Online safety: the age-verification era begins

The entry into force of the new AGCOM rules on age verification is only the latest European development regarding the protection of minors online. Driven by the Digital Services Act, access to adult content has become subject to increasingly strict regulations, requiring advanced technological solutions capable of certifying users’ legal age without compromising their anonymity. In essence, old self-declaration systems must give way to secure “digital barriers” that respect user privacy.

Age verification for websites: the new rules in Italy

Starting from last October, websites distributing adult content in Italy are required to adopt "age assurance" systems. In other words, they must be able to verify the age of users requesting access to pornographic content, gambling-related material, or content promoting violent practices.

The new rules, approved with AGCOM Resolution 96/25/CONS of April 8, 2025, implement Law 159/2023, the so-called “Caivano Decree”, which in Article 13-bis introduces specific provisions regarding minors’ access to pornographic content online.

“Website operators and video-sharing platform providers that distribute pornographic images and videos in Italy,” reads paragraph 2, “are required to verify users’ legal age in order to prevent access to pornographic content by individuals under eighteen years of age.”

By October 2025, therefore, operators and platforms must implement effective age-verification systems compliant with the rules set out in AGCOM’s specific measure — with AGCOM also responsible for monitoring compliance and challenging any violations, punishable by fines ranging from €10,000 to €250,000.

AGCOM: age verification and personal data protection

AGCOM Resolution 96/25/CONS establishes the technical characteristics of the age-verification systems required for the distribution of pornographic web content in Italy. 

These systems must first and foremost be GDPR-compliant, meaning they must respect the data-minimization principle (Art. 5 GDPR) and the principles of data protection by design and by default (Art. 25 GDPR).

This means that age-verification systems must not carry out any profiling of users and “must not allow the involved parties to collect the identity, age, date of birth, or other personal information of users.”

The protection of personal data, as stated in Annex A, is achieved through the “compartmentalization of actors, namely between the user, the content provider, and the entity certifying legal age.” Consequently, websites and video-sharing platforms distributing pornographic content in Italy must rely on third parties — legally and technically independent from the content provider — for age assurance and verification services.

Age verification: methods excluded by the AGCOM Resolution

According to the new rules established by AGCOM, it is necessary to abandon certain methods previously used for age verification, including:

• Self-declaration via checkbox;
• Entering the date of birth;
• Age estimation via email or social media activity, which are not necessarily linked to the user;
• Uploading an identity document to the content provider’s website;
• Checks based on credit cards and mobile devices, which may however be used as secondary controls;
• Accessing the website via SPID or CIE.

The age-verification system must, in fact, comply with the principle of double anonymity: on the one hand, the website must not be able to access the user’s personal data nor recognize a user who has already used the system; on the other hand, the provider of age assurance services must not be able to trace the content requested by the user.

How does AGCOM age verification work?

As specified by the Authority, each session must undergo age verification: to prevent pornographic content from being viewed without further checks (for example on a device shared by an adult and a minor), age verification must be repeated whenever the user exits the service or “after a period of 45 minutes of

actual inactivity.”

To be effective and not hinder access to web content, age-assurance systems must be “easy to use and based on the abilities and characteristics of minors.” For the same reason, users should be offered the possibility to choose between different systems. 

AGCOM also provides an example of the verification process, summarized as follows:

• When the user requests access to certain content, the website or platform asks them to verify their age by sending a file or request string that contains no reference to the website;
• The user asks the third party, which knows their identity but not the website or service being consulted, to provide proof of age — a sort of anonymous certification containing only proof of age and delivered to the user via an identification app or other software systems;
• The user sends the proof of age to the website they wish to access, which must verify the validity of the submitted object and carry out the relevant checks;
• The platform grants access to the content.

As specified in the AGCOM Resolution, very large online platforms under the Digital Services Act (with at least 45 million monthly active users in the European Union) that require user authentication to access online services must also accept the use of the EU digital wallet upon the user’s request.

Age verification: the situation in Europe

Italy is not the only European country to introduce age-verification systems to prevent minors from accessing adult-only content.

In Germany, for example, the Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting and in Telemedia — which also applies to websites and platforms — has been in force since 2016. Here, unlike in Italy, users can verify their identity once and use a single passkey to access the same website multiple times. The latest development in Germany concerns sanctions for platforms that violate the rules: starting from December 1, 2025, regulatory authorities may intervene directly in payments directed to web services, blocking them in cases of non-compliance.

In Spain, instead, the law protecting minors from pornographic or violent online content dates back to 2022. It was further strengthened in 2024/2025 with the launch of "Cartera Digital Beta", an app that allows the generation of anonymous age credentials based on the national digital identity.

France approved in 2024 a law granting the national communications authority the power to impose heavy penalties (up to 4% of global turnover) and block access to websites for two years. 

In the United Kingdom, the Online Safety Act of 2025 imposes strict controls also on social platforms distributing pornographic material, but includes methods defined as “weak” by the Italian AGCOM, such as credit-card checks.