UK plans age checks for new social media accounts

The UK government plans to ban users under 16 from major social media platforms in spring 2027, with rules due before Christmas and age checks set to shape new account signups.

Prime Minister Keir Starmer announced the plan June 15 after a national consultation drew more than 116,000 responses from parents, children and experts. The government said nine in 10 parents backed an under-16 ban, and two-thirds of young people supported limits on access to some platforms.

The rules target user-to-user services with social interaction and algorithmic feeds. The government named Instagram, YouTube, TikTok, Snapchat, Facebook and X. It excluded messaging apps such as WhatsApp and Signal, along with YouTube Kids.

The policy matters for adults because platforms must decide who has reached 16. Existing accounts may qualify through signals such as account age, credit card use or prior age verification under the Online Safety Act. New accounts lack those signals, so platforms may turn to ID uploads, facial age estimation or similar checks.

That change could end easy pseudonymous account creation in the U.K. for new users. A person who wants a fresh handle, a separate work account or a first account on a service may need to prove age before posting.

The U.K. modeled part of the plan on Australia’s youth social media ban, which began in December 2025. Ministers said they plan to go further by limiting high-risk features across more services. Gaming platforms such as Roblox could keep access open while platforms restrict chat, livestreaming or contact from strangers for younger users.

The government also plans an 18+ floor for AI romantic companion chatbots that simulate sexual or roleplay relationships. Officials said they will consult on overnight curfews and breaks in infinite scrolling for users under 18, with more detail expected in July.

Security researchers see a familiar weakness: VPN use can bypass location-based checks. The Online Safety Act regulates platforms, not users, so a user who connects through a server outside the U.K. may avoid a U.K. age gate. VPN providers reported large signup spikes when adult-site checks began in 2025.

The government has said it has no current plan to ban VPNs. Ministers have explored restrictions on children’s VPN access, but that approach creates a hard verification problem. A VPN provider would need to know whether a user is a child, and that would push age checks onto VPN services too.

Privacy advocates warn that the cure adds its own risk. Platforms and age-verification vendors could collect passports, driving licences or biometric estimates from millions of users. Attackers target those stores because identity data has long resale value.

Dr. Richard Gomer, a lecturer in computer science at the University of Southampton, warned that universal age checks expose adults as well as children. The Open Rights Group has made a similar argument, saying the policy pushes people to hand sensitive documents to age-check firms with uneven oversight.

Dr. Siamak Shahandashti, a senior lecturer in cyber security and privacy at the University of York, pointed to research from Politecnico di Milano on age-verification systems used by adult sites. Researchers found that many methods offered low-to-medium resistance against determined minors, while credit card checks performed better.

Platforms have also pushed back. Meta has argued that app stores or devices should handle age checks, so users do not submit documents to each platform. YouTube has warned that bans can push teenagers toward services with weaker safeguards.

For security teams, the next question concerns data handling. Companies that process U.K. users will need to map which age signals they collect, which vendors they use, how long they retain evidence and how they handle breach notification. A narrow age token that says a user has passed a threshold creates less risk than storing images of IDs.

Parents should expect uneven enforcement. A motivated 15-year-old can use a VPN, borrow an adult’s account or move to smaller services that lack mature safety teams. The ban may reduce casual access, but it will also reward platforms that design safer defaults without collecting more identity data than they need.

The U.K. government now faces two tests before spring 2027. It must give platforms clear technical standards, and it must limit the data companies collect to enforce those standards. Without both, the country will trade one online safety problem for a larger identity-risk problem.