Law should not be excessively prescriptive, especially in the case of rapidly-evolving technologies (and business sectors) for all the obvious reasons.
What's far more useful is to propose effective incentives and disincentives, and let the participants work this out for themselves. There are some useful principles and examples which come to mind:
- Business is profit-oriented. Attack the basis of profits, in a readily-identifiable and enforceable way, and activity which pursues those markets will tend to dry up.
- Business is profoundly risk-averse. Raise the risks of an activity, or remove protections or limitations on threads (e.g., Section 230 of the CDA in the US), and incentives to participate in that activity will be greatly reduced. Penetrating corporate and third-party veils would be particularly useful, in this case, of service providers (aiding and abetting in a proscripted commerce) and advertisers (profiting by same). Lifting any limitations on harms which might occur (bullying, induced suicides, addiction, or others) would similarly be crippling.
As to how age might be ascertained:
- Self-reporting. Not terribly reliable, but a decent first cut.
- Profiling. There are exceedingly strong indicia of age which can be made, including based on a particular account's social graph, interests, online activity, location data (is the profile spending ~6h daily at an elementary school, and not lunching in the teacher's lounge?), etc. One strong distinction is between legislation and regulation, where the latter is imposed (usually with rulemaking process) through the executive branch (SCOTUS's Loper v. Raimondo being a phenomenally stupid rejection of that principle). Such regulation could then on a more flexible basis identify specific technical means to be imposed, reviewed, and updated on a regular schedule.
- Access providers. Most people now access the Internet through either fixed-location (home, work, institutional) providers, or their own mobile access provider. Such accounts could well carry age (and other attestation) flags which online service providers could be obliged to respect as regards regulation.
Jumping in before a few obvious objections: no, these mechanisms are not perfect but I'll assert they can be practically effective; and yes, there are risks for authoritarian regimes to abuse such measures, but then, those are already abusing present mechanisms. I'd include extensive AdTech-based surveillance in that, which is itself ripe for abuse and has demonstrated much of this already.
(That said, I'd welcome rational "what could possibly go wrong" discussion.)