Within the past two years, more than 40 countries have considered, passed, and begun to implement laws that ban or restrict children from social media as a response to a range of online harms to children.
Child safety online is a cross-platform, cross-jurisdictional challenge. Child safety harms – such as child sexual abuse, sextortion, harassment, and mental health concerns – evolve and manifest both offline and online. Platforms have a responsibility to respond and protect children’s safety and rights online. Yet, trust and safety responses have varied widely in their robustness and effectiveness, and globally, there is widespread frustration at the perceived inadequacy of industry responses to keep children safe online. At the same time, there is a range of possible risks and harms that policymakers could address, some of which are not clearly defined and do not have agreed-upon causal factors, making it challenging to develop effective, evidence-based responses.
Within this context, a dominant policy response has been to restrict children’s access to social media. This is a sea change in Internet policy that creates profound implications for rights online. These policies move the Internet further away from a vision that at least attempted to enable universal access and privacy, and towards a future that seeks to restrict access and anonymity. Given this, where these frameworks are already in place, the implementation will be critical to make them as rights-respecting as possible.
The Global Network Initiative (GNI) – a multistakeholder membership organization focused on the intersections of tech, privacy, and freedom of expression – recently convened a discussion to better understand trends in this policy landscape. Additionally, we covered the range of age assurance techniques that these policies will depend on, dove deeper into the Brazilian and Indonesian contexts, discussed the implications for privacy and freedom of expression, and explored possible responses. This piece highlights key learnings and areas of discussion from the conversation, but it does not intend to be a comprehensive review of the issues.
This recent convening built on conversations that GNI held at our Rights and Risks Forum, in partnership with the Digital Trust and Safety Partnership. It also built on work by GNI’s civil society and academic members around the world on rights-respecting approaches to child safety more broadly and age assurance specifically.
There is no one way to evaluate a user’s age. Instead, platforms use a range of technical methods, collectively referred to as age assurance. Age assurance as a remedy remains contested because different methods require balancing competing objectives, including privacy, accuracy, accessibility, and robustness to circumvention. As a result, each approach presents distinct challenges for protecting users’ rights.
There’s been considerable work across the tech policy and digital rights fields to explain and analyze the rights implications of the relevant regulatory frameworks and age assurance techniques. Some of the key concerns related to GNI’s focus areas of privacy, freedom of expression, and access to information include: the reduction of anonymity, which can be crucial for activists, advocates, and members of marginalized groups; security vulnerabilities that can lead to privacy concerns, such as the risk of data breaches from additional collection of personal information; and the possibility of reduced access to critical community and information, including news, for young people. Additionally, even where regulatory frameworks are relatively more privacy-preserving and do not require age verification explicitly, companies may feel incentivized to overcomply; so, even relatively privacy-preserving age assurance requirements may impact user privacy. Finally, once platforms have the technical set-up to restrict a set of users from their services, it is possible they could be required to restrict access for other groups of people as well.
Given the wave of policies, it is increasingly hard to keep track of the landscape. Tech Policy Press is tracking these regulatory efforts globally. For example, their tracker notes when a regulatory regime specifies an age threshold and what the cutoff is, if it specifies a method for evaluating age, and who should be responsible for evaluation. Maia Levy Daniel also has a child safety and social media policy tracker that collates relevant resources.
Drawing on her work at Tech Policy Press, Ramsha Jahangir proposed four regulatory models: access bans, conditional access bans, design regulations, and liability-focused enforcement. For example, Australia implemented an “access ban” on social media for children under 16; Brazil passed a law requiring “conditional access”, including that social media accounts for children under 16 must have parental consent, along with associated age verification; the European Union has proposed design regulations, which include mandated age verification; and Indonesia’s framework, discussed in more detail below, blends elements of several of these models.
