“This was the plan all along.” Social Media Minimum Age Restrictions #SocialMediaBan
Blog / July 12, 2026
On July 11, 2026, shortly after midnight in the UK early hours of Saturday morning, Jonathan Haidt, the world leading champion of minimum age restrictions to social media, said all the quiet parts out loud in a single tweet. As digital rights civil society has warned, the outcomes behind the Australian “Social Media Ban” are emerging, as parliamentarians worldwide rush to introduce laws to age gate the Internet.
“Authoritarian countries like China can mandate identity verification via government-issued ID. But democracies like Australia must start more softly.”
“Now that the regulator has data on compliance, they are telling the last non-compliant companies that they must do better, and they are increasing the fines. This was the plan all along.”
“As age-verification technology improves rapidly (now that Australia has created a market)”
“But if that first step is hard, then you should quit.”
“Actually, I think Lao Tzu only said the first part. The second sentence was added by all those who claim the Australian law has failed because the first step did not bring them to the final destination.”
If this was the plan all along, it should mean that the Australian parliamentarians would have debated all this and drafted these things into their law, with a gradation of (a) monetary penalties, and (b) making it clear that over time, age assurance would mean age verification, with an expectation that it will become less democratic and more authoritarian, because it will, “mandate identity verification via government-issued ID“.
But readers of Australian Hansard’s parliamentary record will find there is no tiered or phased increase written into the SMMA Bill where fines start lower and rise over subsequent years for the same conduct. The Bill raised the existing maximum civil penalty for breaches of Online Safety Act industry codes and standards, up to the same $49.5m ceiling, “consistent with serious offences set out in the Privacy Act 1988 and the Competition and Consumer Act 2010” (See Minister’s second reading speech). This is a different provision from the minimum-age obligation itself and was already in the Online Safety Act at a lower level. The SMMA Bill created a one-off legislative increase when it passed (1.41). It was not debated or proposed to be a soft start to a scheduled multi-year ramp up requiring ever stronger law. New law has been passed to ratchet up the fines only 6 months after the first commenced.
“government-issued ID”
When it comes to a mandatory or routine use of a government-issued ID for the purposes of age checks, s.63DB of the Online Safety Act was introduced late during Australian parliamentary debate prohibiting government ID as the sole means of compliance, while leaving it available as one option among several. The Australian Greens’ dissenting report separately, had flagged that the bill did not prescribe how platforms would monitor or enforce compliance, and that community members held “concerns about the sharing of important data with historically untrustworthy platforms.”
The big gap that leaves, is in pretending age-gating, or using any ID at all, is a free choice and therefore consent is freely given whether it is a government-issued or otherwise. It was already clear to many that government-issued Digital ID would be the only possible destination even if the path to social media bans started as a less authoritarian model compared with what might be expected of a less democratic state, as we now see in Haidt’s description.
Politicians who claim ID is not needed for age checks, fail to grasp (across the range of age verification methods) that digital ID is required not at the point-in-time of the platform demanding the age check, but earlier, when the age-check provider required evidentiary proof of age in order to issue you a credential you can use with the platform. Businesses pay a fee to receive the verified age or verified name of users from the age-check provider.
Much policy debate so far, about the age checks has been about whether a face scan is legally biometric data, whether the template is stored, whether the cryptography is privacy-preserving, and whether consent is valid. Those debates matter here too, and regulators have begun to answer it — the Spanish AEPD fined Yoti €950,000 in March 2026 (EXP202317887), holding that comparing a live scan against a stored template is unique identification whether the match is 1:1 or 1:N, and treating the involvement of minors as an aggravating factor. The Bavarian authority reached further related conclusions on Worldcoin’s iris scanning. Biometrics once given away or lost, cannot be reset and decisions made about this generation of children’s biometrics will mean everyone’s identity in a few years, for all of society.
When an age-verifying face scan is the easiest route of least friction, or the only method on offer to access something routine, it is not consent. It is coercive compliance, packaged as something ‘softer’ to make it more palatable.
If that universal biometric digital ID is the hoped-for “final destination“, it is already based on flawed democratic consent right now, and the scope creep is already underway of the techniques that will be mandatory and where and what it will be used for. The plan is to nudge everyone towards an age-gated future as a final destination, that is far wider reach than social media.
“the final destination”
Haidt’s imagined, “final destination” on social media might well be what we and others have warned of as the intent that was never said out loud. Indeed, as he describes, it is the move of “authoritarian countries.” Age verification that requires identity verification via government-issued ID is the only logical natural conclusion of a model that will not tolerate a method of age assurance that social media users of any age can more easily work around than a state-acceptable evidentiary proof. Age verification providers need some sort of state-accepted ID from which they, the AV provider, obtained the proof-of-age that they go on to offer as a yes/no credential or “zero-knowledge proof” to a platform or other requesting body. Despite not sharing hard details of the ID itself onwards with the platform, age-checks still require ID to be shown earlier in the process, because at some point, it is shared with the AV provider.
