For years, a checkbox asking “Are you 18?” was the industry standard for age gating adult content. That approach is finished. Following the Supreme Court’s June 2025 ruling in Free Speech Coalition v. Paxton, which upheld Texas’s mandatory age verification law under intermediate scrutiny, the constitutional debate in the US is settled. In the EU, enforcement under the Digital Services Act is accelerating. States and regulators on both sides of the Atlantic are moving fast, and the trajectory is in one direction.
As of June 2026, more than 25 US states have active age verification laws requiring adult websites to confirm users are of legal age before granting access. Most apply when a “substantial portion” of site content, typically one-third or more, is sexually explicit. What counts as compliant verification varies by state: government-issued ID, digitised ID cards, transactional data (mortgage, employment, credit records), and in some states, at least one privacy-preserving anonymous option. Florida requires an anonymous path. Ohio requires periodic re-verification. Tennessee resets verification every 60 minutes. North Dakota has shifted responsibility upstream to device manufacturers and app stores entirely.
The patchwork nature of these laws is itself the problem. A platform serving US traffic is simultaneously subject to over two dozen different regulatory frameworks, each with its own threshold, method, data retention rule, and enforcement mechanism.
The EU Picture
The EU’s approach runs on a different architecture but is converging on the same outcome. The Digital Services Act (DSA), fully in force since 2024, requires all online platforms accessible to minors to implement appropriate and proportionate measures to protect them. The European Commission’s July 2025 guidelines under Article 28 made the practical implication explicit: self-declaration is insufficient for high-risk content such as pornography. ID-grade verification is expected.
Enforcement is no longer theoretical. In March 2026, the Commission issued preliminary findings against Pornhub, Stripchat, XNXX, and XVideos for failing to take adequate measures to protect minors, the clearest signal yet that adult platforms face DSA liability regardless of their size or jurisdictional registration. Non-compliance can attract fines of up to 6% of global annual turnover.
At the member state level, the picture is uneven but tightening. France operates one of the strictest frameworks: verification must be handled by an independent third party, sites cannot process age checks themselves, and user identity cannot be linked to browsing activity. Germany requires certified verification under its JMStV framework, with identity-level assurance and liveness checks. The UK, outside the EU but aligned in direction, enforced mandatory age checks under the Online Safety Act in mid-2025.
The EU’s longer-term solution is structural. The Commission released an age verification blueprint in July 2025, described as a “mini-wallet” built on the same specifications as the forthcoming EU Digital Identity Wallets, and declared it feature-ready in April 2026. Member states are expected to roll out compatible national implementations by end of 2026. The design principle is privacy-first: a token confirming a user is 18+ without transmitting any other personal information. For adult merchants operating across the EU, this is ultimately the destination, though the practical infrastructure is still being deployed.
What This Means for Your Merchant Account
Age verification was already an informal acquirer expectation before the legislative wave. Visa and Mastercard both require adult merchants to demonstrate that depicted performers are adults, and Mastercard has mandated government-ID verification for content uploaders since 2021. But state and regulatory laws have raised the stakes considerably by creating civil liability and, in some jurisdictions, criminal exposure for non-compliance.
Acquirers underwriting adult merchants now treat age verification infrastructure as a hard requirement, not a best practice. During onboarding, expect to document exactly which verification method you use, which vendor supplies it, how records are stored and for how long, and how you handle jurisdictional variations. A site that geo-blocks non-compliant states rather than verifying will face questions about whether the blocking is technically robust.
The connection to payment risk is direct. Verified users dispute less. A properly gated checkout reduces the privacy-driven chargebacks that have historically plagued adult subscriptions, where customers dispute charges not because the transaction was fraudulent, but because they don’t want it appearing on a bank statement. Under Visa’s VAMP program, which now treats fraud and dispute ratios as a unified metric, those disputes are a direct threat to processing access. Compliance and chargeback management are no longer separate conversations.
What Compliant Looks Like in Practice
There is no single globally-mandated standard, which means merchants serving both US and EU markets need to build to the strictest applicable requirement in each jurisdiction. The practical baseline emerging from the current landscape: ID verification through a third-party vendor capable of checking government-issued documents, with an anonymous or privacy-preserving option available where required, no long-term retention of raw identity data, and a documented data deletion process.
Several vendors have established traction specifically in the adult space. AgeChecked stands out as the most specialist option, active in age verification exclusively since 2014, UK government-approved, and built with the adult industry in mind from the start. Unlike general-purpose identity platforms that treat adult content as one vertical among many, AgeChecked offers direct expertise on how verification interacts with recurring billing, multi-site network deployments, and the specific compliance pressures adult merchants face. Yoti is the most widely deployed option in the UK and EU markets, used by OnlyFans, BongaCams, and several major tube platforms. It offers both document-based checks and a document-free facial age estimation option that satisfies the anonymous verification requirements in states like Florida. AgeID, operated by Aylo (formerly MindGeek), uses a single sign-on model allowing a verified identity to carry across any participating site, reducing per-session friction for returning users. Veriff covers 12,500+ document types across 230+ countries and uses a tiered “waterfall” approach, starting with low-friction database checks before stepping up to document verification only when needed. Sumsub offers a broader KYC/AML stack alongside age verification, useful for merchants who need to satisfy both user-facing compliance and acquirer due-diligence requirements under a single integration.
Per-verification pricing is the most common model, and costs vary by provider and volume. Conversion impact is real: sites in early-implementing states and in France reported measurable traffic declines when verification went live. The calculation for most merchants is not whether to absorb that friction, but how to minimise it through UX design while remaining compliant.
The shift toward device-level and app-store-level age signals, already law in North Dakota, baked into California’s Digital Age Assurance Act effective 2027, and underpinning the EU’s own wallet rollout, suggests the long-term trajectory moves verification upstream and away from individual websites. That may reduce per-site compliance burden eventually. For now, the obligation sits squarely with the merchant.
The bottom line: Age verification is no longer a legal nicety. It is a condition of maintaining a merchant account, managing chargeback exposure, and operating across the majority of the US market and the EU. Merchants who treat it as a checkbox are carrying acquirer risk, legal risk, and chargeback risk simultaneously, across multiple jurisdictions.
