This is part one of a two-part series in which we explore approaches to protecting children online while safeguarding privacy, security and the open web. Part one covers our concerns regarding age gates, and alternative policy proposals that address the root causes of online harms.
Young people today have unprecedented opportunities to learn, connect, and explore — not just the web and the world, but also themselves. With the increased ubiquity of digital technologies and devices, worries around the relationship between these technologies and young people’s well-being have grown, too. While concerns about the societal implications of new technologies is not a new phenomenon, experts argue that the accelerating speed of deployment of new technologies has outpaced scientists’ capacity to feed into policy recommendations addressing risks. A growing body of research documents the harms experienced by young people online and the challenges reported by parents attempting to mediate their kids’ technology use. At the same time, experts highlight the importance of contextual factors like existing mental health conditions, socio-economic circumstances and parental mediation to understand the real-world effects of digital technologies.
Faced with this complexity, and mounting public pressure, policymakers around the world are urgently seeking ways to improve child safety online. Driven by a sense of time running out and promises of new technical solutions to difficult questions, this has led, across jurisdictions, to proposals to restrict young people’s access to certain technologies or platforms by introducing age assurance mandates.
Privacy and user empowerment have always formed a core part of Mozilla’s mission. As we have said before, we support safer spaces for minors, but we caution against approaches that rely on identity checks, surveillance-based enforcement, or exclusionary defaults. Such interventions rely on the collection of personal and sensitive data and, thus, introduce major new privacy and security risks.
While many technologies exist to verify, estimate, or infer users’ ages, fundamental tensions around accessibility, their effectiveness and effects on user’s privacy, security and free expression remain. Technological approaches must be part of wider efforts to address the root causes of online harms. However, the deployment of age assurance technologies will not solve the complex challenge of preparing young people to navigate an increasingly online world and ensure their wellbeing. That will require more holistic approaches: offering education and support to navigate the web safely, addressing harmful business practices and acknowledging the offline factors shaping children’s lives including social inequality, poverty or disparate access to (mental) health care services.
Ineffective age-gating mandates and the dangerous shift toward VPN restrictions
As jurisdictions around the world gain experience with government-mandated age gates for certain services, evidence is mounting that age restrictions are not an effective policy tool. Avoiding age gates is widespread and trivially easy: In Australia, where minors under 16 year of age have been banned from certain social media platforms since December 2025, the government’s Compliance Update reports that seven out of ten young Australians remain online, often skirting age checks by simply entering a fake birthdate. A recent study on the implementation of the UK’s Online Safety Act found that a third of children have bypassed age gates with fairly trivial steps like faking their birthdate, borrowing someone else’s login credentials, or even drawing on facial hair, and that a quarter of parents have helped their children to bypass age assurance systems. In the US, studies indicate that as far back as 2011, 64% of parents who were aware their child under 13 had a social media account were also ones who helped them create that account.
Confronted with the apparent ineffectiveness of age gates, policymakers around the world seem to be shifting their attention to alleged circumvention tools. While research shows that many young people bypass age barriers by using other people’s devices and accounts or tricking age estimation tools by making themselves look older, virtual private networks (VPNs) are increasingly framed as primarily a “loophole” to age gates. VPNs create encrypted “tunnels” between a user’s device and the internet, protecting all internet traffic from that device and concealing users’ IP addresses. VPNs are an essential privacy and security resource for millions of users worldwide, including young people.
Utah’s recent age verification law holds websites hosting age-restricted content liable for verifying the age of anyone physically located in Utah, including individuals using VPNs or proxies. While the law does not ban VPNs outright, it forces websites to either block known VPN IP addresses or verify the age of every visitor globally. In the UK, policymakers debated age gates for VPNs extensively, but stopped short of restricting VPNs after new evidence confirmed that VPNs are not a relevant pathway for children seeking to bypass age checks. In Brazil, the ECA Digital law empowers the regulatory authority to order technical countermeasures against circumvention tools such as VPNs. These developments suggest a worrying trend: well-meaning but ineffective attempts to protect children risk undermining the fundamental rights to privacy, security, and free expression of all users, as well as the health and openness of the web itself.
We are convinced, however, that there are rights-respecting alternatives policymakers can pursue to empower young people online and improve their safety and well-being.
