Skip to main content
Information Technology & BPO

The UK's Under-16 Social Media Ban vs. India's DPDP Act and the EU's DSA.

June 20, 2026By HRU LEGAL

The UK's Under-16 Social Media Restrictions: How They Compare to India's DPDP Act and the EU's Digital Services Act

What the UK Just Announced

In June 2026, the UK government confirmed it will move forward with an Australian-style social media ban for under-16s, following Prime Minister Keir Starmer's announcement at London Tech Week and a national consultation that ran from March to May 2026. The government says the consultation drew strong public backing, with the large majority of parents supporting restrictions on under-16 access.

The plan covers two layers of restriction:

  • A platform-level ban: Major platforms, including Instagram, YouTube, TikTok, Snapchat, Facebook, and X, will be required to exclude users under 16. Messaging services like WhatsApp and Signal are not covered.
  • High-risk feature restrictions: Even where a full ban doesn't apply, features such as livestreaming and the ability for strangers to contact children will face additional limits for under-16 users.

The government has also moved separately to close a gap in the 2023 Online Safety Act that left one-on-one interactions with AI chatbots largely unregulated. This gap drew scrutiny after reports of chatbots generating inappropriate content involving minors. Tech companies have been given a short window to roll out device-level safeguards aimed at preventing the sharing of explicit images involving children.

Enforcement will sit with Ofcom, which is expected to study age-verification methods before the rules take effect. Current government messaging points to the legislation reaching Parliament before the end of the year, with the protections themselves coming into force in 2027.

Not everyone is on board. Digital rights groups have warned that a blanket ban could cut young people off from legitimate uses of these platforms, including educational content, community groups, and contact with family, without addressing the underlying design choices that make these platforms risky in the first place. That tension between age-gating and platform redesign is shaping similar debates in several other countries.

How This Compares to India's DPDP Act

India's Digital Personal Data Protection Act, 2023, takes a different legal route to a related goal. Rather than banning platform access outright, it regulates data processing:

  • Definition of "child": Anyone under 18, notably stricter than the UK's 16 threshold, the EU's 13–16 range under GDPR, or the US's COPPA cutoff of 13.
  • Verifiable parental consent: Platforms must obtain verifiable consent from a parent or guardian before processing a child's personal data.
  • Outright prohibitions: Tracking, behavioral monitoring, profiling, and targeted advertising directed at children are barred outright, regardless of consent.
  • Narrow carve-outs: The DPDP Rules, 2025 exempt certain categories, including healthcare providers, educational institutions, and a few other purpose-bound services, from the strictest consent requirements, but only where processing is necessary for health, safety, or essential services.

The practical sticking point is implementation. The rules don't yet specify exactly how platforms should verify a parent-child relationship without over-collecting sensitive identity data, and the suggested approach, leaning on tools like DigiLocker, is still being worked out. For a platform with Indian users, that means the compliance bar is high on paper (an 18-year threshold is broader than almost anywhere else) but the operational mechanics are still settling.

How This Compares to the EU's Approach

The EU's Digital Services Act takes a third route, closer to a duty-of-care model than either an outright ban or strict consent gating:

  • Platforms accessible to minors must take appropriate measures to protect their privacy, safety, and security.
  • Targeted advertising based on profiling using a minor's data is prohibited outright, with no consent mechanism able to override it.
  • Very large platforms face additional risk-assessment obligations specifically addressing how their design (recommender systems, addictive features) affects minors.

Unlike the UK's emerging model, the DSA doesn't set a hard age cutoff for platform access. Unlike India's DPDP Act, it doesn't centre on parental consent as the gating mechanism, instead focusing on what the platform itself must do, regardless of who consented.

What This Means for Platforms Operating Across All Three

A platform serving UK, Indian, and EU users now has to satisfy three different regulatory philosophies at once. The UK's core mechanism is an access ban layered with feature restrictions, set at a 16-year threshold, enforced by Ofcom, though it doesn't yet centrally address targeted advertising to minors. India's DPDP Act works through parental consent and outright processing bans, set at an 18-year threshold (the strictest of the three), with targeted ads to minors prohibited outright and enforcement sitting with the Data Protection Board of India once it is operational. The EU's DSA takes yet another route, imposing platform-design and risk-assessment duties rather than a hard age gate; its age threshold varies by member state under GDPR (typically 13–16), it bans targeted ads to minors outright, and enforcement runs through national regulators alongside the European Commission for the largest platforms.

For compliance teams, the practical takeaway is that age-verification infrastructure is becoming unavoidable everywhere, but the purpose of that infrastructure differs: in the UK it gates access entirely, in India it gates consent for data processing, and in the EU it feeds into broader platform-design obligations. Building a single global compliance layer increasingly means building for the strictest common denominator, which currently looks like a combination of the UK's hard age gate and India's data-processing prohibitions.

Looking Ahead

None of these three frameworks is fully settled. The UK's ban still needs to clear Parliament and won't take effect until 2027. India's DPDP Rules are still missing the technical detail on age verification. And EU regulators continue to issue fresh guidance on what "appropriate measures" for minors actually requires in practice.

For now, firms advising platforms, ed-tech companies, or any business with a meaningful under-18 user base across these three jurisdictions should be building flexible, jurisdiction-aware age-assurance systems rather than betting on regulatory convergence anytime soon.

This Blog is for general informational purposes and does not constitute legal advice. For guidance specific to your platform or business, please contact our team.