Reasonable efforts in this case would be to send the RTA header. That's it. Done and dusted. If the client is able to browse your site that would mean that either parental controls are not enabled or they are enabled and your site was approve-listed in the client. This of course depends on changing the laws anywhere that require using a third party data-leakage site to verify ID.