Europe Moves to Make Age Checks Actually Mean Something Online

Brussels decides the one-click system has had enough time

For years, many porn sites have treated age checks as a ceremonial gesture. Click the box that says you are over 18 and, apparently, the legal system can rest easy. The European Commission has now decided that this arrangement is not much of a system at all, and it is moving faster on a broader age-verification framework, helped along by recent US scrutiny of how social platforms affect minors.

The Digital Services Act starts biting

In May, the Commission opened formal proceedings against Pornhub, Stripchat, XNXX, and XVideos over suspected breaches of the Digital Services Act, or DSA. The law, which has applied since 2024, updated the rules for online platforms operating in Europe. It requires transparency, faster removal of illegal content, and proper handling of systemic risks, including misinformation and the protection of minors.

By March 2026, the preliminary findings were in. The Commission concluded that all four sites allowed minors to access their services through simple one-click confirmation pages, which regulators judged to be nowhere near adequate for the legal standard. A similar conclusion was reached in a separate investigation into Snapchat, where the Commission said the platform may have exposed minors to grooming attempts, recruitment for criminal activity, and information about illegal goods such as drugs, as well as age-restricted products including e-cigarettes and alcohol.

The DSA does not spell out age verification as an absolute obligation. Still, for Very Large Online Platforms, meaning services with more than 45 million monthly users in the European Union, the Commission expects concrete measures to reduce systemic risks tied to child protection. Noncompliance can lead to fines of up to 18 million euros or 10 percent of global annual turnover, whichever is more useful as a warning.

The proposed fix: prove your age, not your entire life

At a press conference in recent days, the two officials overseeing the work, Prabhat Agarwal and Renate Nikolay, explained the idea behind the new system. The aim is to let users prove they are above a certain age without sending their name, date of birth, or other personal details to the platform or anyone else. A rare privacy goal, in other words, for a policy area that has not always been generous with them.

The technical answer under review is the so-called mini-wallet, officially the Age Verification Blueprint. It works as a mobile app in the style of a digital wallet. A user downloads it, verifies age once through an electronic ID card, passport, banking app, or another national identification system, and then uses it to prove adulthood at participating sites without submitting documents every time.

The core principle is selective disclosure. The mini-wallet does not tell a website the user's date of birth. It answers a simpler question: is this person over 18? The answer is cryptographically verified and sent as a single-use token, which in theory limits the ability to link activity across different sessions on the same site.

A bridge to the EU’s broader digital identity plans

The mini-wallet is not meant to stand alone. It is being designed as a stepping stone to the EU Digital Identity Wallets, or EUDI Wallets, which some member states are expected to implement by the end of 2026. Those future wallets will eventually be integrated with the mini-wallet system.

The idea is that people who get used to the mini-wallet now will later encounter the same basic logic in the wider digital wallet planned for all European citizens. That app is supposed to hold not only age credentials but also identity documents, educational qualifications, driver's licenses, and other personal attributes in one place.

Five member states are already testing the system this year, though not exactly at the same speed. At the press conference, officials said France and Denmark are ahead of the pack, while Greece, Spain, and Italy are lagging. Some experts are therefore skeptical that the full digital wallet rollout will land on schedule. Bureaucracies, as ever, are enthusiastic about deadlines right up until they are required to meet them.

Europe is trying to avoid the US playbook

Several age-verification companies are already active in Europe. Yoti is one of them, and TikTok uses it in Europe alongside other methods such as credit cards and document checks. Another is Persona, an identity and age-verification provider used by platforms including Roblox, Discord, and Reddit.

The Commission is not especially keen on Persona’s approach, which is far more data-heavy. Its services can include fingerprint verification, face recognition, facial screening against a specified list, and retention of such data for up to three years.

In February 2026, it also emerged that Persona had publicly exposed thousands of files online. The company said this involved an isolated testing environment and that the data was not actually exposed. It also said it does not work with US government agencies to provide them with user data.

Even so, the US model is seen in Europe as a warning about what happens when age verification depends on collecting and analyzing large amounts of identifying information. That is precisely the direction Brussels says it wants to avoid. The goal is to move from “prove who you are so I can guess your age” to “prove your age and keep the rest to yourself.”

To support that approach, the Commission is backing an open-source architecture, with room for member states and private companies to publish national or derivative versions. Scytales and T-Systems were mentioned during the press conference as examples of services to watch in Europe.

Officials also described a “triangular” model. In that setup, a third party certifies that the user meets the required age threshold, while the site never receives documents or other personal data. To make the idea less abstract, the Commission pointed to the system used for Covid certificates.

The obvious problem remains obvious

There is still a gap between the technical promise and the basic habits of real people. The mini-wallet is designed mainly to stop websites from learning too much about users. It does far less, however, to prevent the oldest workaround in the book: a minor using an adult’s phone, account credentials, or ID.

So yes, the system may reduce the spread of personal data. No, it does not magically eliminate bypasses in the real world.

Even so, the mini-wallet currently looks like the strongest option on the table. The Commission has made clear that it is not the only possible answer. Alternatives are still welcome, as long as they are “equally effective.” Pornhub is already taking part in the pilot phase, and other operators have also been invited.

If the plan holds, Europe could become the first major policy laboratory where age verification stops being a box-ticking exercise and becomes actual infrastructure. That may improve child protection. It will also create new risks, new technical questions, and a fresh round of arguments about how much of yourself the internet should be allowed to know.