StartupXO

Regulation & Policy

The 'Papers, Please' Era — How Age and Identity Mandates Open a New SaaS Market

Published: 2026-06-26

Age verification, Compliance, Identity SaaS, Privacy, Online safety laws

The UK, EU, US, and Australia are mandating age and identity checks one after another, turning ‘show your ID’ into a condition of getting online. In the US alone, at least 19 states have passed minors’ social-media laws and 20-plus have age-verification laws for adult content. Regulation is both a threat and a market — and privacy-preserving age-estimation SaaS is emerging as a new category.

What Happened

Age and identity mandates spread fast over the past year or two. The UK’s Online Safety Act, in force since 2023, moved into phased enforcement; by 2026 Ofcom has investigated more than 90 platforms and issued six fines — £800,000 against the streaming service Kick and £1 million against an adult-site operator. Platforms hosting content harmful to children must deploy “highly effective” age verification, with facial age estimation and certified digital-identity providers among the accepted methods. Australia banned under-16s from social media in December 2025. In the US, at least 19 states have passed laws on minors’ access to social media and more than 20 have enacted age-verification laws for adult content, while the federal Kids Online Safety Act (KOSA) is being reconciled between the Senate and House — the Senate’s stricter S.1748 imposes a “duty of care,” and the FTC could levy civil penalties of more than $50,000 per violation. France, Spain, Greece, Denmark, and Norway are pursuing similar rules. FIRE calls this the “papers, please” era — de facto compulsory identity verification dressed as age protection. The risk is real: weeks before Australia’s ban took effect, a Discord breach exposed government-ID images and hit 68,000 Australian users.

What This Means for Founders

Regulation has two faces. One is cost. Almost any service that shows content to users now has to stand up an age gate, and getting it wrong means fines — a share of revenue in the UK, more than $50,000 per violation under the FTC track in KOSA. The other face is a market. Companies without the resources to build their own verification infrastructure end up buying outside SaaS, and that opens a category. The key phrase is “privacy-preserving age estimation”: analyze a selfie to infer an age range and clear a threshold like 18+ or 25+ without an ID scan or retained PII. Vendors like Didit sell exactly this at $0.10 per check. The EU Commission’s age-verification blueprint enshrines the same principle — verify age status without disclosing identity, so the user’s real identity never reaches the platform. That splits into two openings for founders. First, if you’re the service carrying the compliance burden, data-minimizing design is your differentiator — the moment you collect and store full IDs, you’ve taken on a liability, as the Discord breach showed. Second, if you sell age and identity verification itself, this is the category-forming moment. But because the rules differ state by state and country by country — the US fragments into a state patchwork while the UK, EU, and Australia run centralized regimes — value accrues to whoever absorbs that fragmentation behind one API.

What You Can Do Now

First, map which age mandates actually touch your service. If your target market includes the UK, EU, or any of those US states, you’re likely already in scope. Second, buy, don’t build. Facial age estimation and digital-identity SaaS plug in for cents per check; designing your own ID-collection flow takes on fine risk and breach liability at once. Third, make data minimization the default. “Take the age signal, not the identity” is both compliance and a trust pitch. Fourth, if you’re chasing this market, make fragmentation your moat. A compliance layer that wraps the differing requirements of 19 US states plus the UK, EU, and Australia into one unified interface is the next wave of demand.