EU Eyes Age-13 Social Media Floor to Shield Children Online
European Commission President Ursula von der Leyen is pushing for an EU-wide mandate that would set a minimum age of 13 for creating social media accounts, framing the initiative as a response to mounting evidence that unsupervised platform use is fueling addiction, mental health crises, and exposure to harmful content among minors. Speaking to the Financial Times and in a separate statement over the weekend, von der Leyen argued that while parents retain authority over when children receive their first smartphones, regulators must impose a harmonized "start date" for social media access. Once children reach 13, platforms would need to demonstrate that their services are "age-appropriate and safe for teenagers" before granting full access, a verification burden she likened to seatbelt and airbag requirements for automakers. The policy reflects data showing European children now spend an average of four to six hours per day in front of screens, a figure von der Leyen translated into "twenty years of their life."
The proposal lands amid intensifying pressure from EU member states. France, Spain, and Greece have already enacted or are fast-tracking domestic legislation that in some cases pushes the floor to age 15, creating a patchwork that tech firms argue is difficult to operationalize. Critics note that most major platforms already stipulate a minimum age of 12 in their terms of service, yet these self-imposed limits have proven trivially easy to circumvent, since account creation typically requires only a date-of-entry field or a passive checkbox. Effective enforcement would likely demand robust age-verification infrastructure, ranging from government-issued digital ID checks to biometric authentication, all of which carry their own data-protection risks under the General Data Protection Regulation (GDPR). Parents concerned about how platforms currently track their children's devices can run a browser fingerprint test to see exactly what identifiers their browser leaks to every site visited.
Privacy advocates have cautioned that any age-gating regime risks creating centralized databases of minors' identities, potentially a more attractive target for threat actors than the platforms themselves. Storing proof-of-age credentials at scale invites the same data-breach exposure that has plagued adult-facing services, and child-specific datasets would be especially high-value on criminal markets. Von der Leyen acknowledged these tensions indirectly, noting that the Commission would evaluate "the proof given by the platforms" without specifying whether identity attestation would be handled by governments, third-party verifiers, or the platforms themselves. Security researchers have also flagged that under-13 users, when barred from mainstream platforms, frequently migrate to less moderated alternatives, where exposure to phishing campaigns, malware-laden downloads, and social-engineering attacks tends to be significantly higher. Users can verify whether credentials associated with their accounts have already appeared in known breaches using an email breach checker, a precaution increasingly relevant for households where multiple generations share devices.
Whether the age-13 threshold will satisfy member-state governments demanding stricter limits remains unclear, and the Commission has yet to publish a legislative timeline or specify penalties for non-compliant platforms. What is evident is that the EU is positioning child safety as a competitive regulatory lever, one that could force global platforms to redesign onboarding flows, deploy stronger privacy checkup mechanisms, and accept new liability for harms caused to minors. "The status quo, a world where we continue to allow big tech unrestricted access to our children, will only consign another generation to more mental harm, addiction and misery," von der Leyen said. For cybersecurity professionals, the proposal signals a coming wave of compliance work around age assurance, identity verification, and consent management, all on top of existing GDPR, Digital Services Act, and AI Act obligations already reshaping the European digital landscape.