Moving beyond access bans
We strongly believe that online safety frameworks should be grounded in children’s rights, striking a balance between their right to protection and their right to participate in society, express themselves freely, and access media and information. Such frameworks must also be proportionate and should not undermine the fundamental rights and access to tools like VPNs for all users.
Rather than focusing on limiting access, we believe that policymakers should prioritize interventions that tackle the root causes of online harm. Before considering new instruments, this work starts with ensuring that independent regulatory authorities have the necessary resources to enforce existing online safety frameworks. In Europe, preliminary findings against Meta and TikTok find these companies’ addictive design features to be in breach of the Digital Services Act, underlining the potential of frameworks like the DSA to address key concerns.
The design of online interfaces, and the affordances and constraints they offer, significantly influences users’ interactions, decisions and overall wellbeing. ‘Dark patterns’ or deceptive interfaces are key drivers of harms experienced by users, and especially young people: they can compel people to consent to extensive data collection and processing, resulting in hyper-personalized feeds, personalized ads that may exploit cognitive vulnerabilities and promote unhealthy or excessive consumer choices, and an overall erosion of privacy.
This is why we support proposals like EU Digital Fairness Act (DFA) and the American Innovation and Choice Online Act (AICOA) that could fill regulatory gaps. Specifically, we advocate for the prohibition of harmful design, guided by harmonized definitions of core concepts like “dark patterns”, “deceptive design,” and “addictive design” and anti-circumvention clauses to prevent companies from avoiding regulation through small tweaks. Platforms should be responsible for demonstrating that their design choices are fair, non-manipulative and non-exploitative. And services that are likely to be accessed by children should be required to refrain from enabling certain design features, including excessive notifications, endless feeds and gambling-like features by default, and only with parental consent.
Further, we urge policymakers to adopt a privacy-first approach to online harms. Many of the risks encountered by young people online are related to the collection and processing of personal data. Platforms collect enormous amounts of personal data, including sensitive data, to personalize and target services, ranging from algorithmic recommender systems to online ads. While the systems that target and display ads and curate online content are distinct, both are based on the surveillance and profiling of users.
Such profiling is the basis for young people being targeted with personalized ads and content recommendations, which can segment, exclude, or steer people into inequitable options and towards harmful content. Providers should thus be prohibited from using sensitive personal data (e.g. ethnicity, religious belief, health status, sexual orientation, political affiliation) to personalize content recommendations or ads, and they should be mandated to enable privacy-protective settings by default, including restricting access to users’ location, camera, microphone, contacts, and camera roll. Policymakers should also extend the fairness and transparency obligations to personalization systems and advertising actors, including intermediaries and data brokers.
Additionally, everyone online, including families and young people, should be fully in control of their online experiences and navigate the web according to their preferences and needs. There is a significant opportunity to empower users with easy, effective opt-out rights and granular user controls. In practice, users should have the right to opt out of personalized content and targeting without being penalized with a downgraded version of the service. Some frameworks already strengthen choice – in those cases, we advocate for their robust enforcement.
Across jurisdictions, choice can be strengthened by ensuring that preferences explicitly expressed (e.g. settings selected, feedback signals, customization choices made, survey responses) are respected and “sticky”, so do not get reset without being explicitly requested by the user. Interoperability mandates should let people integrate third-party content moderation systems or recommendation algorithms that better match their preferences and help them break out of the walled gardens of a few dominant companies. Parental controls are another important lever to operationalize user controls: Providers should deploy easy-to-use and effective parental controls that allow families to tailor online experiences to their preferences, across platforms.
We appreciate that this is a long list of complex policy recommendations which are also impacted by broader (geo)political developments. The fact remains that current age assurance approaches are not a silver bullet, and will create more, rather than solve, problems in the long term.
Where policymakers consider age signals as necessary to ensure age-appropriate online experiences, we believe that there are technical approaches better suited to balance users’ rights than those currently pursued. We will explore these developments and approaches in the second part of this series.
The post Beyond technical fixes: Protecting kids online without breaking the internet appeared first on Open Policy & Advocacy.














































































































