There is still no single federal law requiring age verification for general online access in the United States. What exists instead, as of mid-2026, is a fast-growing patchwork: Texas, Louisiana, Utah, Virginia, Arkansas, Tennessee, Florida, New York, and others have passed age-check laws for social media, adult content, gaming, or app distribution — each with its own scope, threshold, and enforcement posture. Some are fully in force. Some are tied up in First Amendment litigation. One has already been upheld by the U.S. Supreme Court. If you run a platform, forum, store, or community with US users, "wait for Washington" is no longer a compliance strategy — but neither is building fifty bespoke gates.
No federal blanket law does not mean no federal exposure
COPPA still applies to services directed at children under 13, and the FTC's 2026 COPPA Policy Statement signals enforcement discretion in favour of age verification technologies that are accurate, secure, clearly disclosed, and data-minimal. A sloppy age gate that hoards identity documents can create federal privacy exposure even in states with no age-check statute at all. See the FTC COPPA 2026 policy breakdown.
Quick answer
- Who must comply: Platforms serving users in states with social-media, adult-content, gaming, or app-store age laws — Texas, Louisiana, Utah, Virginia, Arkansas, Tennessee, Florida, New York, and a growing list.
- What's federal: No blanket law. COPPA (under-13) plus the FTC's 2026 posture favouring accurate, secure, data-minimal verification.
- Court status: Mixed. Texas HB 1181 upheld by SCOTUS in June 2025; Virginia temporarily blocked in 2026 on First Amendment grounds; more litigation pending.
- The trap: Per-state checkbox pages, or document KYC that turns your database into a PII vault under CCPA and state privacy laws.
- Recommended approach: One integration with configurable thresholds per state (13+/16+/18+/21+), privacy-first tokens, and minimal data retention.
- How AgeOnce helps: Single API or WordPress plugin; signed age tokens and an Audit ID; no ID storage on your servers. Run the live demo.
No federal blanket law — and why that makes compliance harder, not easier
In the EU, platforms can at least plan around one instrument (the DSA) and one technical blueprint. In the US, the absence of a federal age-verification statute means the action happens in state legislatures and state attorney general offices, each moving at its own speed and defining "minor," "covered platform," and "reasonable verification" differently.
Two federal anchors still matter:
- COPPA governs services directed at children under 13 and imposes parental-consent and data-handling duties — unchanged in scope, newly energetic in enforcement.
- The FTC's 2026 COPPA Policy Statement effectively grades age-verification technology. Tools that are accurate, secure, give clear notice, and minimise retention are treated favourably; tools that quietly accumulate identity data are not. That posture rewards the same architecture most state laws are converging on: prove the threshold, keep almost nothing.
The practical consequence: you cannot copy one state's rulebook nationwide, but you can standardise on one verification architecture that satisfies the strictest common denominator — effective assurance, configurable thresholds, minimal retention.
The state patchwork at a glance
The table below summarises where the major state regimes stand as of mid-2026. Treat it as a map, not legal advice: several of these laws are in active litigation, and status can change with a single ruling.
| State | Primary focus | Status in 2026 | Typical threshold |
|---|---|---|---|
Texas | Harmful sexual content (HB 1181) | Active; SCOTUS upheld June 2025 | 18+ before access |
Louisiana | Adult content publishers | Active | 18+ verification required |
Utah | Social media accounts for minors | Active with litigation risk | Parental consent / age assurance |
Virginia | Social media for minors | Temporarily blocked in 2026 (First Amendment) | Was 13+ parental flow; status pending |
Arkansas | Social media age assurance | Passed; enforcement varies | ID-based assurance debated |
Tennessee | Adult content access | Active | 18+ verification |
New York | SAFE for Kids (addictive feeds, minors under 18) | Rulemaking; effective after AG rules + 180 days | 18+ or parental consent for minors |
California | AADC; app store / OS age APIs | Partial enforcement from March 2026; more in 2027 | Child-likely services: estimation or child defaults |
Colorado | App store age verification APIs | Targeting 2027 implementation | Platform-level age signals |
Florida | Social media for minors | Active with court challenges | Parental consent models |
US state age verification is a patchwork. Confirm scope for your product category and monitor court decisions before relying on a single rule set nationwide.
Three patterns are worth reading out of that table. First, adult-content laws are the most battle-tested — Texas survived the Supreme Court. Second, social-media-minor laws are the most litigated — Virginia is blocked, Utah and Florida face challenges. Third, the newest wave targets infrastructure, with California and Colorado pushing age responsibilities toward app stores and operating systems on 2027 timelines.
Three lanes of state regulation
Grouping the statutes by target makes the patchwork legible. Almost every US age law falls into one of three lanes.
