Study: U16 social media ban raises privacy questions
June 16, 2026
The UK’s planned ban on under-16s using major social media platforms marks an important step in addressing children’s online safety, but research from Incogni suggests the debate should not stop at screen time, harmful content, or contact with strangers.
Incogni’s latest Social Media Privacy Ranking found that some of the platforms likely to be affected by the ban are also among the most privacy-invasive services investigated. Meta’s products — Facebook, WhatsApp, Instagram, and Facebook Messenger — along with TikTok, ranked as the most privacy-invasive platforms in the study.
The findings come as the UK government prepares to block under-16s from accessing major social media platforms from spring 2027, with additional limits expected for 16- and 17-year-olds. While the policy has been presented as a child-safety measure, its success will depend heavily on how platforms verify users’ ages.
That raises an important privacy question: will children and adults have to hand over more personal information to prove they are old enough to use social media?
“Restricting children’s access to harmful online environments is an important step,” said Darius Belejevas, Head of Incogni. “But enforcement matters. If age checks rely on identity documents, selfies, biometric data, digital ID wallets, or device-level verification, strong safeguards will be essential to ensure age verification does not become another source of sensitive data exposure. Particular attention in this process needs to be given to how sensitive data will be collected, stored, secured, and shared.”
The research analysed 15 of the world’s most popular social media platforms across privacy-related criteria including AI training, data collection, regulatory transgressions, transparency, user control and consent, and user-friendliness.
The results show that many social media platforms are not only places where young users may encounter harmful content, but also data-heavy ecosystems that collect, infer, process, share, and retain significant amounts of personal information.
Key findings
- Meta’s products and TikTok ranked as the most privacy-invasive platforms in Incogni’s analysis.
- Discord was found to be the least privacy-invasive platform, followed by Pinterest and Quora.
- Meta’s platforms, YouTube, Snapchat, Pinterest, X, and LinkedIn indicate that they may use user data to train AI models.
- Telegram, Twitch, and Discord indicate that user data will not reach AI models.
- Facebook was the most-fined platform for privacy-related regulatory violations in the study.
- Sensitive personal information – such as health information, sexual orientation, race or ethnicity data, and certain audio, visual, or location-related information – could be collected and processed by Discord, Twitch, Snapchat, TikTok, YouTube, and Meta’s products, except WhatsApp.
- Snapchat had the highest rate of disclosure in response to government requests among platforms with available data, followed by Meta’s products and Discord.
Meta platforms and TikTok ranked as the most privacy-invasive
Incogni evaluated the platforms using 14 criteria across six categories. Meta’s products and TikTok received the highest privacy-invasiveness scores in the study.
Their results were affected by penalties across multiple categories, including extensive data collection, AI-related privacy concerns, regulatory history, transparency issues, and the level of control users are given over their information.
Facebook stood out as the most-fined platform for privacy-related violations. Incogni found that Facebook had been named in four GDPR fines in the EU, once in the US, and five times in other jurisdictions.
The study also found that Facebook and Instagram’s Android apps interacted with 37 out of 38 possible data types assessed, making them the most data-intensive mobile apps in the ranking.
“The platforms at the centre of children’s online-safety debates are also some of the most privacy-invasive platforms people use every day,” said Belejevas. “That should be part of the policy conversation.”
Age verification could become the next privacy battleground
The UK ban’s effectiveness will depend on whether platforms can reliably identify underage users. Possible methods include facial age estimation, photo ID matching, digital identity wallets, checks through banks, credit-card providers or mobile networks, and device-level age assurance through operating systems.
While these tools may help prevent underage access, they could also introduce new risks if they require users to share sensitive identity or biometric information with platforms or third-party age-verification providers.
The concern is not only whether children’s data is protected. If every user must prove they are over 16, adults may also be pushed through new identity-checking systems before accessing everyday online services.
“Age verification must follow strict data-minimization principles,” said Belejevas. “Platforms should verify only what is necessary, avoid storing sensitive documents, and clearly explain who processes the data, where it is stored, and how long it is retained.”
Social media privacy risks go beyond content moderation
Public debate around the UK ban has largely focused on harmful content, screen time, algorithms, and children being contacted by strangers. Incogni’s findings suggest that privacy should be treated as a central part of the same discussion.
The study found that several major platforms indicate that user data may be used to train AI models, including Meta’s platforms, YouTube, Snapchat, Pinterest, X, and LinkedIn.
TikTok’s privacy policy does not directly mention AI, but Incogni’s researchers found that it does refer to user data being used to improve machine-learning models and develop products. Given the platform’s AI-based products, researchers inferred that user data could be used to develop generative AI models.
Other platforms performed better in this area. Telegram, Twitch, and Discord indicate that user data will not reach generative AI models.
“Children’s safety online is not only about what content they see,” said Belejevas. “It is also about what data is collected from them, whether that data can be used to profile them, whether it can feed AI systems, and how much control they have over it.”
Other posts by :