What used to be a compliance problem for online gambling, alcohol, adult content or financial services is now spreading into app stores, social media platforms, online marketplaces and, eventually, AI-driven commerce. Today age verification has become big business with a growing list of challenges.
The policy goals haven’t changed: keep children away from services, content or “addictive” features lawmakers say are harmful. But it’s not the goals that are expected to change over the next several years, it’s the stakes.
For sites that require age verification, there are new compliance issues that include 26 unique state-level age verification rules to consider. Social platforms are facing a barrage of access-related lawsuits forcing them to shore up age gates. And AI companies are suddenly having to defend chatbots accused of pushing kids to self-harm — including OpenAI, which faces a wrongful-death suit after 16-year-old Adam Raine died by suicide in April 2025; his family’s complaint alleges ChatGPT engaged with his self-harm disclosures rather than intervening.
For age verification vendors the challenges are equally as complex. Beyond proving someone is old enough without sparking a privacy and free speech debate, there are the technical and compliance considerations.
Vendors now need jurisdiction-specific policy engines, multiple verification methods for each state, in-app-store or device age verification, auditable parental consent, and a capacity to apply rapid rule changes without rebuilding the platform.
[Related: U.S. Digital ID Readiness Report]
That makes the next generation of solutions less a bouncer at the door checking IDs and more an age-policy and identity orchestration system at scale.
When a user hits an age verification gate, what rung on the identity ladder do they land on? It depends on which state they’re in, which law applies, and how much risk the platform is willing to carry. There is no longer a single gate, rather a policy engine deciding, transaction by transaction, how hard to check.
That’s the shift Peter Horadan has built a company around. Horadan is CEO of Vouched, which sells identity verification to healthcare, financial-services and, increasingly, age-restricted platforms.
His starting premise is that every one of these systems is solving the same underlying problem, however different the compliance paperwork looks. “Any workflow or any process really starts with identity — knowing who you’re dealing with,” he said in an interview with Security Point Break.
Learning not leading
US challenges aren’t new. We can learn a lot from Australia, the United Kingdom, and the European Union.
In Australia, the Social Media Minimum Age law has barred anyone under the age of 16 from major social platforms since December 2025, backed by civil penalties of up to $49 million. The U.K.’s Online Safety Actv instead requires “highly effective” age assurance, backed by fines up to $24 million or 10% of global turnover, whichever is greater. And the EU is steering platforms toward a common, government-built proof-of-age app under the Digital Services Act’s child-safety guidelines — the app itself, the European Digital Identity, or EUDI, Wallet, is a separate Commission initiative the DSA doesn’t itself mandate, but regulators are treating it as the preferred compliance path — it aims to launch across member states by the end of 2026.
The lessons are instructive.
A bright line is easier to build for than a moving target. Australia’s flat under-16 ban gives vendors one clear spec to engineer against, not a judgment call. A shared credential beats forcing every platform to build its own. One government-issued proof of age, reusable everywhere, cuts the vendor fragmentation that’s made the U.S. market so hard to serve. And regulators increasingly favor an age-check escalation approach versus a one-size-fits-all single gate.
Australia’s guidance explicitly pushes platforms toward a “waterfall” approach, starting with a light check and only escalating to something stronger when the first signal is unreliable, rather than demanding maximum friction for every user.
The challenges we can glean from outside the US are even more instructive. They already foreshadow what’s coming to the U.S.
That one bright line age verification rule to follow is only as good as its enforcement. UK regulator’s “highly effective” standard has come under fire for being too vague. That has led to sites building age gates they believed complied with the law, only to find out what they built isn’t good enough. And within the EU, it’s learning its EUDI Wallet for credentials concentrates risk as much as it reduces it. The EU’s single government-built app means one compliant build instead of 27, but as its own flawed April rollout showed, it also means one point of failure instead of many.
Australia’s challenge cuts the other way. A peer-reviewed BMJ study found “insufficient evidence” its age-restriction ban had any early effect on under-16 usage. Polling by the Molly Rose Foundation found 61% of Australian 12-15-year-olds who had accounts before the ban still have access to one now.
eSafety’s own March compliance review found part (PDF) of the reason why is because platforms were letting users who’d already declared themselves under 16 simply retry a low-confidence facial-age check again and again.
US market is fragmented
The U.S. market is different. It is fragmented among 26 state laws covering adult content, social networks, addictive feeds, parental consent and app stores.
Today, most of those 26 laws are in a state of limbo, thanks to a wave of First Amendment litigation from NetChoice and CCIAv — the trade groups representing Meta, Google, Snap and Amazon — that has enjoined laws in Virginia, Georgia and Arkansas, and left the rest waiting on appeal.
None of that fragmentation gets resolved by looking to the Supreme Court, either — its only definitive ruling so far covers the narrowest slice of the question. Its 2025 decision in Free Speech Coalition v. Paxton upheld age gates for sexual content specifically, but said nothing about whether the same logic extends to social media, app stores, or anything else states are trying to regulate.
Utah is testing the same logic from the other direction — not what gets verified, but whether states can reach past a workaround to enforce it. As of May 6, the state treats anyone physically in Utah as a Utah user even behind a VPN. Pornhub’s parent, Aylo, sued; Utah paused enforcement until September 3 while that plays out.
The EFF, Rindala Alajaji, associate director of state affairs, called it “a technical whack-a-mole that likely no company can win.” The outcome will be the first real test of whether Paxton’s logic covers circumvention, not just the check itself.
That fragmentation runs deeper than litigation.
