The End of the Checkbox
Poland is about to make the internet card you. The rest of the world got there first—and the lessons are humbling.
Among the small fictions that hold the internet together—the terms of service we have read, the cookies we have considered, the passwords known only to us—none has been told more often, or more cheerfully, than the answer to a single question: “Are you eighteen?” For three decades, the question has stood guard at the gates of the web’s adult quarters like a sentry who has been instructed, under no circumstances, to look at anyone’s face. You clicked “Yes.” The sentry waved you through. Somewhere, a lawyer felt briefly better.
In the physical world, we long ago stopped finding this arrangement acceptable. A British supermarket clerk confronted with a youthful customer buying wine applies a policy called Challenge 25: if you look under twenty-five, you get carded, the seven-year buffer existing precisely because human judgment wobbles. The internet ran the same transaction with the buffer set to infinity and the judgment set to none. A nine-year-old with a tablet could clear a barrier that a twenty-four-year-old with a passport, standing in a checkout line in Leeds, could not.
That era is ending—not metaphorically but statutorily, one jurisdiction at a time. Britain ended it in 2025. France ended it that April, Italy that November, Germany in December. The Supreme Court of the United States, in June of 2025, removed the constitutional obstacle that had stalled the project in America for a generation. And now Poland is ending it, too. A draft law finalized at the Council of Ministers stage, dated June 2, 2026—its title, in the unhurried manner of Polish legislation, is the Act on the Protection of Minors from Access to Pornographic Content on the Internet—contains, in Article 4, a sentence of almost funerary simplicity: an age-verification mechanism may not consist of a user’s own declaration of age.
One sentence, and the checkbox is dead. What replaces it is the more interesting question, and the answer turns out to be a tour of the modern regulatory imagination: cryptographic wallets, face-scanning algorithms, banks vouching for your birthday, a secret government blacklist, and a continent-wide experiment in whether it is possible to prove you are a grown-up without telling anyone who you are.
A Movement with a Body Count of Checkboxes
The statistics that drive this movement are grim in a quiet, cumulative way. A British study cited by regulators found that eight per cent of children between the ages of eight and fourteen had visited a pornographic site or app within a single month. Polish research, conducted by NASK, the state institute that monitors the national internet, supplied the detail that most shaped Warsaw’s bill: roughly a third of children’s first encounters with pornography—32.8 per cent—are accidental. The child is not looking for it. It finds the child.
Lawmakers on four continents have drawn the same three conclusions. First, that parental controls and digital-literacy curricula, however worthy, have lost the arms race; responsibility is being shifted from parents to platforms. Second, that self-declared age is not verification at all—a proposition now written into law in London, Paris, Berlin, Rome, Brussels, and, prospectively, Warsaw. Third, that whatever replaces the checkbox must thread an unforgiving needle: it has to be reliable enough to stop a determined teen-ager and discreet enough that adults are not required to file their identities with a pornography site—an entity that ranks, on most people’s lists of institutions deserving custody of their passport, somewhere below a parking-lot attendant.
The legal dominoes fell quickly. Britain went first, in its second attempt; the Digital Economy Act of 2017 had made the United Kingdom the first country on earth to mandate age verification for online pornography, and then collapsed before implementation, a cautionary tale about announcing a revolution before building it. The Online Safety Act of 2023 was the patient sequel. Since 2025, any commercial pornography service reachable from Britain must deploy what the statute calls “highly effective age assurance”—a phrase that has acquired, in regulatory circles, the totemic status of an incantation, usually abbreviated, with no apparent irony, to HEAA.
The British regulator, Ofcom, then did something genuinely useful: instead of decreeing a technology, it defined a result. An age check, Ofcom said, must be technically accurate, robust, reliable, and fair—measured in lab conditions and in the wild, resistant to the workarounds a child could plausibly attempt, consistent in its outputs, and untainted by demographic bias. The regulator published a list of methods capable of clearing the bar: open banking, in which your bank confirms you are over eighteen without revealing your birthday; photo-ID matching, in which your face is compared with your document; facial age estimation, in which an algorithm squints at you the way the Tesco clerk does; mobile-carrier checks; credit cards; digital identity wallets. And it published the methods that can never clear it: the checkbox, the debit card (teen-agers have those), and the site’s terms of service solemnly declaring everyone to be an adult—the legal equivalent of a “No Wolves” sign on a henhouse.