It is increasingly clear that will become government-issued or state approved, digital ID. The UK 2026 consultation on national digital ID already proposed this (s.4.1).
We note that in the EU, Article 28(3) of the DSA expressly does not oblige platforms to process additional personal data to determine whether a user is a minor, and confers no legal basis to do so. This principle should be respected in the same way that the spirit of GDPR recital 57 intended, that a data controller should not be obliged to acquire additional information for the sole purpose of complying with any provision of the (GDPR) Regulation. Complying with a regulation for data protection reasons, or with claims of being about child “safety” should never mean giving up highly-valuable, high-risk, bodily data.
But while the nuances of law are intended to be protective, they focus on the technical ability to identify and how humans view that. Debate so far on the outcomes of age verification, and any recommendations have addressed the issue of facial data only by today’s definition of biometrics. And it is only limited to considering today’s technology. This will soon be obsolete, in little time, if we pursue current paths your face will be your global pass-key, named or not. Once lost or given away intentionally, your face cannot be exchanged, reset or withdrawn. It is forever compromised and no longer yours 100% to control, even on-device. More immediately, the issue of identification by the third-party controllers or processors is not the greatest risk here.
GCHQ and Home Office provided government the groundwork in 2019 for expanding future testing to assist in making age assurance a reality. But they seem to have completely missed the fact that their vision in the VoCO Manifesto 2030 creates a world in which children have been programmed to perform on camera, on demand, in much the same way as predators demand of them. It creates more risk.
Their VoCO technical models miss the behavioural ones. Their 2030 vision of newly normalised behaviour has missed the most important one, that their age-gating the Internet brings about.
To a child in front of a camera told to comply with demands to perform age verifier’s liveness checks, the distinctions between estimation and verification, between a template and an image, definitions of biometric data or not, on-device or sent to a chain of third parties, are invisible. What they experience is being told to perform actions on camera. And show and share their body, their face. Sometimes their smile, their voice. That experience is the harm, and it occurs whether or not any provider has convincing arguments about when such data are, or are not, narrowly defined as biometric under Article 9. Children and adults required to age gate and once normalised for social media, will not easily discern whether it is a company’s obligation or just a less trusted website’s scammers way to obtain facial data and share validated ID. Not only is the model not delivering online safety, but is in our view, likely to create substantive additional risk and harm.
(images source: VoCo Report 2.0, 2020)
“Australia has created a market”
This understanding has been missing in debate. There has also been an absence in global debate over the intention as Haidt described, “to create a market” rather than the policy and legislative stated aim of delivering “online safety” which the Australian ban has not delivered on. The VoCo vision is not narrowly about social media, but already included gaming in 2019, and industry talks about age gating being used on every high street and in vending machines and investor confidence.
Haidt however, misses out that while the market for social media has indeed been rolled out and tested in Australia, making-the-market has been in the UK pipeline above, for over a decade.
And there are tipping points, the world is on the way towards, after which it is perceived the majority of society has accepted a new practice, after which the minority need no longer be catered for, or accounted for. Making age-gating mandatory for social media means children* (*and adults* to tell them apart from a child) need ID, clearly speeding up the normalisation of adoption by all of society.
The Digital identity sectoral analysis report 2026 from the UK DSIT Office for Digital Identities and Attributes, (2026), points to some of the shared market growth. “In October 2025, GBG, a UK-headquartered global identity firm, acquired DataTools Pty Ltd, a leading provider of address validation and data quality solutions in Australia and New Zealand, for AUD $16 million (£7.9 million), extending its identity data capabilities in the region.” If the name rings a bell with readers, it might be a reminder of when gambling clients of GBG had been accessing information from the DfE Learner Records Service of 28 million users personal details, knowledge enabled unlawfully via Trustopia, caught in 2020. GBG wrote then on its website, “Without credit reference data to draw on, businesses are having a hard time verifying millennials’ identities and turning away potentially good customers” (Ed. –> new gamblers). Lest we forget, they wrote, “Millennials are taking longer to reach the ‘traditional’ markers of adulthood, such as buying their first house or car. Some are opting out altogether. As a result, conventional identity verification methods are falling short.”
The growth of these new age verification methods and market in this youth sector through social media bans among other AV growth, might therefore appear to be a bit of a godsend to such age verifying companies, who then seemed to rather delight in reusing school children’s records as an ID database to be able to increase their “uplift’ in getting new younger gamblers signed up. Many might consider this, the opposite of enhancing children’s online safety.
Indeed, exactly this ‘making a market’, commercialisation-not-child-safety, as a driver of these technologies, is among one of the things we pointed out in a letter, prior to Haidt’s remarks, to the EU Special Panel on Child Online Safety. The panel will hand over its report to President von der Leyen on July 13th and the Commission will then consider the recommendations and determine next steps for the EU. While outside the UK, policymakers are no doubt paying attention.
A soft start, moving from assurance to verification, using government-issued Digital ID, authoritarian values in democratic packaging, to enable step by step the final destination. We agree with Haidt here, “This was the plan all along.”
(The bold above, ours.)

