EU. With regulatory expectations intensifying and enforcement action on the rise, organisations can no longer afford to treat age verification as a secondary concern.
We were delighted to welcome an expert panel to unpack the legal landscape, enforcement trends, and practical steps organisations need to take on age assurance. Bryony Long and Laura Harper from Lewis Silkin, Álvaro Blanco from Garrigues, Julie Dawson from Yoti, and Simon Newman from the Online Dating and Discovery Association provided illuminating insights on this topical and fast-moving issue.
Key takeaways
- Effective age gating is a priority: Protecting children online has moved from a policy aspiration to a regulatory priority. There is mounting pressure on industry to deploy effective age checks, alongside a clear escalation in regulatory scrutiny and enforcement. In the UK, in addition to the government proposal to ban under-16s from social media, as of October 2025, Ofcom had investigated 69 platforms across 21 investigations and issued a £1.05 million fine against AVS Group for lacking appropriate age assurance mechanisms. The ICO has also been active, issuing a £14.47 million fine against Reddit for inadequate age assurance and a £247,590 fine against MediaLab.AI, Inc (owner of Imgur), an image sharing platform. In the EU, the European Commission has issued preliminary breach findings against Meta for failing to prevent children under 13 from accessing Facebook and Instagram, opened an investigation into Snapchat, and is examining major pornographic platforms to safeguard minors under the Digital Services Act. At EU national level, the Spanish Data Protection Agency imposed €525,000 in sanctions against an operator of adult sites as early as 2022, and France’s audiovisual regulator, Arcom, has recently issued formal notices to two adult sites threatening blocking and delisting of content.
- Self-declaration is not enough: Regulators in both the UK and EU have made clear that self-declaration alone, where a user simply states they are over a particular age, is not sufficient. The ICO’s enforcement action against Reddit specifically rejected self-declaration as an acceptable method. However, some organisations have been hesitant to adopt more robust measures due to "first mover fear", concerns about cost, user friction, and data protection implications. On the practical side, selfie-based facial age estimation checks are increasingly common and popular with users. Over 80% of consumers prefer these when given a choice. Meanwhile, regulators tend to favour government-issued ID as the most reliable method of age verification, though this approach raises accessibility concerns given the proportion of UK adults that lack photo ID.
- Regulatory divergence: Although regulators are increasingly working together through initiatives such as the Global Online Safety Regulators Network (launched in November 2022), the ICO-Ofcom joint statement on age assurance (March 2026), and the G7 digital regulators’ principles on protecting children online, there remains significant divergence on what constitutes "highly effective" age verification. For example, age inference is not accepted in Australia as capable of being highly effective, and mobile network operator checks are not deemed acceptable in Germany. This creates complexity for platforms operating across multiple jurisdictions, which must navigate different regulatory expectations whilst using the same technologies.
- Interoperability: Age verification solutions that can be used across multiple apps and services offer clear practical value. Users who sign up to one app, whether a dating app, social media platform, or gaming service, should ideally be able to use that verification 'token' to access other services without repeating the process. Recent trends show that 25% of adults in the UK, France, and Italy who repeatedly undertake age checks for adult content find this a pain point. Around 10 million people in the UK set up a reusable digital wallet last year for access to adult content, and with new use cases emerging (such as proof of age for alcohol purchases), this figure is expected to grow significantly. The EU Digital Identity Wallet initiative, due for rollout by the end of 2026, may further support interoperable, privacy-preserving age assurance.
- Beware of circumvention: Organisations must be alert to circumvention methods, particularly VPN usage. The Ofcom-ICO joint statement specifically notes that age assurance must address circumvention risks. There was an initial spike in VPN usage following the introduction of age verification requirements, though this subsequently dropped. Regulators are monitoring closely to determine whether this reflects children attempting to bypass safeguards or adults seeking to disguise their browsing activity. The Australian regulator has taken a proactive approach, placing the onus on platforms to detect and address VPN-based circumvention, an approach that may become standard practice elsewhere.
- Do not wait for perfect solutions: Tools such as identity wallets and other emerging technologies may assist in the future, but regulators expect businesses to act now. The EU Wallet is being tested in several countries including France, Spain, Denmark, Greece, and Italy, with all member states required to make a compliant wallet available by the end of 2026. The forthcoming Digital Fairness Act (proposal expected Q4 2026) will further strengthen obligations around minors’ protection. However, organisations cannot wait for these developments to materialise. The regulatory expectation is clear that robust age assurance measures must be implemented using currently available solutions.
- Proportionality allows flexibility: A risk-based approach means different services may be able to use different methods, provided they are appropriate and effective. Ofcom does not mandate any specific technology, so long as four criteria are met: technical accuracy, robustness, reliability, and fairness. For high-risk or large services with a likelihood of child users, highly effective age assurance (such as photo ID matching to face scans) will be required. Lower-risk services may satisfy requirements through appropriate age inference methods. The principle of proportionality is broadly accepted across regulators, helping to avoid one regulator’s approach being played off against another, and both the ICO and Ofcom agree that data used and retained for age assurance should be kept to a minimum.
Conclusion
The message from regulators is unambiguous: effective age assurance is no longer optional.
Digital businesses operating in the UK and EU must prioritise implementing robust, proportionate measures now – not wait for perfect solutions or future regulatory clarity. A risk-based approach, combined with attention to user experience, data minimisation, and circumvention risks, will be essential.
With enforcement activity increasing and significant fines already being issued, organisations that delay action do so at their peril. Those that move proactively, adopting appropriate technologies, engaging with industry standards, and staying abreast of regulatory developments, will be best positioned to navigate this fast-evolving landscape.




