EU Finds Meta Failed to Block One in Ten Children Under 13 from Facebook and Instagram
Brussels, Wednesday, 29 April 2026.
European regulators discovered approximately 10% of children under 13 are actively using Facebook and Instagram, exposing Meta’s age verification failures under new digital rules. The preliminary breach finding could trigger fines up to 6% of Meta’s global revenue—potentially billions of dollars. Despite requiring users to be 13 or older, Meta’s current system relies mainly on self-declared birth dates with minimal verification, allowing children to simply enter false ages. This marks a significant enforcement milestone under the Digital Services Act, coming just weeks after the EU launched its own age verification solution.
Commission’s Findings Expose Systematic Age Verification Failures
The European Commission’s preliminary finding on April 29, 2026, revealed that Meta’s platforms fail to adequately prevent minors under 13 from accessing their services or promptly identify and remove them if they already gained access [1]. The Commission determined that roughly 10-12% of children under 13 are using Instagram and Facebook, contradicting Meta’s internal assessments [2]. This finding represents a significant departure from Meta’s public stance, as the company has maintained that its measures effectively detect and remove underage accounts [2]. The breach centers on Article 28(1) of the Digital Services Act, which requires platforms to implement appropriate and proportionate measures to ensure minors’ safety and prevent below-minimum-age access [3].
Technical Weaknesses in Current Age Verification Systems
Meta’s current age verification system relies primarily on self-declaration and AI-based age estimation, allowing children to circumvent restrictions by simply entering false birth dates [1][3]. When creating an account, minors below 13 can enter a false birth date that makes them at least 13 years old, with no effective controls in place to check the correctness of the self-declared date of birth [1]. While Meta told TechCrunch in 2024 that its internal tests claimed to stop 96% of teens attempting to change birthdays from under 18 to over 18, the Commission’s preliminary finding deems these measures inadequate under the DSA’s ‘appropriate and proportionate’ standard [3]. Research conducted by Interface-EU in 2025 demonstrated these vulnerabilities by testing sign-up flows across major platforms, including Instagram, finding that a simulated 14-year-old could create an account by entering a false birthdate with ‘no document check, no third-party verification, no friction beyond a click’ [3].
EU’s Age Verification Solution and Platform Response
The Commission’s enforcement action comes just weeks after the EU launched its own age verification solution on April 15, 2026, designed to help platforms verify age without sharing personal data through zero-knowledge proofs [3]. European Commission President Ursula von der Leyen announced that the EU’s age-verification app is ‘technically ready for rollout’ and told social media platforms there were ‘no more excuses’ for not protecting children online [1][2]. However, security researchers demonstrated that the EU age-verification app could be bypassed within two minutes of its release on April 15, 2026 [3]. Despite this vulnerability, the Commission focuses on whether Meta has deployed a comparably robust alternative and rejects the company’s ‘technical-infeasibility’ defense now that an EU solution exists [3]. Meta has stated it ‘will have more to share next week about additional measures rolling out soon,’ with the company spokesperson emphasizing that ‘understanding age is an industry-wide challenge, which requires an industry-wide solution’ [2].
Financial Penalties and Regulatory Precedent
If confirmed, the Commission can issue a formal non-compliance decision and impose fines up to 6% of Meta’s worldwide annual turnover, potentially amounting to several billion dollars based on the company’s 2025 revenues [2][3]. The preliminary finding against Meta follows the Commission’s March 2026 action against four pornographic platforms—Pornhub, Stripchat, XNXX and XVideo—for allowing minors access ‘by a simple click confirming they are over 18’ [3]. This enforcement pattern demonstrates the Commission’s systematic approach to age verification compliance across different platform categories. The formal proceedings against Meta opened in May 2024, targeting DSA Articles 28, 34 and 35, with the Commission also issuing preliminary findings against Meta on multiple fronts the same day, including addictive design and recommender systems [3]. Regulators are demanding that Meta overhaul its risk-assessment methodology and significantly strengthen its measures to prevent, detect, and remove underage users from both platforms, though no specific deadline or implementation dates have been provided [2].