Apple Rolls Out Age-Verification Tools Worldwide to Comply With Growing Web of Child Safety Laws

Apple is expanding its age assurance tooling as countries layer on more child safety laws. The key piece is an updated Declare Age Range API. Developers can ask the operating system for a user’s age category, like under 13 or 16 to 17, without getting access to their exact date of birth or other personal data.

In places like Australia, Brazil, and Singapore, Apple will also block downloads of 18+ apps until a user confirms they are an adult. The App Store handles that confirmation step. On top of that, family settings allow parents to configure devices for minors so that age appropriate restrictions are enforced at the OS level.

I actually think this is closer to the right direction than what a lot of lawmakers are proposing. The moment you push age verification out to every app and every website, you create a massive new data collection problem. Every small developer becomes a potential honeypot for government IDs, biometric scans, and date of birth databases.

Apple is at least trying to centralize the signal. The app asks the device, the device returns an age range and no raw identity data changes hands.

The practice is where it gets complicated.

Put The Responsibility on the Device

If we are serious about enforcing age restrictions, I think the responsibility should sit with the device provider.

When someone buys a phone, that is the moment the device becomes an underage or overage device. If it is being purchased for a minor, that device should be configured accordingly. From that point on, the operating system enforces what apps can be downloaded and what services can be accessed.

I don’t want every random website to ask me for my government ID. They are going to screw it up, lose it and/or leak it. They should not have to know who I am in the first place.

There is also a real safety dimension here. Imagine you are a closeted queer person in a hostile environment, or you are trans and looking for community, or you live in a country where speaking out against the regime can get you in serious trouble. The ability to seek information and community online without tying your activity to a government ID is not some abstract privacy principle, it’s a safety requirement.

If age verification turns into identity verification, we are going to put vulnerable people at risk.

So if we are going to enforce age gates, let the device say, “this is an underage device” or “this is an adult device.” Let apps query that status. Do not build a system where every website has to run a face scan or collect a passport.

Is my proposal perfect? No. There will be holes. Kids will try to work around it. Shared devices complicate everything. But it’s still better than creating a distributed surveillance infrastructure across the entire web.

Where Apple’s Approach Helps and Where it Falls Short

Apple’s Declare Age Range API is at least aligned with the device centric model. Parents can set age ranges through family controls. Developers can get a signal without collecting sensitive personal data. That is good, but here is the problem: A lot of these laws are written in a way that puts the burden squarely on the app or website. If the law says the service must verify age, is relying on a device level API enough? What happens when the user does not share the age range? What happens when the device cannot infer age from account history, payment methods, or family settings?

At the bottom of that pile, companies tend to fall back to the heavy tools. Government ID upload, credit card checks, AI face estimation. We have already seen this play out. And once that infrastructure exists, it rarely stays narrowly scoped.

There is also the global fragmentation issue. Australia bans social media for under 16. Other countries focus on 18+ content. Others impose different consent requirements. Developers operating worldwide now have to juggle inconsistent regimes, and a device level API does not magically harmonize the law.

Still, if I have to choose between two flawed systems, I would rather see age enforcement anchored at the device layer than sprayed across thousands of websites.

The internet does not need a universal ID checkpoint at every door. If we are going to build gates, the least bad place to put them is the one layer that already mediates everything we do online: the device in our pocket.