A soccer fan logs in to cheer a last-second goal. The platform scans existing data, decides the user looks too young, and demands a passport scan or facial images from a third-party app. The user complies. Data flows. Risks mount. This scene no longer qualifies as speculation.
The Australian laboratory
Australia rolled out its under-16 social media ban in December 2025. The Foundation for Individual Rights and Expression warned it would usher in a “papers, please” era. Early results confirm those fears. Government research showed seven in 10 children still accessed the platforms months later. A British Medical Journal study found “little evidence” of immediate drops in reported use by adolescents under 16.
Yet the law demands action. Social media companies face massive fines unless they collect biometric data, government IDs or other identifiers. Platforms may rely on account age in limited cases. Most situations push them toward fresh verification through external services. Australian rules order destruction of personal information once purposes are met. Those purposes stretch to include complaints and challenges. Retention periods remain fuzzy.
Pre-ban trials already signaled trouble. Service providers over-collected data in anticipation of regulatory demands. The result? Heightened breach potential. Then came reality. Weeks before the ban took effect, a third-party app handling age-assurance complaints suffered a hack. It exposed government ID images, names, usernames, emails and some billing details for nearly 70,000 Australians. The Foundation for Individual Rights and Expression highlighted the incident. Governments admit phishing risks have risen. They shift much responsibility to platforms and users.
The Australian Human Rights Commission captured the deeper shift. “We’re moving to a world where the law requires you to be profiled in order to participate.” Even accounts that dodge direct checks get profiled from existing data. Anonymity fades. Speech chills. And the precedent travels.
But Australia now looks measured compared with what followed. The United Kingdom labeled its approach “Australia-plus.” Prime Minister Keir Starmer, before his resignation, vowed stricter enforcement to close loopholes. Officials eye VPN restrictions. Use of those tools jumped after the Online Safety Act. Technology Secretary Liz Kendall and Children’s Minister Josh MacAlister signaled possible age-gating for VPNs. Such moves would align the UK with China, Iran and Russia on digital controls. Not ideal company.
Europe marches in step. France, Spain, the UAE, Indonesia, Malaysia, Greece, Denmark, Norway and the EU pursue similar bans. The EU pushes an interoperable age-verification app tied to its Digital Identity Wallet. Privacy and security worries already swirl around long-term identifiers and over-exposure of personal data. The Electronic Frontier Foundation documented these developments in June 2026, noting penalties that can reach millions and the broad compulsion for users of all ages to surrender face scans or passports.
Across the Atlantic the pattern repeats, only faster. At least 19 states have enacted laws addressing minors’ social media access or addictive feeds. More than 20 target porn sites or broader content. Many remain in legal limbo. Courts have blocked some on First Amendment grounds. Virginia’s recent ruling cited free-speech protections against mandatory gates. Still, the momentum persists.
Texas, Utah and Louisiana passed App Store Accountability Acts in 2025. They require age checks and parental consent at the app-store level. A Future of Privacy Forum comparison chart released this week details their distinctions. Compliance headaches multiply for platforms. Half the states now pull adults into verification systems that often rely on AI. Sensitive data — names, faces, addresses, birthdays — ties directly to online activity. Hackers salivate. The CNBC reported in March that these rules create major targets for both governments and cybercriminals.
Real breaches already litter the record. A 2025 Discord incident. Multiple compromises of verification vendors. Persona left frontend systems exposed. TeaOnHer spilled driver’s licenses in minutes. The Electronic Frontier Foundation tallied several such events by May 2026. Each adds to the case against centralized identity stores.
Critics highlight deeper flaws. Attribute-based verification, which avoids full identity disclosure, offers one less invasive path. Most laws favor ID uploads or biometrics instead. Data retention policies vary wildly. Third-party vendors hold records long after verification ends out of liability fear. Data brokers stand ready to buy and resell the enriched profiles. The NBC News quoted Electronic Frontier Foundation’s Adam Schwartz in April: the mandates undermine anonymous speech protected under the First Amendment.
And the chilling effect shows. Users who surrender IDs think twice before criticizing politicians, sharing medical histories or discussing addiction. Public forums shrink. Expression narrows. Children gain no guaranteed safety. Platforms report easy circumvention via VPNs. Some states now float bans on those tools too. The cycle tightens.
Recent weeks brought no reversal. X discussions on June 29 warned that age verification forms infrastructure for ending anonymous speech. One post called it “the end of privacy.” Another urged Congress to reject forced online checks. The Electronic Frontier Foundation reiterated in early June that these gates threaten expression, participation and privacy for everyone. Regulators in Washington held workshops. Industry pushes privacy-preserving alternatives. Lawmakers press forward.
The pattern is clear. Good intentions collide with technical reality. Collection begets retention. Retention invites breach. Breach erodes trust. And once governments normalize identity checkpoints across the internet, rolling them back grows politically impossible. Platforms adapt by over-collecting. Users adapt by self-censoring. The open web recedes.
Alternatives exist. Strong default privacy settings. Data minimization rules. Targeted enforcement against actual harms rather than blanket profiling. Investment in parental tools that don’t require universal surveillance. These paths demand more nuance than sweeping mandates. They also preserve what made the internet distinct: the ability to speak, explore and associate without handing over papers at every gate.
That choice is narrowing. From Canberra to London to Sacramento, the papers-please model advances. Each new law cites child safety. Each adds another database of immutable personal data. Each raises the odds of the next breach making headlines. The cumulative weight points toward an internet where anonymity becomes a relic. And once lost, it will prove difficult to reclaim.
WebProNews is an iEntry Publication