The 'Papers, Please' Era of the Internet: What Age Verification Laws Mean for SaaS Founders
The internet is about to ask for your driver's license. Not just for the obvious sites. For social platforms, community tools, anything where a minor might conceivably land.
Twenty-five US states now require age verification to access parts of the internet — that's half the country. Australia banned under-16s from social media entirely in December 2025. France, Spain, Denmark, Norway, and Indonesia are drafting their own versions. The EU is watching and taking notes.
This is what age verification for SaaS looks like in practice: identity verification mandates are becoming the default gate for accessing online services, not just adult content. And the blast radius is larger than most founders realize. If your product has a public community, user-generated content, messaging between users, or any feature where strangers interact — you are in this conversation whether you've joined it yet or not.
FIRE's free-expression watchdog Sarah McLaughlin named this the "Papers, Please" era of the internet. The reference is precise. These laws aren't asking platforms to guess a user's age. They're requiring platforms to verify identity as a condition of access — and the infrastructure being built to do that has uses far beyond child protection.
"Age Verification" Is a Euphemism for "Identity Verification"
The framing is always "protect the children." The mechanism is always "show us who you are."
You cannot verify age without verifying identity. Those two things are inseparable — which is precisely what makes these laws so much broader than their marketing suggests. What regulators are passing, when you read past the headline, is a framework for mandatory identification as a precondition of internet access.
The US Supreme Court made this durable in June 2025. In Free Speech Coalition v. Paxton, the Court upheld Texas's H.B. 1181, which requires age verification before accessing sites with substantial sexually explicit content. That decision opened the door for similar statutes to survive constitutional challenge — and state legislatures have been walking through that door steadily since.
Federal proposals like the Kids Online Safety Act (KOSA) would extend mandatory verification nationally, applying to any platform a minor might use. Not just adult content. Any platform.
Your compliance team isn't thinking about this yet. They should be.
What Verification Actually Looks Like in Production
When a platform implements mandatory age verification, three technical methods dominate what a user actually encounters:
Document upload and OCR. User photographs their government-issued ID — passport, driver's license, national ID card. A system extracts and validates the data. The document or a hash of it gets stored. This is the most invasive method and creates the heaviest data liability. It's also the most common mandate from regulators who want high confidence.
Facial biometric matching. User submits a selfie. A third-party API matches the face to the uploaded ID photo. Snapchat is using k-ID — a Singapore-based layer that accepts banking connections, government ID scans, or selfies for age-range estimation. k-ID wraps the complexity but doesn't eliminate it: biometric data exists somewhere, and "destroyed once all purposes have been met" is doing a lot of work in those data retention agreements.
Banking or financial data bridging. The platform pings a bank or credit bureau to confirm age-range. Lower friction than a document scan. Requires open banking infrastructure. Common in the UK; less mature in the US.
The third-party API layer forming around all of this is already mature:
| Provider | Methods | Notable Use | Geography |
|---|---|---|---|
| k-ID | Bank link, government ID, selfie | Snapchat | Global |
| Yoti | Document scan, selfie | UK government pilots | EU, UK |
| Veriff | Document + facial biometric | Fintech, social platforms | Global |
| Persona | Document, biometric, database | Enterprise SaaS | US-focused |
| AgeID | Email, credit card, document | Adult content platforms | US, UK |
This infrastructure was built for fintech KYC. Regulators are now mandating it for social platforms. The question for SaaS founders is whether they'll be next.
Where It's Already Law — and What Happened
Australia moved first. The Online Safety Amendment banning social media for under-16s took effect December 2025 — the first national social media ban of its kind. The results were instructive for anyone building policy assumptions into their product roadmap.
Government research found roughly 7 in 10 minors still accessed social media months after the ban took effect. A British Medical Journal study found "little evidence was found of immediate substantive reductions" in use. The infrastructure went in. The verification flows went live. And teenagers found workarounds within weeks — VPNs, older siblings' accounts, borrowed credentials.
Then a Discord breach exposed the government IDs of nearly 70,000 Australians in the weeks leading up to the ban. The law failed to stop minors. The data collection created a breach that harmed the adults who complied.
That's the paradox in one incident. The enforcement outcome looks bad. The data liability outcome is worse.
In the US, the landscape is fragmenting. Specific laws currently active or taking effect in 2026:
| State | Law | Key Requirement | Fines |
|---|---|---|---|
| Virginia | SB 854 | One-hour daily limit for under-16; parental consent | $7,500 per violation |
| Nebraska | LB 383 | Age verification + parental consent for under-18 | $2,500 per violation |
| Ohio | HB 96 | Age verification for harmful-to-minors content | Varies |
| California | SB 976 | Algorithm restrictions for under-18 | TBD |
| Tennessee | HB 1891 | Social media restrictions for minors | Varies |
That's five different technical requirements, five different fine structures, and five different definitions of what content "harmful to minors" means. An app available in all 50 states is looking at potentially 25 parallel compliance regimes.
Florida's implementation is a useful early data point: VPN demand in Florida surged 1,150% following HB 3's rollout, according to reporting in Breached.company's 2026 rollout analysis. Minors routed around the law within days. The verification overhead landed on the adults who didn't.
Globally, at least 9 more nations are pursuing similar frameworks — France, Spain, UAE, Indonesia, Malaysia, Greece, Denmark, Norway, and several EU member states. McLaughlin's FIRE analysis warns that if the UK moves forward with targeting VPN usage that circumvents age gates, the surveillance scope could rival state-level censorship regimes in breadth.
