Online Responsibility Network

Moving Upstream: How the regulatory spotlight on age assurance is shifting the focus towards devices, operating systems, and app stores

Posted

Reliable age assurance is rapidly becoming a baseline global requirement for accessing digital services, driven by the popular policy objective of making children safer online. The UK’s Online Safety Act mandates ‘highly effective’ age assurance to restrict underage access to harmful content; likewise Federal Decree-Law No. 26/2025 of the United Arab Emirates requires platforms to implement age verification that is proportional to the risks posed by a platform, and the content it hosts. Under other regulatory frameworks, the requirement to assure user ages is implicit. Duties to keep minors safe from harm (e.g. under the European Union’s Digital Services Act) or to enable parental oversight (e.g. under the US’s amended Children’s Online Privacy Protection Act) are just two examples of obligations that cannot be met without knowledge of a user’s age. The increasing popularity of age-gating social media services (a measure enacted or under active consideration by 25 OECD nations, and now reflected in the UK Government’s announced plan to restrict under-16s’ access to social media from spring 2027) has further crystallised the global focus on age assurance.

In the first wave of online safety regulations, age assurance and verification were framed as safety measures for platforms to implement - as appropriate, or as required. In the past year however, we’ve started to see the regulatory focus shifting ‘upstream’. As of April this year, Singapore’s Infocomm Media Development Authority (IMDA) is requiring major app distribution services - including Apple and Google - to screen and prevent underage users from downloading age-inappropriate applications. California’s Digital Age Assurance Act, which will take effect in January 2027, similarly requires operating systems to collect users' ages at setup and share age brackets (e.g., under 13, 13-16) with the operators of apps. Parallel federal proposals, such as the Parents Decide Act, seek to mirror this approach nationwide.

An alternative model for ‘upstream’ age assurance

In April of this year, the European Commission advanced its alternative strategy to establish age assurance as a minimum requirement for accessing digital services, by announcing the readiness of its pilot age verification application, designed to be compatible with the soon-to-launch European Digital Identity (EUDI) Wallet. In order to use the app, a user will first scan their official identity documents onto their device. When accessing an age-restricted service, the app would generate a single-use, anonymised token that provides a definitive ‘Yes’ or ‘No’ in answer to whether the user meets a certain age threshold. Crucially, this is achieved without revealing the user’s identity to the platform or exposing their browsing habits to the verification provider.

The technical mechanisms relied upon include anonymised age tokens, key rotation and zero-knowledge proofs, tools that the European Data Protection Board deems consistent with the data minimisation requirements of the Global Data Protection Regulations (GDPR). This open-source public layer promises to cut compliance burdens for platforms, reducing the per-transaction cost of verification from up to €5.00, to €0.05 cents. Member states are encouraged to roll-out the technology this year.

What is ‘key rotation’?

In digital age assurance, user data is protected by complex cryptographic ‘keys.’ Key rotation is the automated process of regularly retiring old keys and replacing them with new ones. By rotating keys, an age assurance provider limits the amount of identity data that could be exposed in a worst-case scenario, keeping the vast majority of user information secure and private.
 
Source: National Institute of Standards and Technologies

What are ‘zero knowledge proofs’?

A Zero-Knowledge Proof (ZKP) is a cryptographic method that allows one party (the user) to prove to another party (a website or app) that a specific statement is true, without revealing any of the underlying data. In the context of age assurance, ZKPs allow a user's device to mathematically prove to a website ‘This person is over 18’ without sharing any personally identifiable information. The website gets the verification it needs to grant access, and the user’s identity is kept private.

Source: Ethereum Foundation

The main benefit of shifting age assurance to the device, operating system or app store level lies in creating a single point of enforcement, in lieu of fragmented, platform-by-platform compliance. In theory, moving such interventions upstream better preserves privacy by removing the need for repeated data collection, while also dramatically reducing compliance costs for platforms. This said, some child advocates warn against a complete shift to ‘upstream’ controls, highlighting that the absence of platform safeguards could entirely erode protections for children in families that share devices, in which settings configured centrally by parents could inappropriately skew their interactions across the entire digital ecosystem. Critics of regulations targeting app stores and operating systems also argue that concentrating verification within a handful of gatekeepers could in fact increase privacy risks, and undermine competitiveness, by boosting a small group of already powerful companies.

Re-framing the role of government in helping to create safer digital spaces

In addition to proving that highly effective, privacy-preserving age checks are technically feasible, the EU’s age verification infrastructure signals the beginnings of a more holistic approach to online safety, demonstrating that responsibility can and should be shared across different levels of the tech stack. By not putting the onus on app and operating system providers, it also avoids turning a small group of commercial entities into the ultimate, consolidated gatekeepers of citizens' digital identities. But above all, through the pioneering provision of public tooling, the EU approach enables a future in which governments, instead of just making online safety laws, actively play an appropriate, infrastructural role alongside tech providers, and platforms, to help build a safer digital ecosystem.