Age Assurance Framework for WordPress

[telizarose]

Summary

Add standardized hooks and infrastructure to support age-aware user experiences and regulatory compliance

Problem Statement

Age assurance is becoming a baseline requirement for digital products. Across the U.S., a patchwork of state laws now mandates age verification or age-based restrictions:

• California Digital Age Assurance Act (AB 1043) (effective January 2027) – Enables standardized age signals from operating systems to applications
• California Age-Appropriate Design Code (AB 2273) – Requires services likely used by minors to assess age and mitigate harm
• Protecting Our Kids from Social Media Addiction Act (SB 976) – Mandates age-based restrictions on feeds and engagement features
• App Store Accountability Acts – Shift responsibility to developers for age verification and parental controls
• Texas HB 1181 – Requires age verification for access to certain online content (upheld by U.S. Supreme Court)
• Additional states (Utah, Louisiana, Florida, Arkansas, Tennessee, Virginia, Wyoming, and others) – Impose age verification or age-based restrictions on content, social media, or app usage

Collectively, roughly 25+ states have passed age verification laws in some form, with more legislation pending. Federal policymakers are actively exploring similar requirements.

The Gap

Despite this regulatory shift, WordPress lacks:

1. A standardized way to receive or interpret age signals (from operating systems, browsers, or third parties)
2. A unified model for age-based policy enforcement across plugins, themes, and APIs
3. A consistent mechanism to support developers in meeting regulatory expectations

Currently, age handling in WordPress is fragmented, inconsistent, and largely dependent on isolated plugin logic or manual site-owner implementation. This creates:

• Compliance risk for site owners unable to implement trusted, auditable age systems
• Developer burden – Every implementation reinvents the wheel
• Ecosystem weakness – WordPress will lacks standardized age signals soon to be required for end users

Proposed Solution

WordPress should provide standardized infrastructure—not mandate policy—to enable the ecosystem to build trustworthy, compliant age-aware solutions.

This includes:

1. Age context as first-class user data – Standardized metadata structure for age-related signals and verification state
2. Extensible hooks – Entry points for plugins to receive, validate, and enforce age-based policies
3. REST API alignment – Age context accessible and enforceable in API workflows
4. Audit trail support – Standardized logging mechanism for compliance and accountability

User Stories

Story 1: Site Owner Can Receive and Track Age Signals

As a site owner
I want to receive age verification signals from external sources (OS, browser, third-party providers)
So that I can implement age-aware experiences without building verification from scratch

Story 2: Developer Can Build Age-Based Access Control

As a plugin or theme developer
I want to enforce age-based access rules on content and features
So that site owners can comply with age-awareness regulations without hardcoding policies

Story 3: Developer Can Log Age-Related Events for Compliance

As a compliance or logging plugin developer
I want to capture when age signals are received and when access is granted/denied based on age
So that site owners have an auditable trail for regulatory compliance

Story 4: REST API Respects Age Context

As an API client
I want to receive age-aware responses and permission errors from REST endpoints
So that I can build age-gated experiences on mobile apps, headless frontends, etc.

Why This Matters Now

1. Regulatory acceleration: Laws are passing faster than plugins are developing unified solutions. Core support prevents future fragmentation.

2. Competitive parity: iOS 17+, Android, and web browsers are already standardizing age signals. These regulations will increase this need across more platforms. WordPress needs to participate in this shift.

3. Ecosystem efficiency: Plugins should focus on policy and UX, not infrastructure. Core hooks enable this separation.

4. Trust and compliance: Site owners need an auditable, platform-level approach to age handling, not ad-hoc plugin combinations.

5. Future-proofing: As federal regulations emerge, WordPress sites with standardized age infrastructure will adapt faster than those with fragmented implementations.

Out of Scope

This ticket is not proposing:

• Age verification services or APIs (plugins provide these)
• Specific age-based policies (plugins and site owners decide)
• Content filtering or blocking (core provides hooks; plugins enforce policy)
• Changes to authentication or login flow
• New user roles or capabilities (leverage existing system)
• Breaking changes to existing functionality

References

Federal

• ​U.S. Senate: Kids Online Safety Act (KOSA) - Bipartisan bill addressing age verification and youth online safety

California

• ​California AB 1043 (Digital Age Assurance Act) – Effective January 1, 2027
• ​California AB 2273 (Age-Appropriate Design Code) – Age assessment and design standards for minors
• ​California SB 976 (Protecting Our Kids from Social Media Addiction Act) – Age-based feed/engagement restrictions

Texas

• ​Texas HB 1181 – Age verification for adult content; upheld by U.S. Supreme Court

Other States (Sample)

• Utah – HB 296 (Age Verification for Adult Content)
• Louisiana – HB 1 (Online Age Verification Requirements)
• Florida – HB 1 (Age Verification for Social Media)
• Arkansas – HB 1939 (Age Verification Requirements)
• Tennessee – HB 1414 / SB 1117 (Age Verification for Minors)
• Virginia – SB 427 (Parental Notification and Age Verification)
• Wyoming – HF 0073 (Age Verification for Age-Restricted Services)

Industry Standards & Platforms

• ​Apple Privacy-Preserving Age Signal – iOS 17+, macOS Sonoma+
• ​Google Play App Age Rating – Android age assurance ecosystem
• ​National Conference of State Legislatures (NCSL) Age Verification Tracking

[audrasjb]

Hello and thank you for this ticket,
As the implementation of age verification system is completely dependent from the final website made with WordPress, I think it is the territory of plugins, not core.

[knutsp]

Replying to audrasjb:

As the implementation of age verification system is completely dependent from the final website made with WordPress, I think it is the territory of plugins, not core.

That is exactly why WordPress could offer a framework, making compatibility and interoperability between plugins, regulations in different regions and verifcation systems and apps more robust.

We still miss a content language framework and multi factor authentication, but we now have an AI framework and connectors for different plugins to use as a common base.

Implementations, esecially user facing settings, will be plugin territory, useful frameworks with some basic APIs, especially made early, are real benefits, in this case for the near future.

Add EU regulations to this feature request, embrace, explore the possibilities and start designing it. This could be be part of what is needed to "make WP great again", devs to say "look to WordPress".

[jorbin]

Howdy @telizarose, welcome to WordPress Core Trac!

I completely agree with @audrasjb that this is plugin territory. In the near term (and possibly long term), the overwhelming majority of websites would not use this. If a plugin (or plugins) show that this is something that many websites want, I think it would be worth revisiting, hence the resolution of maybelater.