Lane 1: Social media and minors
Utah, Arkansas, Florida, and Virginia went after social media accounts for users under 18, typically requiring age assurance plus parental consent for minors. New York's SAFE for Kids Act is narrower and, arguably, smarter: it targets addictive algorithmic feeds and nighttime notifications served to minors, with AG-enforced penalties of up to $5,000 per violation once rulemaking completes. If your product has a feed, ranking algorithm, or push-notification layer, this is your lane — covered in depth in our NY SAFE, Texas, and California guide. Community platforms should also review the forums use case, since UGC communities with minor-accessible registration increasingly resemble "social media" in statutory definitions.
Lane 2: Adult content publishers
Texas HB 1181, Louisiana, and Tennessee require commercial publishers of sexual material harmful to minors to verify that visitors are 18+ before access. This is the lane with the clearest legal footing after June 2025 (more on that below) and the steepest per-day penalties — Texas allows up to $10,000 per day for missing verification and up to $250,000 where a minor accesses covered material. Notably, several of these statutes prohibit the verifier from retaining identifying information, which is a legislative push toward third-party, data-minimal providers rather than merchant-side ID collection.
Lane 3: Design codes and platform-level age signals
California's Age-Appropriate Design Code (AADC) took partial effect after the Ninth Circuit narrowed its injunction in March 2026: covered businesses whose services are likely to be accessed by children under 18 must estimate age (or apply child-level protections to everyone) and may not reuse age-estimation data for other purposes. Meanwhile, California and Colorado are advancing rules that push age verification duties to app stores and OS-level age APIs, with implementation targeting 2027. Even if platform-level signals eventually carry some of the load, web operators will still need their own gates for browser traffic — app-store APIs do not cover your website, your WooCommerce checkout, or your gaming community.
$10,000/day
Maximum Texas HB 1181 penalty for operating without required age verification, plus up to $250,000 if a minor accesses covered material
Court challenges: Virginia blocked, Texas upheld
The litigation picture is genuinely mixed, and any compliance plan should be built to survive rulings in both directions.
On one side, a federal court temporarily blocked Virginia's law in 2026, citing First Amendment concerns about burdening adults' access to lawful speech. Similar challenges are pending against social-media-minor laws in other states, and some may be narrowed or struck down.
On the other side, the U.S. Supreme Court upheld Texas HB 1181 in June 2025, holding that age verification requirements can survive constitutional scrutiny when they are narrowly targeted at content that is harmful to minors. That ruling is the single most important data point in US age-gate law: it establishes that well-scoped age checks are constitutionally viable, and it has emboldened legislatures in both red and blue states.
Betting your compliance posture on courts striking down every state age law is a losing strategy after June 2025. Betting your users' identity documents on every law surviving is a losing strategy too. The architecture that wins either way keeps proof strong and data small.
Where the hedging belongs
Court status changes fast. Virginia's block is preliminary, not final; other injunctions may be granted or dissolved on appeal. The defensible operator posture is to comply with laws currently in force, monitor stayed ones, and keep your data handling clean enough that no outcome strands you with a retention problem.
One integration for a fifty-state problem
If you serve users in multiple states, the wrong answer is fifty flows. The right answer is one verification integration with configurable policy:
- Threshold per surface and jurisdiction. The same integration should enforce 18+ on adult content, 21+ on restricted SKUs, and 16+ or parental flows where a social-media-minor law applies — driven by configuration, not code forks.
- Method that regulators treat as effective. Self-declared birth years fail every statute in the table above. ID + liveness, accredited digital ID, or validated estimation (where a statute permits it) are what "commercially reasonable" now means.
- Retention that survives any court outcome. If a state law you complied with is later struck down, you do not want to explain to a CCPA plaintiff why you are still holding a vault of driver's licences collected under it.
The conversion stakes are real. Industry UX benchmarks commonly cite 40–60% registration abandonment when document upload is required at sign-up. A gate that satisfies the Texas AG but halves your funnel is not a win — which is why the first full verification should happen once, and returning users should get a lightweight reverification that feels like unlocking a phone.
40–60%
Typical registration abandonment when document upload is required at sign-up (industry UX benchmarks)
Privacy-first tokens, not ID vaults
Your platform does not need names, document numbers, or selfie files. It needs a reliable, provable answer: is this user above the required threshold?
The privacy-first pattern — the same one the FTC's 2026 posture rewards and Texas-style retention bans effectively mandate — works like this:
- The user completes photo ID matching + liveness in the browser, once, with the verification provider.
- The provider derives the threshold and returns a signed outcome (for example
18+ verified) plus an Audit ID to your application. - No ID images, document numbers, or biometric archives touch your database. If a regulator asks, the Audit ID proves the check happened; if an attacker breaches you, there is no document vault to steal.
That is the core argument in why tokens beat ID galleries: compliance and breach risk are not a trade-off when the architecture is right.
CCPA and multi-state privacy exposure
Holding only a verification outcome, timestamp, and audit reference dramatically shrinks what a database leak exposes — which matters for breach notification duties, vendor security reviews, and class-action exposure under CCPA and the growing set of state privacy laws.
At AgeOnce your application receives only an age threshold and an Audit ID — not names, document images, or biometric archives.