Ofcom even imported Challenge 25 wholesale. Under its guidance, an estimation algorithm must apply a “challenge age”: anyone scored under twenty-five gets routed to a second, stricter check. The supermarket squint, formalized in code.
France, characteristically, decided the British had under-theorized the privacy problem. Under the SREN law and a standard issued by Arcom, the French audiovisual regulator, every pornographic site accessible from France must verify age before showing a single pixel—and must do it through an independent third party, under a rule the French call, with a certain Gallic flourish, double anonymat. Double anonymity means the site never learns who you are, and the verifier never learns where you went. The system is built so that no one, anywhere, holds both halves of the sentence “this particular citizen visited this particular site.” Germany, ever the engineer, maintains the world’s only official registry of pre-approved verification systems—operators can simply pick from the list—and, as of December, 2025, acquired a colder instrument: regulators can order banks and payment processors to stop moving money to noncompliant sites. You can outrun a blocked domain. Outrunning your own revenue is harder. Italy ordered verification at every single session, on the theory that a borrowed login should be worth nothing. And in Washington, in [Free Speech Coalition v. Paxton](https://firstamendment.mtsu.edu/article/free-speech-coalition-v-paxton/), the Supreme Court held, six to three, that requiring proof of age before access to material obscene to minors does not offend the First Amendment—and the dam that had held since the two-thousands broke. Twenty-five American states now have such laws. Australia banned social media for children under sixteen and watched platforms purge 4.7 million under-age accounts in weeks. Brazil passed the broadest child-protection statute on the planet. South Korea, which has required real-name identity verification since the two-thousands, watches all of this with the mild bemusement of a country that solved the assurance problem decades ago by abolishing the privacy problem—an approach Europe regards the way a vegetarian regards a steakhouse.
Warsaw’s Entry
Into this crowded field comes the Polish bill, and the first thing to say about it is that it is, by the standards of the genre, a careful piece of work—procedurally fastidious, technologically open-minded, and candid about its own limits in a way that legislative prose rarely manages.
Its jurisdictional reach is borrowed from the European Union’s Digital Services Act: the law follows the user, not the company. A service offered to people located in Poland is covered regardless of where the operator keeps its brass plate—Warsaw, Limassol, Amsterdam, a post-office box in Costa Rica. The drafters have seen the standard first move of the offshore adult industry and pre-empted it in Article 1. Private messaging is excluded; the law gates publishers, not conversations.
The second notable choice is an absence. The bill never defines pornography. This sounds like an oversight and is in fact a doctrine: Polish courts have long held that deciding whether material is pornographic is a job for a judge, not an expert witness—an evaluative call, made case by case. The contrast with America is instructive. Texas’s H.B. 1181 applies to sites where more than one-third of the content is “sexual material harmful to minors,” which has the virtue of precision and the vice of inviting arithmetic. (One imagines the compliance officer with a calculator, auditing the catalogue toward 33.3 per cent.) The Polish approach trusts judgment; the Texan approach trusts fractions. Each jurisdiction gets the litigation it deserves.
The core of the bill occupies two sentences. Article 3 obliges any provider giving access to pornographic content to verify age and to actually prevent minors from getting in—a duty of result, not merely of paperwork. Article 4 kills the checkbox and then, in its second paragraph, names the state’s preferred replacement: an electronic attestation of age delivered through the European Digital Identity Wallet, the pan-E.U. credential system that every member state must offer its citizens by the end of 2026. The word the statute uses is “in particular”—w szczególności—which in Polish legislative dialect means the list is open. Other methods will qualify, provided they genuinely establish adulthood. The bill’s explanatory memorandum even tells you where to look for the eventual fine print: it cites Ofcom’s guidance and the European Commission’s, by name, as the benchmarks Polish regulators intend to follow. Warsaw is not pretending to invent the field. It is, sensibly, copying the homework of countries that did the suffering first.
