EU Finds Meta in Breach of DSA: Instagram and Facebook Fail to Keep Children Under 13 Off Platforms

The European Commission issued preliminary findings on April 29, 2026 that Meta is in breach of the Digital Services Act (DSA) for failing to prevent children under 13 from accessing Instagram and Facebook. The Commission's investigation found that Meta's age-verification systems are trivially easy to circumvent: any child can create or maintain an account simply by entering a false date of birth, with no effective mechanism to confirm accuracy. The findings mark the first major DSA enforcement action targeting child safety on a major social platform - and the mechanism proposed to fix the problem has significant implications for the privacy of all users.

What the European Commission Found

The Commission's preliminary findings state that Meta has failed to diligently identify, assess, and mitigate the systemic risks that Instagram and Facebook pose to minors. Approximately 10 to 12 percent of children under 13 are currently using these platforms, contradicting Meta's own internal assessments. The Commission also found that Meta "disregarded readily available scientific evidence" indicating that younger children are particularly vulnerable to harms from algorithmically curated social feeds - including addiction mechanisms, exposure to harmful content, and contact risks from adults.

Beyond the age bypass problem, the Commission flagged Meta's reporting tool for underage accounts as "difficult to use," requiring up to seven clicks to access the form. This creates a practical barrier for parents, schools, and other adults who might otherwise report accounts belonging to children - and the Commission found that Meta provides no adequate follow-up on those reports, meaning flagged underage accounts frequently remain active on the platform. The Commission's preliminary conclusion is that Meta has not deployed proportionate or effective safeguards, despite the DSA's explicit requirements.

How Children Bypass the Age Check

The core technical finding is straightforward: Meta's platforms ask users to enter a date of birth at account creation, but they do not verify that the entered date is accurate. A child who enters a birthdate indicating they are 16 or 18 years old encounters no further challenge. There is no document check, no third-party verification service, and no cross-referencing with any identity database. The age gate is, in practice, a text field that can be bypassed by typing any number.

This gap between nominal policy and technical enforcement is precisely what the DSA targets. Article 28 of the DSA requires very large online platforms to implement age assurance measures proportionate to the identified risk. The Commission's preliminary position is that a self-declared date of birth with no verification does not meet this standard for a platform that has identified child safety as a systemic risk.

Consequences: Up to 6% of Global Revenue

Meta now has the right to respond to the preliminary findings before the Commission issues a final decision. If the findings are confirmed, the Commission can impose a fine of up to 6 percent of Meta's total worldwide annual turnover. Based on Meta's 2025 revenue, that would represent a potential penalty of around $12 billion. The Commission can also impose periodic penalty payments to compel compliance, and in cases of repeated or serious infringement, can order temporary access restrictions.

Meta has publicly disagreed with the Commission's findings and stated it will share details of additional measures being rolled out. The company has previously implemented changes including age verification prompts in some markets and parental supervision tools - but the Commission's preliminary assessment is that these measures fall short of the DSA's requirements across the EU.

The Privacy Consequence: Mandatory Age Verification for Everyone

The policy trajectory flowing from this enforcement action is clear: if self-declared dates of birth are insufficient under the DSA, Meta will need to implement a form of age assurance that actually works. The options available are limited. Effective age verification requires either a document check (passport, national ID card, or driving license), a biometric age estimation system, or integration with a third-party identity verification service. All three approaches require collecting sensitive personal data from users - not just those who are under 13, but from every user who needs to prove they are over the age threshold.

This is the same structural problem identified in the UK's age verification regime for adult content sites, Australia's age verification legislation, and the US Parents Decide Act (H.R. 8250): to protect minors, regulators are building verification infrastructure that collects identity data from everyone. The child safety goal is legitimate, but the mechanism creates a database linking real identities to social media accounts across the entire EU user base.

What This Means for VPN Users

A VPN masks your IP address and encrypts your network traffic, providing strong protection against ISP-level surveillance and network-based tracking - and it remains an essential tool for hiding your geolocation, encrypting data on public networks, and shielding your activity from your ISP. But age verification operates at the account layer, above the network entirely. If Meta is required to implement document-based age verification for EU users, your VPN cannot prevent that verification from occurring. The moment you submit an identity document or connect to a third-party age verification service, that data exists independently of which network or IP address you use to do so.

The broader concern for privacy-conscious users is the normalization of identity verification as a prerequisite for accessing online platforms. Each enforcement action - EU DSA, UK age verification, Australian legislation, US H.R. 8250 - expands the perimeter where real identity must be disclosed. VPNs remain effective against network-layer surveillance, but they do not address account-layer identity requirements. As age verification infrastructure matures, the boundary between "internet access" and "verified internet access" is narrowing.

Related Coverage on vpnlab.io

Earlier coverage of age verification legislation and its privacy implications:

• Parents Decide Act: Every Phone and Computer Must Collect Your Birthdate Under H.R. 8250 - the US bill that would move age verification to the OS level, below the network stack entirely.
• EU Age Verification App Hacked in 2 Minutes - Durov Warns of Surveillance Risk - what happens when the verification infrastructure itself becomes an attack surface.
• After the UK's Age Checks on Adult Sites, VPN Usage Skyrockets - the documented privacy response when mandatory age verification reaches end users.

Conclusion