See how we do itHow verification options compare
| Traditional document KYC (Onfido, Jumio-class) | Wallet / age-estimation only | AgeOnce | |
|---|---|---|---|
| First-time UX | Full ID scan + selfie on every new site | App download or selfie-only (varies by risk) | In-browser ID + liveness once |
| Return / second site | Often full ID again | Depends on wallet adoption | In-browser face reverification |
| Data on your server | Risk of storing vendor payloads if misconfigured | Wallet or vendor may hold attributes | Signed threshold + Audit ID only |
| CCPA / breach exposure | High if IDs are retained locally | Lower if vendor handles storage | Low — no document gallery on your side |
| WordPress / SMB fit | Poor without enterprise budget | Mixed — user must adopt extra apps | Plugin or API in hours, not months |
| NY SAFE / TX HB 1181 / CA AADC | Can work if methods are effective and data-minimal | Varies — estimation alone may not meet all gates | ID + liveness first; reverification with fresh audit trail |
How verification approaches compare for US-facing registration, communities, and restricted commerce.
Enterprise document-KYC suites and government wallet apps remain the right tools for AML programmes and accredited identity schemes. For web age gates across a state patchwork, the requirements are different: defensible assurance, per-state configurability, minimal PII, and a flow adults will actually complete.
Integration paths: API for custom stacks, plugin for WordPress
| Integration path | Best for |
|---|---|
Next.js, React, Node.js, Python, headless SaaS, mobile apps — redirect, callback, signed token + Audit ID | |
bbPress, BuddyBoss, membership sites, vape/alcohol checkout — install, configure gates, no custom ID storage |
Custom SaaS and modern frameworks
The AgeOnce API uses an OAuth-style redirect: send the user to verify, receive an authorization code on callback, exchange it server-side for a signed token and Audit ID, and gate routes on the token. For a Next.js, React, Node, or Python backend, the work is a redirect URL, a callback handler, token validation, and a session flag — often a day or less. The API vs plugin comparison covers when each path fits.
WordPress and WooCommerce
A large share of US small-business sites — vape and alcohol stores, supplement shops, hobby forums, membership communities — run on WordPress. State laws do not carve them out. The AgeOnce plugin enforces gates at WooCommerce checkout, forum registration, or member-area access with per-threshold rules and no ID storage on your server. Setup, OAuth credentials, and checkout rules live on the WordPress age verification page.
WordPress age gates in under 3 minutes
Install the AgeOnce plugin, connect OAuth, and gate WooCommerce checkout or forum registration — no ID storage on your server.
How ready is your platform? A 2-minute self-assessment
Reading about statutes is one thing; knowing which gaps apply to your stack is another. Check off what you already have in place below — based on your score, you will get an honest readiness verdict and the single most useful next step, whether that is fixing verification methods, closing configuration gaps, or validating an already-solid setup.
Where does your platform stand?
Check what you already have in place. You will get a readiness assessment and the most useful next step for your situation. Progress is saved in this browser.
Next step: one integration, every state
The US patchwork will keep shifting — new statutes, new injunctions, new appellate rulings. What should not shift is your architecture: effective verification, configurable thresholds, signed tokens instead of ID vaults, and an audit trail that satisfies whichever AG comes asking.
Run the live demo — ID + liveness once, then in-browser reverification on return, with per-state thresholds from one integration. Compare volume tiers on pricing. On WordPress or WooCommerce? Start from the WordPress age verification setup page and gate checkout or registration today.
Frequently asked questions
No general federal age verification law covers all online access. COPPA applies to services aimed at children under 13, and the FTC's 2026 COPPA Policy Statement favours accurate, secure, data-minimal age verification technologies. Several states have passed their own laws for social media, gaming, or adult content.
Texas, Louisiana, Utah, Virginia, Arkansas, Tennessee, Florida, and New York have passed age verification laws, though scope and court status vary. California's AADC is partially in force from March 2026; California and Colorado are advancing app-store and OS-level age API rules targeting 2027.
Mixed. Virginia's social-media law was temporarily blocked in 2026 on First Amendment grounds. Texas HB 1181 was upheld by the Supreme Court in June 2025. Louisiana and Tennessee adult-content laws remain active. Expect more litigation on social-media-minor statutes.
The FTC's 2026 COPPA Policy Statement says it will use enforcement discretion for age verification technologies that are accurate, secure, provide clear notice, and minimise data retention. Well-designed privacy-first tools are less likely to be targeted.
Self-declared birth years are insufficient where statutes require effective assurance. Regulators and courts accept photo ID matching with liveness, accredited digital identity, and validated age estimation where a statute permits it. Several adult-content laws also prohibit verifiers from retaining identifying information from the check.
Comply with laws currently in force in states you serve, monitor stayed or blocked statutes, and keep data handling minimal so any outcome does not leave you with an ID vault. One integration with configurable thresholds per state or product surface is more resilient than rebuilding flows per ruling.



