Lorrie Faith Cranor, Carnegie Mellon University
Twenty-five U.S. states have laws requiring some websites to perform "strong" age verification to ensure that visitors to sites containing "material harmful to minors" are over-age – and more states are considering similar laws. Under these laws, self-attesting one's age by checking a box is insufficient. Users must verify their age by using IDs, AI facial analysis, or other "commercially reasonable" options. However, users may find these approaches to age verification privacy-invasive, insecure, or inconvenient, and some users may even turn away from a website entirely if prompted with one of these methods. Our team at Carnegie Mellon University ran a 1,635-participant experiment to find out what users do when they encounter various age verification options and followed up with a survey to probe their reasoning. We'll talk about our study methods, our findings, and what policy makers and organizations that are required to age verify can learn from our results.
Lorrie Faith Cranor is Director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute and FORE Systems University Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the Privacy Engineering program. In 2016 she served as Chief Technologist at the US Federal Trade Commission. She co-founded Wombat Security Technologies. She is a fellow of the ACM, IEEE, and AAAS; a member of the ACM CHI Academy; and the author of a children's book about privacy.
author = {Lorrie Faith Cranor},
title = {User ({Non-)Compliance} with Age Verification: Evidence from a Deceptive Web Experiment},
year = {2026},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jun
}
