UK online age verification faces simple defeats as children tailor easy workarounds
Online age verification is proving fragile in practice, with a new Internet Matters study finding children routinely bypass checks and parents often assisting.
The United Kingdom’s Online Safety Act 2023 requires platforms to protect users through measures including online age verification, but a recent study by London-based charity Internet Matters (May 2026) shows many children can and do evade those checks using simple, low‑tech methods and by enlisting parental help.
Why the Online Safety Act makes age verification central
The Online Safety Act 2023 positions online age verification as a core tool for reducing children’s exposure to harmful content on platforms and apps. The law places explicit duties on tech services to protect younger users and requires practical measures — including systems that can verify or estimate a user’s age — to prevent access to certain types of material. As a result, a wide range of websites and mobile apps have adopted or are experimenting with age‑gate techniques designed to confirm whether a user is above a minimum age threshold.
How platforms implement online age verification today
Implementation approaches vary. According to the Internet Matters study, platforms commonly use several techniques to assess age: guided selfies or short video clips for facial age‑estimation scans, uploads of government‑issued ID photos, automated facial age‑estimation tools, and third‑party verification services that cross‑check personal data. These methods aim to be faster and harder to fake than the old “click I’m 18” prompt, and they reflect the industry’s move toward biometric and data‑driven verification as part of safety compliance.
The methods children use to bypass checks
The heart of the Internet Matters findings is how readily children are finding ways around verification. About one‑third of the 1,000 UK children polled said they had bypassed an age check previously. Perceptions of ease were high: 52% of respondents aged 13 and older said age verification was easy to bypass, and 41% of those aged 12 and under agreed.
The study cataloged a surprisingly broad set of tactics:
- Simple make‑up or props, including drawing a mustache with an eyebrow pencil, to alter appearance in selfies or short videos.
- Using clips of video game characters turning their heads to trick live‑motion checks.
- Uploading parents’ or other adults’ government ID photos, or searching the web for random adult photos when a photo upload is required.
- The longstanding practice of lying about one’s birthdate.
- Technical measures such as using a VPN to obscure identity or borrowing an older sibling’s or parent’s device.
- Asking a parent directly to complete or bypass the verification process on their behalf.
These responses show that even when checks move beyond a single click, children often combine low‑tech tricks and social strategies to succeed.
Parental behavior and the role parents play in bypassing checks
Internet Matters’ survey also probed parental involvement and found it significant: a quarter of parents (26%) reported allowing their child to bypass age checks. Within that group, 17% said they actively helped the child, while 9% allowed it or turned a blind eye. Parents who facilitated bypasses often said they felt capable of managing the risks themselves — for example, by supervising a child going live on TikTok or permitting access to games with peers while physically present.
That parental willingness complicates regulatory aims: when guardians explicitly assist or condone bypassing, platform controls alone cannot fully prevent underage access. At the same time, some parents view supervised access as a pragmatic tradeoff between preventing harm and enabling safe participation in social platforms or gaming.
Children’s exposure to harmful content and attitudes toward safety measures
Despite the inventive bypass strategies, the study reports that children still welcome the safety measures in principle. More than 90% of respondents said they appreciate newer safety measures intended to limit exposure to adult material. Yet exposure to harmful content remains a pressing concern: nearly half of the children polled said they had encountered something harmful online in the previous month, and Internet Matters characterizes those encounter rates as occurring at “unacceptable rates.”
A teenager quoted in the study captured the mixed view: “I think it’s good because it keeps us from viewing adult content, which is not going to be good for our mental health.” That sentiment illustrates why platforms and regulators are pursuing age verification despite its imperfections.
Calls for enforcement and regulators’ role
Internet Matters used the study’s findings to press the UK government for stronger enforcement. The organization argued that regulators and platforms must be held accountable where existing legislation is not being implemented, and it urged lawmakers to address gaps in the law without delay so harm is not left to occur first. In the coverage of the study, a request for comment to Ofcom, the UK regulator, did not receive an immediate response.
Those demands reflect a central tension in the policy debate: lawmakers and child‑safety advocates want robust guardrails, but practical limitations — technical workarounds, parental cooperation in bypassing checks, and differing platform approaches — make uniform compliance and enforcement complicated.
