By Ramón Villot Sánchez, Legal, Compliance & GRC Director
The use of the internet, social media, and other digital platforms by adolescents has become a widespread phenomenon. Between the ages of 14 and 16, many young people regularly access online services, which poses growing challenges in terms of how to protect their well-being, safety, and privacy in increasingly complex digital environments.
Today, these concerns have moved to the forefront of public debate following the announcement by the President of the Spanish Government, Pedro Sánchez, of a series of measures aimed at limiting access by minors under the age of 16 to digital platforms and social networks, requiring companies to implement effective age-verification systems to ensure that only individuals above that age can use certain services.
This announcement adds to an already evolving regulatory context in Spain. Currently under consideration is a draft Organic Law for the protection of minors in digital environments, which also proposes raising the minimum age for giving consent to the processing of personal data from 14 to 16 years, a legal requirement for registering on social media platforms without parental authorization.
Why this change now?
Until recently, many platforms unilaterally set the minimum age of use at 13 or 14, based on internal criteria or international standards such as U.S. online privacy laws. However, these limits are often applied without robust verification mechanisms and are easy to circumvent.
The proposal to establish a legal threshold of 16 years is not an exception, but rather an option provided for under the GDPR and already applied by several EU Member States for years. As such, the Spanish initiative aligns with an increasingly strong European trend.
This approach must be accompanied by robust age-verification systems. Such measures combine the goal of minimizing the risks of access to inappropriate content, algorithmic manipulation, and digital addiction with the logic of the draft law aimed at protecting personal data.
One of the most complex tensions in this debate is how to verify someone’s age without collecting or disclosing unnecessary personal data. Traditional verification methods (such as uploading a copy of an identity document or simply providing a date of birth) can generate security risks and facilitate user profiling. As a result, the technology sector is exploring solutions based on verifiable credentials, which make it possible to confirm a specific attribute (such as being of legal age or having a certain age) without revealing identity or other personal details.
In these models:
- A trusted issuer provides a digital credential certifying legal age or a specific age.
- The credential does not contain identifying data such as name or date of birth.
- The user presents this credential to the service, and only the relevant requirement (age) is verified, avoiding the collection of additional information.
This approach, beyond fulfilling the purpose of age filtering, promotes better digital privacy practices by reducing data accumulation and limiting the possibility of cross-platform tracking.
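The credential model described above, as an added example that is not part of the original article: an issuer signs a credential carrying only an age threshold and an expiry, and the service checks the signature, refuses any credential that discloses more, and tests the threshold. The claim names `age_over` and `exp`, the function names, and the Lamport one-time signature (a standard-library stand-in for whatever signature scheme a real issuer uses) are assumptions made for illustration.

```python
import hashlib
import json
import secrets

# Constructed for this example: the only claims a credential may carry
# (no name, no date of birth).
ALLOWED_CLAIMS = {"age_over", "exp"}

def _h(data):
    return hashlib.sha256(data).digest()

def _bits(msg):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: an assumed stand-in for the issuer's real
# signature scheme. Each key pair must sign exactly one credential.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    bits = _bits(msg)
    return len(sig) == 256 and all(_h(sig[i]) == pk[i][bits[i]] for i in range(256))

def issue_age_credential(sk, threshold, ttl_s, now):
    """Issuer side: called only after the issuer has checked the holder's age itself."""
    payload = json.dumps({"age_over": threshold, "exp": now + ttl_s}, sort_keys=True).encode()
    return {"payload": payload, "sig": lamport_sign(sk, payload)}

def verify_age(pk, cred, required_age, now):
    """Service side: returns "ok" or the reason for rejection."""
    if not lamport_verify(pk, cred["payload"], cred["sig"]):
        return "bad-signature"
    claims = json.loads(cred["payload"])
    if set(claims) != ALLOWED_CLAIMS:
        return "unexpected-claims"  # refuse credentials that over-disclose
    if claims["exp"] < now:
        return "expired"
    if claims["age_over"] < required_age:
        return "under-age"
    return "ok"

if __name__ == "__main__":
    sk, pk = lamport_keygen()
    cred = issue_age_credential(sk, threshold=16, ttl_s=300, now=1_000)
    print(verify_age(pk, cred, required_age=16, now=1_100))
```

A credential reused unchanged across services is still linkable by its bytes, so limiting cross-platform tracking also depends on issuing short-lived, single-use credentials.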
Minimum age of 16
If this mandatory minimum age is enshrined in law and specific regulation, as announced by the Government, it will have concrete effects:
- Platforms will be required to implement robust verification mechanisms, such as those based on verifiable credentials or other reliable, privacy-respecting technologies.
- Minors aged between 14 and 16 will need explicit authorization from parents or legal guardians to legally access digital services that process personal data, in line with the draft Organic Law currently under review.
- A technical and social debate will open regarding the balance between protection, digital rights, and youth autonomy, particularly in a context where early access to the internet is the norm.
Towards a new European standard?
The Spanish announcement does not occur in isolation. At the European level, institutions such as the European Parliament have supported proposals for a harmonized minimum age of 16 for certain digital interactions, together with reliable age-verification systems that—while protecting minors—also preserve the privacy of all users.
Conclusion
Today’s announcement highlights the convergence of technological approaches and regulatory frameworks: it is not enough to define a minimum age; it must also be verified effectively and in a privacy-respecting manner. In an environment where digital presence between the ages of 14 and 16 is commonplace, this combination of regulation and technology points toward a future in which the protection of minors, parental control, and digital privacy can coexist without sacrificing fundamental rights or security for all.