Banning Social Media for Under-16s: The Data Protection Question Nobody’s Answering
So it’s official. This morning, the Prime Minister stood in Downing Street and announced a full ban on social media for children under 16. TikTok, Instagram, Snapchat, X, YouTube, Reddit — the lot. Legislation before Christmas, enforcement potentially from Spring 2027.
As a parent of two boys — one turning 17 in September, the other 15 in August — I get it. I’ve spent years worrying about what they’re seeing, who they’re talking to, and how much time they’re spending glued to screens. The instinct to protect children online is absolutely right.
But as an information security and data protection professional, I have a rather pointed question: how exactly are they planning to make this work, and what’s it going to cost us in terms of personal data?
Because banning under-16s from social media is one thing. Proving someone is over 16 — without creating an age verification data protection nightmare — is quite another.
The Age Verification Issue
Right now, there’s been no detail on how this ban will actually be enforced. And that’s the bit that should concern all of us.
The consultation received over 116,000 responses, and we’re told the government will publish its analysis this summer. But the announcement has run well ahead of the “how.” The Prime Minister has the powers. What he doesn’t yet have is a workable mechanism.
Currently, the options for proving your age online boil down to a handful of approaches, none of them without significant issues:
Facial age estimation — a camera scans your face and guesses how old you are. It’s probabilistic, it’s not always accurate, and if you’re 15 and look 18 (or vice versa), there’s an obvious problem.
Government ID verification — uploading a passport or driving licence. More accurate, but it means handing over incredibly sensitive personal data to platforms or third-party verification providers.
Device-level verification — Apple has quietly started doing this through its Declared Age Range API, where account history and parental settings provide an age signal to apps without sharing raw identity data. Clever, but it only works if you’ve been in the Apple ecosystem for years.
Behavioural profiling — analysing your online behaviour to estimate your age. Which creates its own privacy headaches around tracking and surveillance.
None of these are straightforward. And every single one of them raises questions about where personal data ends up.
Age Verification Data Protection: When Proving Your Age Means Losing Your Privacy
I’ll be honest — this one hit home for me recently. I looked at the process of getting verified on a well-known professional platform. When I looked into it properly, I discovered that the actual verification wasn’t being done by the platform at all. It was handled by a third-party company called Persona, based in San Francisco. I decided against the verification.
A security researcher who went through the same process found that Persona’s terms of service allow it to collect far more than just a name-and-date-of-birth check. We’re talking facial geometry data, behavioural biometrics (including something called “hesitation detection” — tracking whether you pause during the process), geographic location data, and cross-referencing against multiple external databases. Their list of sub-processors runs to pages.
Persona’s CEO has said the company doesn’t use personal data for AI training and deletes biometric data after processing. But the fact remains: to get a little blue tick on a professional networking site, I would need to route my passport data through a company I’d never heard of, headquartered in a country with a fundamentally different approach to data protection than ours, and with no idea how long they would keep the details for.
Now imagine scaling that kind of process to every child — and every adult — trying to access social media in the UK. What verification provider will TikTok choose? What will Snapchat’s terms say? Where will that data be stored, for how long, and who else gets to see it?
The Open Rights Group has already raised serious concerns about age verification providers repurposing the data they collect for advertising and profiling. Discord’s trial of Persona ended after reports of questionable data-sharing practices. Security researchers found that one provider’s systems were running hundreds of individual checks on users’ face scans — far beyond simple age estimation — including screening against categories of adverse media and intelligence programme codenames.
This isn’t theoretical. It’s already happening. And the ICO’s approach — fining platforms for not having age verification, while apparently doing very little about what those verification providers actually do with the data — feels like it’s got the priorities the wrong way round.
The Teenagers in the Room
Here’s where it gets very real for me. I have two boys. My elder turns 17 in September. He’s already demonstrated that he can be trusted with social media — he’s been sensible, he’s not given me cause for concern, and under this ban he’ll just about scrape through. My younger turns 15 in August. He’s squarely in the target group.
And I can tell you from direct experience: the tools we already have for managing children’s access to technology are fragile at best.
Their school recently changed the wifi settings to restrict access to more sites. Sounds sensible. The problem? It didn’t work on Android phones — both boys are on Android — and the restrictions simply didn’t apply. Meanwhile, I’ve had to remove Google Family Link — the monitoring tool I was using to set time limits on individual apps and games — because it was conflicting with other settings and creating more problems than it solved. So here I am, a professional who spends her working life advising organisations on information security, and I’m struggling to manage the digital access of my own teenagers with the consumer tools available to me.