This rapidly evolving landscape reflects a lack of global consensus on how to govern children’s access to social media, while also revealing a clear trend toward more interventionist approaches that increasingly rely on age assurance. Key actors can use this tracker to compare regulatory frameworks across jurisdictions. In jurisdictions with similar frameworks, experts can seek to connect with local stakeholders who understand the rights impacts and needs for implementation.
It can also be difficult to understand the available techniques to evaluate age and the relevant tradeoffs. The Knight-Georgetown Institute (KGI) conducted a technical examination of how age assurance systems are working in practice, including accuracy, circumvention resistance, availability, and privacy implications.
KGI classifies age assurance systems across three categories:
Each method of age assurance can take advantage of a variety of different age signals. For example, an age inference method may make use of bank records associated with a user or an email address, which can then be used to search commercial or government records in ways that establish a user’s age. These signals vary in how accurate they are at establishing user age and what risks are associated with them. Moreover, not all users will have access to all age signals. For example, if a system requires a government ID, that will exclude all users that do not have an ID from accessing a service to which they are legally entitled. As a result, KGI emphasizes that “no single age ‘signal’ is sufficient on its own.”
Responding to this challenge, many companies are using a variety of assurance types, often layering them based on perceived risks. For instance, a platform may initially ask a user for their declared age, but if user behavior indicates the user may be younger than the declared age, the platform will then move on to conduct age inference or verification. Or, a platform may start with age inference, and then require verification to use certain features. It’s important to understand that age assurance is most typically implemented by a vendor, which critically means the user is sharing data with an additional service provider, though this relationship can be opaque to users.
Each approach to age assurance creates privacy implications, though the devil is in the details of the type, the system architecture (server-based or on-device), and how it is implemented. There is not a technical fix to the many complex privacy trade-offs in this space. But, there are recent techniques that are more privacy-preserving, such as zero-knowledge proof cryptography (for example, as open-sourced by Google) or verification done on-device. Unfortunately, KGI found that even as these more privacy-protective approaches develop and become more widely available, they are not being deployed as commonly because they require more system changes to implement. Policies that require high-levels of privacy protections, including those with technical rather than governance guarantees may drive innovations and adoption of more privacy-preserving implementations.
In Indonesia, the government is “delaying”, essentially restricting, the access of children to social media through a ministerial regulation in a process tiered by age. As of March 2026, platforms are required to determine if accounts are owned by children under 16, and accounts of users determined to be under that age on platforms deemed “high risk” by the Indonesian government must be deactivated. Meanwhile, children under 13 can only use platforms built specifically for their age group, while children ages 13-16 can only be on services classified as “low risk” and with parental consent.
These regulations seek to address genuine harms in Indonesia that have not been sufficiently addressed. For example, Anton Muhajir, Program Director at local civil society organization SAFEnet, highlighted that children have increasingly become victims of online grooming and abuse. In response, the framework attempts to encourage platforms to be more proactive in filtering certain content, provide more notification to users, and encourage parents to be more actively engaged in their children’s online use. They also attempt to provide more protection for children against online profiling.
However, SAFEnet is concerned that the law creates real risks to rights. They highlighted that it likely will limit legitimate access by children for learning and access to information, which has been echoed by UNICEF, including further exacerbating already limited Internet access. They also highlighted that more accurate forms of age assurance require additional collection of children’s sensitive data, which could then be breached in ways that create a different set of harms.
In March 2026, the Brazilian Digital Statute for Children and Adolescents (ECA Digital) entered into force. It establishes tiered obligations for providers and age assurance will be a central pillar, as user declaration of age is explicitly determined to be insufficient by the framework.
The obligations apply broadly to any platform that is “likely” to be accessed by children, and then apply at different levels for services depending on determined risk levels. For example, for general services that are likely to be accessed by children, the services must adopt mechanisms that are capable of offering age-appropriate experiences while respecting children’s evolving autonomy. Additionally, app stores and operating systems are required to implement proportionate and auditable age assurance measures and must provide those age signals to app providers.
