UK Online Safety Act Explained: Purpose, Penalties & Age Verification
Did you know that children in the UK are first exposed to explicit material online at the tender age of 13, and one in ten children in the UK has encountered explicit online content by the age of only nine?
These statistics explain why the UK’s Online Safety Act (OSA) exists: to define how online businesses should manage user safety, especially where children may access content, communities, search results, or adult material. So, if you’re a business operating an internet service accessible to UK users, you need to understand the OSA.
This article breaks down what the Act requires, who it applies to, how it’s being enforced, and what your organization should do to stay on the right side of the law.
The Core of the Online Safety Act
The Online Safety Act received Royal Assent on October 26, 2023, making it law in the UK. However, its roots stretch back further, as it grew from years of public pressure, parliamentary debate, and a growing recognition that self-regulation by tech platforms simply wasn’t working.
The OSA is a duty-of-care framework: it requires online platforms and services to proactively identify, assess, and reduce the risk of harm their services could cause to users, particularly children. Rather than waiting for harmful content to be reported and removed, the Act requires safety to be built in from the start.
The official explainer says that the Act puts new duties on social media companies and search services, making them more responsible for user safety. And the UK’s independent communications regulator, Ofcom, is the designated enforcer and has been handed significant new powers to back it up.
Timeline of the UK Online Safety Act
The Online Safety Act 2023 appeared after years of policy work around child protection, illegal content, and platform accountability. Here is how the main milestones unfolded:
- 2017: Digital Economy Act passes, including provisions for age verification on adult content sites, but these measures are delayed and ultimately abandoned.
- 2019: UK Government publishes its Online Harms White Paper, setting out its vision for platform regulation.
- 2021: Draft Online Safety Bill introduced to Parliament.
- 2022: “Legal but harmful” provisions for adults removed following free speech concerns. Debates around freedom of expression, encryption, children’s safety, and platform duties ensue.
- October 2023: The Online Safety Act receives Royal Assent. (The bill’s full parliamentary history is available on the UK Parliament website.)
- 2024: Ofcom consults on draft codes of practice and guidance for illegal harms, child safety, age assurance, and enforcement.
- January 2025: Ofcom publishes guidance on effective age checks for adult content and child protection, stating that age assurance methods must be “highly effective” where required.
- March 2025: Platforms gain a legal duty to protect users from illegal content online (Illegal content duties).
- April 2025: Ofcom publishes final Protection of Children Codes and Guidance.
- July 25, 2025: Children’s safety duties come into force and age assurance requirements become enforceable for adult content platforms.
- 2026: Full enforcement; Ofcom shifts focus to measurable compliance outcomes.
To sum up, the first attempts of the Digital Economy Act 2017 to introduce age verification for pornographic websites failed in 2019 due to privacy concerns and implementation challenges. This served as a good lesson for the proponents of the OSA, who learned from that failure by taking a broader, more technology-neutral approach and giving Ofcom the teeth to actually enforce it.
Key Goals of the UK Online Safety Act
Following the enforcement of the OSA, platforms that are likely to be accessed by children must take action to protect them from harmful and age-inappropriate content, including pornography, self-harm, suicide, eating disorder content, bullying, hate, and dangerous challenges.
The OSA is built around several interconnected goals.
To protect children from harmful content
The Act’s most prominent aim is stopping children from accessing content that could harm them – whether that’s pornography, self-harm content, eating disorder material, or content promoting violence.
To remove illegal content
Platforms must have systems to proactively detect and remove illegal material, including child sexual abuse material (CSAM), terrorism content, fraud-related content, intimate image abuse, harassment, and other priority offenses.
To create a duty of care
The Act shifts platforms’ responsibility from reactive takedown to proactive risk management. They now owe their users, especially vulnerable ones, a legally enforceable duty to keep them safe.
To make platforms more transparent and accountable
Larger platforms must publish transparency reports, conduct risk assessments, use better reporting tools, and appoint senior managers accountable for safety compliance.
To empower users
Users must have clear, accessible tools to report problems, make complaints, and control their own safety settings.
Main Requirements Under the Online Safety Act
The Online Safety Act applies to a wide range of online services, such as social media platforms, messaging platforms, search engines, adult-content websites, and even smaller community-based services.
The law makes clear that both UK-based and international companies serving UK users must comply. And when it comes to exact duties, they depend on the type, size, risk level, and features of a service or a platform. Here’s what the law actually requires platforms to do:
Risk assessments
All in-scope services must conduct and record illegal content risk assessments and, where relevant, children’s risk assessments. These assessments should consider the service’s users, features, content types, and potential harms. Moreover, platforms must update them regularly and be ready to submit them to Ofcom on request. In 2026, Ofcom has already issued formal information requests to 30 providers across 43 services, demanding records of more than 70 risk assessments.
