By 2026, 26 states have active age verification laws in effect, with West Virginia's law scheduled to take effect June 12, 2026. Laws apply based on where content is viewed – a platform operated from Delaware serving a user in Utah falls under Utah's law for that transaction.

Most state laws apply when at least one-third of a site's content qualifies as "harmful to minors," which generally covers nudity and sexually explicit material. Three states – Ohio, South Dakota, and Wyoming – set no minimum threshold at all, meaning any platform with adult content is covered regardless of proportion.

Penalties vary by state but frequently include fines up to $10,000 per day. Several states also create private rights of action, giving parents the ability to sue platforms directly when minors gain access to content.

The Online Safety Act covers any platform accessible to UK users that hosts pornographic content – user-to-user platforms, search services, and dedicated adult publishers alike. The compliance deadline was July 25, 2025. Ofcom's maximum penalty is 10% of qualifying worldwide revenue or £18 million, whichever is the larger figure.

Ofcom has since written to major technology platforms requiring them to enforce minimum age policies using highly effective age assurance, with a reporting deadline of April 30, 2026. Enforcement posture in the UK has hardened considerably throughout 2025–2026 and shows no sign of softening.

The Digital Services Act establishes the baseline across EU member states. Article 28 requires online platforms accessible to minors to provide a high level of safety, security, and privacy – and the Commission has moved from publishing guidelines to opening enforcement actions against specific platforms.

France brought Arcom's mandatory technical standards for adult content verification into force in January 2025. Fines for a first violation reach €150,000 or 2% of global annual turnover, whichever is higher. Repeat violations double both figures. Arcom can also instruct ISPs and domain providers to block non-compliant sites within 48 hours – and providers face criminal liability if they fail to comply within that window.

Germany tightened its approach in December 2025. Regulators can now require banks and payment processors to stop serving non-compliant platforms. For most operators, losing payment processing is a more immediate commercial threat than a fine.

Italy mandates age verification for adult content, prohibits platforms from promoting VPNs as a workaround, and enables ISP-level blocking for sites that don't comply.

Spain is developing a national digital identity tool specifically for age verification.

The EU-wide solution – built on the same technical framework as the forthcoming European Digital Identity Wallets – is currently in pilot testing across France, Denmark, Greece, Italy, Spain, Cyprus, and Ireland. Full rollout is expected by end of 2026.

Australia moved faster than most. Phase 1 in December 2025 prohibited under-16s from major social platforms. Phase 2 in March 2026 extended the same requirements to pornographic sites and AI chatbots, with fines up to AUD 49.5 million for platforms that fail to take reasonable steps. Pornhub's response – blocking all Australian users rather than implementing verification – illustrates the severity of the enforcement risk, though it is not a commercially sustainable strategy for most operators.

The user shows their face via photo or video. AI analyses the image to estimate age, confirming the subject is a live human rather than a photo. No identity document is needed.

The major providers delete the image immediately after the check. Yoti has completed over 850 million age checks, with every image deleted straight after processing. The platform receives only a pass/fail result – no image, no identity data is stored or transmitted. This method works well for users who prefer not to share documents or financial information, though it is worth offering alongside other options for users who remain uncomfortable with facial scanning.

The user uploads a government-issued ID – passport, driver's licence, or national ID card. The provider checks document authenticity, runs liveness detection to confirm a real person is present, and matches the face to the document.

This is among the most robust methods available and is legally mandated in some US states (Louisiana requires government-issued ID for accessing pornographic sites). The combination of document checks, liveness detection, and face matching makes it very difficult to circumvent with a fake or borrowed ID.

The user provides credit card details. A payment processor confirms the card is valid using a two-factor authentication and mini-transaction process – no money changes hands. Because credit cards are only issued to adults, a valid card confirms the user is over 18.

The process is similar to a hotel check-in: the platform receives only a yes/no confirmation. No personal data passes to the adult platform. Verifymy describes it simply: "Is this individual over 18? Yes or no." For users who are already providing payment details to access content, this is typically the least disruptive option.

This is a newer method, offered by BorderAge – one of the two certified providers BunnyCMS integrates with. The user holds their palm up to a camera, and the system estimates age from palm characteristics. BorderAge holds regulatory certification for this approach. For users who prefer not to show their face, it offers a biometric alternative that doesn't require any document or financial detail.

Digital ID apps – such as the Yoti app – let users store a verified proof-of-age credential on their device. When accessing a site, they share only confirmation that they are 18+. Nothing else is disclosed.

The EU's forthcoming digital identity wallets operate on the same principle using Zero-Knowledge Proof cryptography. The platform receives an age attestation – nothing more. No underlying identity data is transmitted at any point in the process.

The user grants permission for an age-check service to access their bank's confirmation that they are over 18. Since bank accounts require age verification at setup, this serves as a proxy for age confirmation. The bank confirms status; the platform receives the result.

The user provides their email address. The service analyses where that address has been used – banking, utility providers, financial services – and estimates the account holder's age from those associations. Verifymy reports this as the method users say they feel most comfortable with. Data may be retained for up to 28 days in encrypted form before deletion.

The user grants permission for an age-check service to query their mobile operator regarding account age filters. If no parental restrictions are in place, the account holder is confirmed as an adult. Importantly, the mobile operator does not learn which website the user intends to access.

Journey: User visits → sees SFW or blurred preview → subscribes or pays → completes age verification → unlocks full content.

Keeping verification after the payment decision reduces friction at the point where most drop-offs occur. Users can evaluate the platform and decide to subscribe before being asked to prove their age. Conversion rates tend to be stronger with this approach because the barrier doesn't appear during initial discovery.

The trade-off is a limited preview experience: users in locations where compliance is required will only see safe-for-work or blurred content until verification is complete. This works best for subscription-based paysites where converting a visitor into a paying subscriber is the primary goal.

Journey: User visits → completes age verification → views full preview content → decides whether to purchase.

Giving users full preview access before asking for payment builds trust and lets the content make the case for itself. Subscribers who choose to pay after seeing the full preview tend to have stronger intent and lower churn.

The trade-off is that verification sits at the very beginning of the journey – before any commercial relationship exists. This is the moment of highest drop-off risk, and the quality of the verification experience matters more here than anywhere else.

This structure works best for platforms where the preview is a major driver of purchase decisions: high-quality VOD libraries, niche content where users need to assess fit before committing, or fan platforms where the creator's voice and style need to come through before a subscription makes sense.

The most effective implementations offer both flows simultaneously, letting user behaviour and regional requirements determine the path.

Users who want full preview access can verify first. Users who prefer to subscribe and deal with identity checks later can pay first. The platform stays compliant under both paths, and friction is reduced for the broadest possible audience.

This is how BunnyCMS implements verification through its Age Verification Module – handling both flows with Yoti and BorderAge, including fallback logic for different user preferences and regional compliance requirements.