What these findings mean for developers and product teams
For platform engineers, product managers, and compliance teams, the Internet Matters data offer a pragmatic reality check. Moving from a declarative legal obligation to effective technical controls requires thinking beyond a single verification method. The study suggests a few implications for product design and security engineering:
- Multi‑layered approaches are likely necessary. Relying solely on one verification vector (for example, a selfie‑based age‑estimation model) is vulnerable to low‑effort spoofing and social workarounds.
- Usability and parental workflows matter. Where parents are willing to help, platforms might need clearer parental consent flows, better parental controls, and audit logs that make parental involvement transparent and accountable.
- Fraud detection and contextual signals can help. Device history, reuse patterns, and cross‑session anomalies may flag suspicious attempts that simple one‑time checks miss.
- Privacy tradeoffs must be managed. Techniques that rely on biometric or identity documents raise data‑protection, retention, and minimization questions that product and legal teams must balance against safety goals.
All of these implications point to a broader need for cross‑functional collaboration among developer tools, security teams, legal counsel, and product owners to craft verification experiences that are both robust and respectful of user privacy.
Business and policy implications for platforms and regulators
From a business perspective, the study’s findings affect trust, compliance risk, and user experience design. Platforms operating in the UK — already described in the study as among the toughest jurisdictions on age verification — must weigh operational costs of stronger checks against the reputational and regulatory risks of not sufficiently preventing underage access. For smaller services without large compliance teams, the burden of meeting the Online Safety Act’s expectations may be especially acute.
Policywise, the study reinforces arguments from child‑safety groups that legislation alone is not enough; active enforcement and mechanisms to hold platforms to account are necessary. Regulators will need clear benchmarks for what constitutes adequate verification and processes for testing and responding to circumvention tactics that emerge in the wild.
Wider industry context and adjacent technologies
Age verification intersects with several adjacent ecosystems and technologies. Biometric age estimation sits at the crossroads of AI tools and privacy law; identity verification touches CRM and identity providers; and moderation efforts overlap with automation, security software, and content safety tooling. The trends noted by Internet Matters — children using both low‑tech and digital methods to bypass checks — suggest that solutions will need to combine machine learning models, fraud detection systems, parental controls, and human moderation workflows.
Developers and companies working on AI verification models or identity services should consider how their products will be used in supervised settings, how to support parental management features, and how to document privacy and retention practices that align with legal requirements.
Limitations of verification as a single line of defense
The study highlights a structural truth: verification is necessary but not sufficient. Even with improved age checks, children continue to encounter harmful content at rates Internet Matters calls unacceptable. Platforms therefore must treat verification as one component of a layered safety strategy that includes content moderation, reporting mechanisms, targeted interventions, and education for both children and parents about online risks.
What the Internet Matters findings mean for families and educators
For families, the data underline the importance of active discussions about online safety and the limits of technological fixes. Parental involvement — whether in helping bypass checks or supervising a child’s online sessions — plays a decisive role in how children access content. Educators and child‑safety professionals can use the study to inform guidance for parents about supervising device use, recognizing circumvention techniques, and making informed decisions about when supervised access is appropriate.
Potential paths forward for policy and product design
The clearest path suggested by the findings is a multi‑pronged one: stronger enforcement of existing laws, clearer standards for what effective verification looks like, and product designs that anticipate common circumvention strategies. That combination would require coordination among regulators, platform operators, child‑safety organizations, and technology vendors who provide verification services.
The study’s catalog of bypass methods also offers test cases for vendors and platforms: designers can use those real world tactics — from silly makeup tricks to misuse of adult IDs and parental facilitation — as adversarial inputs when hardening verification systems and user flows.
Looking ahead, policymakers and industry will need to reconcile competing priorities: protecting children, preserving user privacy, and keeping legitimate user experience friction low. Practical progress will likely come through iterative enforcement, transparency about verification efficacy, and continued monitoring of how young people adapt.
Children are inventive and often pragmatic about tools that restrict their access; the Internet Matters survey shows that many are willing to try simple tricks and enlist adults to reach content. The upshot for platforms and regulators is clear: age verification matters, but it will only reduce harm if it is paired with realistic threat modeling, parental engagement strategies that do not encourage circumvention, and enforceable standards that move beyond checkbox compliance.
The conversation around online age verification is far from settled, but this study provides concrete evidence that current verification methods face predictable weaknesses and that parental behavior is a major variable. Future developments are likely to combine improved technical detection, clearer regulation and enforcement, and better resources for parents and educators so verification measures work as intended rather than as hurdles to be dodged.