The law directs the National Data Protection Agency (ANPD) to be responsible for “technical aspects of the law, overseeing its enforcement, and ensuring that the solutions implemented comply with the principles of the General Data Protection Law (LGPD).” While the law does not prescribe a specific age assurance method (it only prohibits self-declaration), the ANPD is responsible for ensuring that any methods adopted by regulated platforms are privacy-preserving. In addition to allowing private age assurance solutions, the law authorizes the federal government to develop a public technological solution for age assurance, which must be offered for free.
While the framework clearly establishes privacy principles and safeguards for age verification, it remains to be seen how this will be implemented in practice, as privacy experts have been sounding the alarm about concerns with age verification. To start, ANPD published a report on age assurance mechanisms and currently has a consultation seeking input into how to implement the law.
Indonesia and Brazil are taking two different paths to the same goal. Indonesia’s deactivation mandate is the blunter tool. It requires platforms to remove or restrict access once a user is identified as underage. In practice, the framework works similarly to Australia’s access ban, even though the legal frame is different.
If a public age assurance solution is successfully implemented, Brazil’s framework could evolve toward a model closer to the European Union, where the European Commission has urged EU countries to accelerate the rollout of a centralized age verification app. In both jurisdictions, the intention is to let users prove their age without sharing unnecessary personal data. It’s still an open question whether centralized verification will hold up better than direct platform enforcement on privacy and rights grounds. The EU’s rollout has already drawn criticism over security weaknesses and an unsettled legal basis. It is also important to point out that, in Brazil, the law does not require platforms to rely on public infrastructure.
Where regulatory frameworks have not passed, privacy advocates need to decide if they will focus on how to design privacy-preserving age assurance methods, fight restrictions altogether, or some combination of strategies. Regardless, during GNI’s convening, participants emphasized that if age assurance is used, it should be part of a more comprehensive approach to child safety and support.
Where frameworks have passed, the consensus during GNI’s convening was that there needs to be more of a whole-of-ecosystem approach to move towards the most rights-respecting implementation of age assurance possible, including examining the range of technical and privacy-preserving options that are available under specific laws. In particular, policymakers need to recognize that no age assurance system will be perfect, and their goal should not be to seek an entirely circumvention resistant system, given the privacy downsides that introduces.
Informing this implementation will require further detailed technical work and multistakeholder engagement. The Knight-Georgetown Institute, the Center for Democracy and Technology, and the Digital Trust and Safety Partnership have begun to do this, among many others. For example, KGI highlighted the importance of evaluating age assurance systems across a number of factors, many of which are relevant for rights implications. These include: how accurately the age assurance performs, including on false positives and their distribution; the extent to which the system requires users to disclose information they wouldn’t otherwise share and how those signals are shared to service providers; the proportion of an eligible population that can successfully demonstrate their age to the system, to understand accessibility; and how the system handles adversarial attempts to misrepresent age. Additionally, CDT has developed guardrails that platforms can use when considering age assurance implementation to mitigate risks to privacy. These include avoiding service-side data collection, limited deployment of more privacy invasive systems like age verification, and use of high-quality data signals to ensure accuracy.
Participants in the convening also noted the importance of multistakeholder actors developing meaningful redress when age assurance systems don’t work. As age assurance systems are being deployed across platforms and jurisdictions, it’s not yet clear which actors can help keep them accountable.
Given how fast the challenges, technologies, and regulatory frameworks are evolving, the field now needs more ongoing multistakeholder dialogue that centers impacts to rights and puts this existing (and future) work into conversation.
One company practitioner noted that implementing rights-respecting age assurance practices internally has been the most complex issue she’s worked on in the long course of her tech policy career, so engagement by stakeholders who understand the rights implications and are technically informed would be very useful.
There needs to be more dialogue across tech policy experts, companies, parents, and child safety groups campaigning for bans. And, in particular, tech policy experts should be learning from each other across jurisdictions where these policies have been implemented, passed, or are under consideration.
GNI looks forward to continuing to convene its members to discuss these themes.