A study published in the BMJ on 24 June 2026 looked at what actually happened to Australian teenagers in the three months after the Social Media Minimum Age Act came into force in December 2025. The headline conclusion has been widely reported as proof that age restrictions “don’t work”. A closer read of the data tells a different story: age assurance barely got switched on, so the impact of Act has not yet properly tested.
The headline findings
Researchers from the University of Newcastle, New South Wales, and partner institutions surveyed 436 adolescents aged 12 to under 17 before the Act took effect and followed up with 408 of them three months later. The study compared those just under and just over the new 16 year threshold.
The results were stark. More than 85% of participants under 16 were still using restricted platforms at follow-up, mostly through their own accounts. But only 66% of those users reported encountering any step defined very broadly in the study as “age verification” at all – and many of those steps would not meet the definition of age assurance. There was no statistically significant change in daily social media use at the 16 year cut-off (P≥0.60), and the authors found ‘limited implementation, incomplete compliance, and substantial “circumvention”‘ – again a term defined very broadly – rather than evidence that age assurance itself is ineffective.
In other words, the study measured a policy that platforms had barely started to enforce. Exposure to any “age assurance measure” was reported by at most 39% of under-16s across the platforms covered by the Act – and these appear to include self-declaration or a request for parental permission which are not age assurance measures. Indeed, the Reasonable Steps guidance specifically warns that “Implementation that relies entirely on self-declaration to determine the age of existing or prospective account holders…” “would not constitute reasonable steps as their effect would be inconsistent with the objectives of the SMMA.”
What was actually used, and what counts as age assurance
The most common “age verification” methods reported by teenagers were a self-declared age (24-39%) – explicitly not sufficient under the guidance – and uploading a selfie (13-27%). Stronger methods such as ID documents, ID numbers, bank card checks or third party verification apps were used far less often.
This matters because not all of these methods are age assurance technology in any meaningful sense. A checkbox asking “how old are you” involves no technology and no independent confirmation at all.
| Reported verification method | Share of under-16s reporting it | Genuine age assurance technology? |
|---|---|---|
| Self-declared age | 24-39% | No. Pure self-attestation, easily falsified |
| Selfie or picture upload | 13-27% | Yes, if applied with a buffer age sufficient to deliver sufficient accuracy |
| Parental permission | 7-13% | No, this applies parental consent which is not a feature of Australia’s new law. |
| Voice recording | 3-8% | Yes, if applied with a buffer age sufficient to deliver sufficient accuracy |
| Photo of official ID | 5-16% | Yes, if applied with a match to a selfie and liveness testing. |
| Official ID numbers | 4-7% | Yes, if there is an authentication method to confirm the ID belongs to the user |
| Bank card information | 1-5% | Yes, through the use of Open banking for authentication |
| Third party app or program | 2-6% | Yes, presuming this refers to a good quality age assurance provider |
So the most widely reported “check” was, according to the research, not a check at all: platforms are not failing because age assurance does not work, they are failing because most of them are not using it sufficiently.
Circumvention, and the conspicuous absence of VPNs
The study also asked how under-16s got around restrictions when they encountered them. The results are revealing.
| Circumvention method | Share of under-16s reporting it | Bypasses genuine age assurance technology? |
|---|---|---|
| Fake account | 15-19% | No. There was no real check to bypass |
| Someone else’s account | 9-29% | No. This is achieved through collusion which can be mitigated through regular re-checking or biometric authentication |
| Private or incognito browsing | 6-11% | No. Affects browser operations, not age checks |
| VPN or proxy server | 2-3% | No if the social media platforms follow eSafety guidance to look for technical and behavioural indicators that flag likely underage users in Australia |
The pattern is consistent. Where teenagers did get around restrictions, it was almost always by exploiting the absence of a real check, not by defeating one. VPN use, the method most often cited in media coverage as evidence that age checks are pointless, was the rarest circumvention route reported, at just 2-3%, and could be substantially prevented if platforms chose to do so.
Checking the “1000% VPN surge” claim
The paper itself states that “VPN subscriptions surged… in some cases by more than 1000%” following the UK Online Safety Act, citing it as context for why circumvention is a live concern. Tracing that citation back to its source is instructive: it leads to a commercial age verification vendor’s marketing page, which in turn relies on self-reported figures from VPN providers themselves, such as NordVPN’s claimed “1,000% spike in UK subscriptions” and ProtonVPN’s claimed 1,400-1,800% increase.
None of these figures come with an actual subscriber count. A percentage increase on its own tells us nothing. A rise of 1,000% is equally consistent with going from one user in August to eighteen in September as it is with millions of new sign-ups. Without absolute numbers, this is sales talk from companies with a commercial interest in being seen as the answer to age checks, not independent evidence of child circumvention. Ofcom‘s figures put this into perspective, estimating 250,000 additional daily users of VPNs after age verification for pornography and other high risk content was introduced, many of whom would be adults, whose use of a VPN is both legal and immaterial to the effectiveness of a policy aimed at children.
Independent UK research points the other way. Childnet‘s nationally representative survey of 2,018 children, fielded in November 2025, found that the proportion of children who said they had started using a VPN in the previous three months (23%) was statistically consistent with the proportion who said they started a year earlier (21%). In other words, no surge attributable to children at all. Internet Matters‘ Pulse survey of UK children reached the same conclusion, finding VPN use among children had stayed consistent over the past two years, at 7-8% with the most common reasons given being privacy and accessing entertainment content unavailable in the UK, not evading age checks. Both organisations published this after the introduction of highly effective age assurance for primary priority content in August 2025, precisely the period the latest academic paper from Australia could imply would have triggered a children’s VPN boom.
The actual Australian data and the actual UK data agree with each other. They disagree with the marketing claims that the paper repeated without challenge.
What should happen next
The right reading of this study is not that age assurance has failed. It is that age assurance has barely been tried, and where it has been tried in the form of genuine document, biometric, voice or database checks rather than a self-declared tickbox, teenagers are not routinely defeating it with VPNs or other technical workarounds.
Before any further deadlines for compliance with social media age restrictions, whether in Australia, the UK or elsewhere, governments should require rigorous, independent testing of complete age assurance solutions as actually configured for live operation, including in-house and third party tools, against the relevant international standards: ISO/IEC 27566-1 and IEEE 2089.1. That testing should confirm not just that a solution exists on paper but that it delivers statistically expected accuracy in practice, and that privacy and data security measures, including required deletion of personal data once an age check is complete, are properly configured and implemented.
Accuracy thresholds should be written into regulation rather than left to platforms’ own judgement of what counts as “reasonable”. For a novel policy like Australia’s social media minimum age, we have suggested a reasonably effective standard of 90% accuracy as a sensible starting point. Markets where age assurance is already well established, such as the UK, can and should aim higher: a highly effective standard of 95%. Australia should set out a clear path to reach that same 95% benchmark within one to two years, once its market has had time to mature in the way the UK’s already has.
Until accuracy levels are actually measured and required, studies like this one will keep confirming the same thing: not that age assurance doesn’t work, but that it isn’t being used.