List Your Privacy-First SaaS on SaaSCity
Building compliance infrastructure for identity, onboarding, or verification? Or a SaaS tool that handles this problem differently — with less friction, less data collection, better UX?
SaaSCity.io is the directory where founders and buyers discover what's actually shipping in the privacy and compliance space right now.
- Free to list: Submit your product at /live/submit in under 2 minutes — no cost, no catch
- Earn dofollow backlinks: Every listing earns a permanent, indexed backlink from a high-authority domain. The kind that compounds.
- 3D city map visibility: Your product gets a building in the SaaSCity interactive map — visible to high-intent buyers actively researching solutions
- Category timing: Privacy and verification tooling is one of the fastest-growing SaaS categories in 2026. Getting listed early matters.
What This Means If You're Building SaaS
Here's where most founders make the category error: they see "age verification" and think "adult content sites and social media giants." Neither describes their product. So they file it away as someone else's problem.
The scope of these laws doesn't stay put. "Harmful to minors" is undefined in most statutes — intentionally. Regulators and courts fill in the meaning over time, and that expansion has a consistent direction: outward. Texas's law started with adult content. State legislators are now applying the same framework to social features, community platforms, and anything where user-generated content might reach a minor.
If your SaaS has any of these features, you're in the blast radius:
- Public comments or community forums — user-generated content a minor could access without logging in
- Direct messaging between users — peer-to-peer communication that regulators treat as a social feature
- User profiles visible to others — any social graph element
- Marketplace or content creation tools — where users post publicly and others browse
- Embeddable widgets or plugins — if your component lands on a page a minor visits, you may be deemed the platform
The Onboarding Math Is Brutal
Mandatory SaaS user onboarding with identity verification creates conversion drop-off at a scale that's easy to underestimate until you see it on your own funnel.
A 1% drop-off during onboarding translates to $100,000 in lost monthly revenue for a platform processing 100,000 signups with a $100 average customer lifetime value. That's one percent. Industry data on identity verification flows shows 15–30% abandonment at the document upload step alone — and that's before you account for users whose IDs don't match expected formats, mobile users who abandon at higher rates than desktop users, and international users whose government IDs fail OCR validation.
The friction falls hardest on exactly the wrong users. Older users without digital ID wallets abandon at high rates. Legitimate adult users in verification-resistant jurisdictions use VPNs or give up. The minors the law is trying to gate out route around it within a news cycle.
What to Build Now, Before the Mandate Arrives
The founders who will feel this the least are the ones building the architecture before a regulator imposes a timeline. The SaaS compliance checklist for 2026 lays out a practical workflow — age verification intersects with the same GDPR data minimization principles you're already working through.
Audit your product's risk surface. What features create user-generated content? What features allow user-to-user interaction? Which are visible to unauthenticated users — meaning a minor could access them with zero login friction? This map is what regulators will ask for first.
Know your geographic exposure. If 40% of your signups come from Texas, Virginia, and Louisiana, you're not watching this from a safe distance. Build your exposure map against the active law list before assuming you're not covered.
Evaluate the API integrations now. k-ID, Yoti, Veriff, and Persona all have integration documentation and sandbox environments. Testing an identity verification flow takes weeks when you're calm. It takes months when you're under a compliance investigation. The time to experiment is now.
Design for data minimization. The best architectures store a verified age-range flag, not the document. A verification token, not the biometric. European data regulations already mandate minimization under GDPR — these age verification laws stack on top of the same principles. The platforms that collect less have less to breach, less to explain to regulators, and less to lose when the inevitable security incident happens.
Document your position proactively. Regulators move faster against companies that can't show they thought about this. A written policy on how you evaluate and handle age verification obligations — even if the current answer is "we're under the threshold and here's why" — demonstrates governance. That matters when a complaint gets filed.
The Bargain Nobody Voted For
The hardest part of this conversation is that no one's wrong about the underlying problem.
Minors are using social platforms in ways that cause real harm. The data on teen mental health and social media is concerning. Platforms built addiction mechanics that exploit developing brains, and "just monitor your kids" has largely collapsed as a policy response.
But the solution being constructed — a mandatory identity verification layer on top of internet access — isn't targeted child protection. It's surveillance infrastructure with child protection branding. McLaughlin's argument at FIRE isn't that child safety doesn't matter. It's that these laws "could potentially exceed China, Iran, and Russia in surveillance scope" if extended to their logical conclusion. Once the plumbing exists, what gets piped through it is a policy decision made by whoever's in power next.
The US government's appetite for platform regulation isn't quieting down. From direct intervention in AI model deployment to content moderation mandates to age verification requirements, the direction of travel is clear: more regulation, broader scope, faster timelines.
What's actually being built, law by law, breach by breach, is an internet where anonymity is the exception and verification is the price of entry. For fintech, that's already true. For healthcare, same. For social platforms in half the US, it's now legally mandated.
SaaS founders can't control where this goes. They can control whether their products are built to survive it — minimum data collection, portable verification architecture, and compliance posture that wasn't assembled the night before a regulator called.
The internet is about to ask for your users' driver's licenses. The question is what you plan to do with them — and whether you've thought hard enough about that question before you were forced to answer it.
SaaSCity.io covers the intersection of regulation and SaaS. Explore the SaaSCity directory to discover what's shipping right now — or list your own product.
Get your SaaS in front of founders
List your product on the SaaSCity live city map — a permanent listing, real discovery, and a backlink from a high-DR directory. Free to start; upgrade for a dofollow link and a building on the map.