And here’s the kicker. My elder — the responsible, trustworthy one — got around the school wifi restrictions by downloading a VPN. He didn’t even realise he was breaking school rules. He just found a practical workaround, the way teenagers do. If a sensible 16-year-old can bypass institutional-level network controls in about five minutes, what chance does a social media ban have?
If the technology doesn’t work consistently at school level, and it doesn’t work consistently at device level, how is it going to work across every social media platform in the country?
I’m fine with Apple’s approach to age verification — using years of account and device history to confirm an age range without sharing raw identity data. It worked for me, and as a concept it’s a clever bit of engineering. But it relies on being in the Apple ecosystem, with years of history behind you. My boys are on Android. My younger has a couple of years of device history at most. What’s he supposed to do — upload a passport he doesn’t carry, or a driving licence he’s years away from having?
Then there’s the timing question. This legislation is expected to come into force in Spring 2027. By then, my elder will be 17. Is he going to have to hand over personal identification to prove his age, just so he can continue doing what he’s been doing responsibly for years? Will he face overnight curfews and infinite scrolling restrictions for six months until he turns 18? And if those restrictions aren’t applied to 17-year-olds — if the ban is phased in, or only targets new accounts — then the government is implicitly saying that social media isn’t actually dangerous for someone his age. In which case, why are we building this entire infrastructure in the first place?
You can’t have it both ways. Either social media is harmful enough to justify mass age verification, or it isn’t. Drawing an arbitrary line at 16 and then shrugging at 17-year-olds undermines the whole argument.
And then there’s the data question. Every social media platform ends up with — or passes to a third party — a database of children’s identity documents. The exact kind of data that, if breached, can’t be changed. You can get a new credit card number. You can’t get a new face or a new date of birth.
The SAR Connection
This links to something I’ve written about before — the problem of organisations demanding excessive personal identification without clear policies on what happens to it afterwards.
When I tried to get one of my sons’ medical records through a Subject Access Request, the NHS trust demanded an extraordinary level of identification — far beyond what was proportionate. And when I asked what they would do with all that sensitive ID data after they’d verified my identity, the answer was far from reassuring.
The same pattern is emerging here. The government is about to mandate age verification across the entire social media landscape, but nobody is talking about the age verification data protection framework that needs to sit around it. Where are the mandatory retention limits for verification data? Where are the requirements for providers to delete ID documents after checking? Where are the approved standards for what constitutes proportionate age verification?
The ICO has been fining platforms for not checking ages aggressively enough. But I’d argue the more urgent question is: what safeguards exist for the tidal wave of personal data that’s about to be collected in the name of age verification?
What Should Happen Next?
If the government is serious about protecting children — and I believe it is — then the data protection framework needs to be built alongside the ban, not bolted on afterwards. That means:
Clear, enforceable standards for age verification providers operating in the UK, including strict limits on what data they can collect, how long they can keep it, and what they can do with it.
Mandatory privacy impact assessments before any verification system goes live, published and subject to public scrutiny.
A proper investigation by the ICO into what existing verification providers are already doing with the personal data they collect — because the evidence so far suggests it isn’t pretty.
Investment in privacy-preserving technology. The EU is building an age verification app designed to confirm age status without sharing identity data with platforms. Could the UK be doing the same — or better?
Transparency for parents and young people about exactly what data is being collected, by whom, and where it’s going. If either of my boys has to prove his age to use a platform, I want to know precisely what happens to that proof.
The Bigger Picture
I support protecting children online. Every parent does. But we’ve seen this pattern before — legislation driven by a genuine and urgent concern, rushed through without the operational detail that makes it work safely. The Online Safety Act is already creating perverse outcomes, with some adult content sites simply blocking UK users rather than implementing age checks, while others use the cheapest (and least privacy-friendly) verification tools available.
A social media ban for under-16s will only work if we can verify age without creating a surveillance infrastructure that puts everyone’s personal data at risk. Right now, we don’t have that. And the gap between the announcement and the reality is exactly where the problems will live.
It’s also hard not to notice that the practical effect of all this is to move the entire population a step closer to some form of digital identity. That’s not a political point — it’s an observation about where the infrastructure leads. Once a system exists that can verify your age across every major platform, it won’t stay limited to social media for long.
The question isn’t whether we should protect children from harmful content online. Of course we should. The question is whether, in doing so, we end up building a system that demands we all hand over our most sensitive personal information to companies we’ve never heard of, in jurisdictions we can’t control, with retention policies we’ve never agreed to.
That’s not protecting anyone. That’s creating a whole new problem.