What the wallet promises is the conceptual heart of the entire European project, and it deserves a moment of appreciation, because it is one of those rare cases where cryptography and civil liberties point the same direction. The E.U.’s age-verification solution—a “mini wallet,” feature-complete as of April, 2026, and piloted in Denmark, France, Greece, Italy, and Spain, among others—issues single-use cryptographic proofs of exactly one fact: that the holder is over eighteen. Not a name, not a birthday, not a photograph. The proof provider never learns which site requested it; the site never learns anything but the answer. Some implementations use zero-knowledge proofs, a mathematical construction whose name is also its job description: you demonstrate that a statement is true while conveying nothing else whatsoever. It is the Tesco clerk’s glance, reduced to its informational minimum and rendered unforgeable—a bouncer with perfect judgment and total amnesia.
The Secret List
Then there is the registry, which is where the Polish bill becomes distinctively itself.
A law that obliges foreign pornography sites to behave needs an answer to the obvious question: what if they simply don’t? Poland’s answer is a blacklist of domains that serve pornography without verification, maintained by the president of the Office of Electronic Communications, known as UKE—the telecom regulator that already serves as Poland’s coördinator under the Digital Services Act. Once a domain is entered, every internet provider in the country must stop resolving it within forty-eight hours, redirecting visitors to a government information page; when a domain is removed, access must be restored just as fast. The model is not novel in Poland—the country has run a similar register for illegal gambling domains since the twenty-tens—but one design choice is quietly elegant: the list is secret. A public register of unverified pornography sites would be, after all, a state-curated directory of unverified pornography sites, lovingly maintained at taxpayer expense and updated within forty-eight hours. Somewhere in a ministry, a drafter thought this through, and deserves our thanks.
The procedure around the list is unusually solicitous for the genre. Anyone—any citizen with a grievance and a web form—can nominate a domain. Before an entry is made, UKE must consult expert bodies, and the domain holder must be notified and given a chance to respond; an objection is available, and after that, an appeal to the administrative courts. Plenty of blocking regimes elsewhere in the world dispense with most of this. Poland’s, whatever else one says about it, intends to block people only after letting them argue.
And the law contains one provision of genuine cunning. Article 34 says that an age verification performed before the statute takes effect remains valid afterward, so long as it met the statute’s standards. Operators who comply early will never have to herd their entire user base through the turnstile a second time; operators who wait will do their verifying in a stampede, in 2027, competing for the attention of verification vendors whose order books will resemble a Black Friday checkout line. It is the rare transitional provision that functions as a marketing incentive: the law rewards the punctual.
The Million-Złoty Question
Now for the soft spot, which the bill’s own authors do not entirely hide.
The maximum fine for a provider that ignores Article 3 is one million złoty—about two hundred and thirty thousand euros. In the comparative table of deterrence, this is not merely the smallest number; it is a different genre of number. Britain can fine ten per cent of global revenue. France, two per cent, doubling to four for the recalcitrant. The Digital Services Act, for the largest platforms, six. Australia’s ceiling converts to roughly twenty-nine million euros. For a multinational adult conglomerate with revenues in the hundreds of millions of dollars, Poland’s maximum penalty is a sum that would not survive a quarterly rounding error—a cost of doing business so small it barely qualifies as a cost, more a gratuity.
The drafters’ explanation is disarmingly honest: calculating the global revenue of an offshore pornography company is, in practice, somewhere between difficult and divinatory. True enough—but France and Britain solved the same problem with a simple hybrid, “the greater of a fixed cap or a percentage of turnover,” and Poland could, too. The more charitable reading is that the fine was never meant to be the weapon. The registry is the weapon. A million złoty is an inconvenience; losing every Polish visitor within forty-eight hours is a market amputation. The Polish system, read as a whole, has shifted its center of gravity from financial punishment to infrastructural punishment—from taking a company’s money to taking its audience. Whether that bet pays off depends on a question the bill cannot answer alone: how much a global platform values a mid-sized European market when the alternative is building a verification system it will eventually need everywhere anyway.
There is a second gap, subtler and arguably more consequential. The bill does not require double anonymity. It gestures toward privacy—the memorandum recites the data-minimization principles of European law, and UKE must alert the national data-protection authority if a site’s verification method looks legally dubious—but nothing in the statute forbids the cheapest possible compliance: a site simply collecting scans of identity documents and keeping them. The French would call this unthinkable. The Polish bill calls it nothing at all, which means some operators will do it, because it is the lowest-cost path through the letter of the law. The result would be databases pairing the legal identities of citizens with their pornography consumption—a class of data so radioactive that the only safe storage strategy is nonexistence. Britain’s regulator learned this the hard way, intervening with guidance precisely to stop bargain-basement verification schemes from metastasizing. The most useful sentence Polish regulators could write into their forthcoming guidelines is the one the cryptographers have been repeating all along: the best way to secure this data is not to have it.