“Seven states are already issuing digital IDs in the United States, and 30 have announced an intention to issue them, and the rest we don’t know,” Horadan said.
He added, each is building its own app with its own access rules. “If you live in Louisiana, you want a Louisiana digital ID. You’re installing the Louisiana app on your phone.”
Fifty states, fifty potential apps, fifty sets of rules about who’s even allowed to ask to see one.
Age Verification, State by State
All 50 states researched and categorized
Meanwhile, civil liberties groups argue the tools themselves are the problem, not just their execution. The ACLU has fought age verification in court since the 1990s, winning Reno v. ACLU and Ashcroft v. ACLU on the same core theory it’s using now; requiring ID or a biometric scan to access protected speech “forces users to relinquish their anonymity.”
ACLU senior policy counsel Jenna Leventoff said, “Censorship and invasive age verification measures will not keep children safe.” The EFF makes a parallel but distinct case — less about the First Amendment, more about the tools creating exactly the kind of centralized data trove that keeps getting breached, arguing that a system built to protect kids from platforms is instead building new infrastructure for platforms, and their vendors, to fail kids and adults alike.
The industry fix
The industry’s answer to privacy critics is to change what the check actually collects.
Zero-knowledge proofs — cryptographically confirming “over 18” without revealing a birthdate, name or document — are the specific technical answer to the ACLU’s anonymity objection and the EFF’s breach objection at once.
Horadan frames zero-knowledge proofs as the rare policy answer that satisfies both sides of the fight at once.
“It’s a solution that meets the needs of both groups,” he said. “It meets the needs of the state because the state now has a way to enforce that underage people aren’t seeing things designed for people of a certain age, and it also, if you’d like to stay private, enables you to do that while proving your age.”
With zero-knowledge proofs, there is nothing to steal, nothing identifying to hand over. It’s a real, deployable idea, not a hypothetical — France’s data regulator, CNIL, has built a working proof of concept.
But building a reliable zero-knowledge app well is turning out to be its own unsolved problem. The CNIL’s concept and the EU’s production rollout are not the same thing. The EU’s own zero-knowledge-proof app, the EUDI Wallet, publicly declared “technically ready” in April, was demonstrated broken within a day by an outside researcher who reset its PIN by editing a plaintext config file.
What’s next
That has left platforms scrambling to deliver their own solutions. Meta says its Teen Accounts now cover hundreds of millions of users across Instagram, Facebook and Messenger, layering in AI models meant to catch adults posing as teens and vice versa.
YouTube has been expanding AI-based age inference since 2025v, built from viewing behavior and account history rather than a one-time check. TikTok describes a similarly layered approach. Roblox offers the clearest measure of what “scrambling” looks like in practice, cost included.
By February 2026, 45% of its 144 million daily Roblox users had completed facial age estimation or ID verification after the company made checks mandatory for chat, a share that climbed to 51% globally and 65% in the U.S. by the end of the first quarter. The rollout wasn’t free: daily active users fell from 152 million to 132 million over the same stretch, triggering an 18% one-day stock drop.
Vendors are vying for a piece of the action — and it’s not just about social.
Liminal’s own research puts the global age-assurance market at $5.7 billion in 2025, growing to $10.4 billion by 2029, a 17.3% compound annual growth rate, with adoption spreading well beyond its original base in adult content, alcohol and gambling into app stores, gaming, dating, streaming, e-commerce and generative AI and enterprise identity.
Next up, bigger money
Agentic commerce — AI systems shopping, negotiating and buying on a person’s behalf — is coming fast enough that McKinsey is already sizing it: up to $1 trillion in U.S. retail revenue orchestrated by agents by 2030, and $3 trillion to $5 trillion globally. It won’t just change how people shop.
It inherits, wholesale, the exact problem Horadan has been warning about. That is ensuring an autonomous AI agent working on your behalf can’t be hijacked or impersonated.
Roger Roberts and his McKinsey coauthors warn that agentic commerce “will test existing frameworks for identity management, fraud prevention, and data privacy.” They said businesses will need new ways to verify an agent is actually authorized to act for the person it claims to represent.
That’s not a new problem. It’s the age-verification problem, one layer up. Instead of proving a human is old enough, the system now has to prove an AI is allowed to be there at all, and on whose authority.
Right now, most of them can’t. “Today, they steal the identity of the user. They say, ‘Log in as you, and then I’ll take it from here.’ That cannot work,” Horadan said.
It isn’t a new fight, either. Horadan sees a direct precedent in an industry that solved a version of this problem twenty years ago.
“It reminds me of the way the banking industry was in the late ’90s and early 2000s,” he said, when screen-scraping services convinced millions of users to hand over their bank passwords so the service could pull their data — until the industry built OAuth specifically to kill that model.
“We need the same thing” for agents, he said. We don’t need shared passwords, but a delegated, revocable identity an agent holds on its own. His timeline for when that stops being optional is “within 1,000 days there will be more agents taking actions on the internet than there will be humans.”
Vouched has already put a stake in the ground on which side of that shakeout it’s betting on. It donated its identity-and-delegation framework — originally called MCP-I, donated to the Decentralized Identity Foundation in March and renamed KYA-OS after joining DIF’s community governance — to open standards rather than keeping it proprietary, wagering that whatever wins the “shakeout” will need to be something nobody owns outright.
Nobody has built the equivalent check for machines yet. “There’s going to be a shakeout,” Horadan said. “We’ve just added a new chapter called how to deal with agents. And the chapter is entirely blank.”