The Seventeen-Year-Old Problem
Does any of it work? Here the early evidence is humbling, and the British supplied it with characteristic thoroughness. In the weeks after the U.K.’s verification mandate took effect, in July, 2025, discussion of V.P.N.s among British Reddit users rose by four hundred and fifteen per cent; Google searches for V.P.N.s jumped eighty-nine per cent. A virtual private network relocates you, digitally, to a country with laxer rules, and a teen-ager who can install a game mod can install one. Poland’s DNS blocking is, if anything, more porous: changing a phone’s DNS resolver—a settings tweak that takes less time than reading this sentence—routes around it entirely.
Critics treat this as a refutation. It is better understood as a definition of the mission, and the Polish bill, to its credit, defines the mission honestly. The memorandum returns to that NASK figure—32.8 per cent of first exposures are accidental—and plants its flag there. Verification walls and domain blocks are extraordinarily effective against the exposure no one sought: the misclicked link, the autoplay ambush, the nine-year-old following an algorithm downhill. They raise the cost of intentional access, especially for younger children, from zero to something. They will not stop a determined seventeen-year-old, because nothing stops a determined seventeen-year-old; no legal system on earth has ever designed a barrier that adolescence cannot regard as a syllabus. The honest metric is not impermeability. It is moving the age of first contact upward and making the accidental encounter rare—goals that are modest, measurable, and, unlike perfection, available.
Carding the Future
The law still has a road ahead of it—parliament, then a mandatory technical notification to the European Commission with its built-in standstill, then a twelve-month grace period. Realistically, the turnstiles go live in the second half of 2027. By then, if Brussels keeps its schedule, every member state will be issuing digital identity wallets, and the act of proving one’s age online may finally take its intended form: a phone buzzes, a thumb confirms, a single anonymous bit—old enough—crosses the wire, and nothing else about you goes anywhere at all.
It is worth pausing on how strange and how oddly civilized that endpoint is. The first internet asked everyone their age and believed everyone’s lie; the emerging one will believe no one and learn nothing. Between those two settlements lies thirty years of accumulated regret about what happens when an architecture is built on the honor system and inhabited by children. Poland arrives at this project late, which is its quiet advantage: the dead ends are already marked with British, French, and German signage. The bill before parliament has read those signs on technology and procedure; on penalties and privacy, a few remain to be read. There is still time. The checkbox, after all, waited thirty years to be asked a follow-up question.
Further reading
Meta on Trial: How New Mexico’s Child-Safety Case Could Change Social Media Forever
Robert Nogacki – licensed legal counsel (radca prawny, WA-9026), Founder of Kancelaria Prawna Skarbiec.
There are lawyers who practice law. And there are those who deal with problems for which the law has no ready answer. For over twenty years, Kancelaria Skarbiec has worked at the intersection of tax law, corporate structures, and the deeply human reluctance to give the state more than the state is owed. We advise entrepreneurs from over a dozen countries – from those on the Forbes list to those whose bank account was just seized by the tax authority and who do not know what to do tomorrow morning.
One of the most frequently cited experts on tax law in Polish media – he writes for Rzeczpospolita, Dziennik Gazeta Prawna, and Parkiet not because it looks good on a résumé, but because certain things cannot be explained in a court filing and someone needs to say them out loud. Author of AI Decoding Satoshi Nakamoto: Artificial Intelligence on the Trail of Bitcoin’s Creator. Co-author of the award-winning book Bezpieczeństwo współczesnej firmy (Security of a Modern Company).
Kancelaria Skarbiec holds top positions in the tax law firm rankings of Dziennik Gazeta Prawna. Four-time winner of the European Medal, recipient of the title International Tax Planning Law Firm of the Year in Poland.
He specializes in tax disputes with fiscal authorities, international tax planning, crypto-asset regulation, and asset protection. Since 2006, he has led the WGI case – one of the longest-running criminal proceedings in the history of the Polish financial market – because there are things you do not leave half-done, even if they take two decades. He believes the law is too serious to be treated only seriously – and that the best legal advice is the kind that ensures the client never has to stand before a court.