Content moderation systems
Platforms must have clear, fast-acting processes to identify and remove illegal content. For example, if a user flags a post containing a credible threat of violence, the platform can’t let that sit in a queue for three days. The Act requires meaningful action, not just a ticket number.
Safety measures
Businesses must use proportionate systems to reduce identified risks, including moderation, automated detection, human review, safer default settings, age assurance, limits on risky features, user reporting tools, and escalation processes.
Reporting and complaints
Every in-scope service must offer users an easy-to-find, accessible complaints mechanism. If a user reports something, the platform must take appropriate action. Users should also have a way to complain if they believe moderation decisions are wrong or if the platform fails to act.
Record-keeping and transparency reporting
Ofcom expects services to keep risk assessments up to date, especially after major product, audience, or feature changes. Also, categorized services (larger platforms) must publish regular transparency reports setting out the risks their service poses and what they’re doing about them.
Age assurance
Services likely to be accessed by children or that host adult content must implement age assurance measures. For adult content platforms, this means “highly effective” age checks. Ofcom’s age assurance guidance says effective methods should meet criteria for technical accuracy, robustness, reliability, and fairness.
Algorithm safety
This requirement represents a significant shift in child protection against illegal content. For children’s services, recommendation algorithms must be configured to filter out harmful content from children’s feeds. This means that services must actively ensure the algorithm doesn’t show harmful content to children.
Senior manager accountability
Finally, safety is now also a company’s boardroom concern and responsibility, because senior managers can face criminal liability if they fail to comply with their duty of care to children.
How the Online Safety Act is Enforced and Penalized
When it comes to OSA enforcement, Ofcom doesn’t wait.
Since enforcement began in March 2025, Ofcom has opened investigations into pornography providers, file-sharing services, and small but high-risk platforms. It has also issued the UK’s first fine exceeding £1 million under the OSA (issued to AVS Group Ltd for not having robust age checks on their various adult websites in line with OSA requirements), which is a clear signal that enforcement is no longer theoretical.
Ofcom penalties for non-compliance are severe:
- Financial penalties of up to £18 million or 10% of qualifying worldwide annual revenue – whichever is higher. And for a large global platform, 10% of global revenue can mean billions of pounds.
- Criminal liability for senior managers who fail to comply with children’s safety duties and with Ofcom information requests.
- Business disruption orders – Ofcom can instruct UK internet service providers to block access to non-compliant platforms entirely, or demand that advertisers stop working with a non-compliant service, effectively shutting them out of the British market.
- Daily penalties for continued non-compliance after a formal notice.
Here is a real-life example: When Ofcom issued its first provisional notice of contravention to 4chan, a US-based platform that failed to respond to two statutory information requests, it included an intention to impose a £20,000 fine with daily penalties accumulating thereafter.
Who is Affected by the UK Online Safety Act?
The OSA is broad in its scope. The rule of thumb is: if your service is accessible in the UK and allows users to interact or find content, you’re likely in scope, regardless of where your company is headquartered. Let’s zoom in on the main categories:
User-to-User Services
The largest category is user-to-user services – platforms where users can post, upload, share, or interact with each other.
- Social media platforms – Facebook, Instagram, TikTok, X (Twitter), and similar platforms with large user bases
- Messaging apps – services such as WhatsApp, Signal, and Telegram, especially where encryption and user safety issues intersect
- Forums, review sites, and discussion boards – any service with user-generated content or community features
- Gaming platforms with chat functionality
- Video-sharing platforms
Search Services
Search engines are also in scope, with specific duties around how they surface harmful or illegal content. Specifically, Ofcom has published separate codes of practice for search services, requiring governance measures, accountability structures, and complaint handling processes similar to those for user-to-user services.
EXAMPLE: A search engine that consistently returns results linking to sites hosting child sexual abuse material would be in breach. Platforms must take proactive steps to ensure illegal content isn’t surfaced through their results.
Adult Content Platforms
Adult content platforms face stricter scrutiny because the Online Safety Act specifically aims to prevent children from accessing pornography. From July 2025, adult content platforms must implement “highly effective” age assurance to prevent children from accessing their content, with no grace period and no phased approach. This applies to any platform accessible in the UK, whether it’s based in Great Britain or not.
International Platforms Serving UK Users
The OSA applies based on where users are, not where a company is registered. This means the Act applies to companies outside the UK if their services have links to the UK, including:
- services with a significant number of UK users,
- services targeting the UK market,
- services accessible in the UK where there is a material risk of significant harm to UK users.
Notably, this “extraterritorial” reach is one of the most significant aspects of the law, and it’s already being tested: Ofcom’s enforcement action against 4chan demonstrates that overseas platforms are firmly in scope.
How Age Verification and Age Assurance Work Under the Online Safety Act
Age assurance is one of the most important and arguably operationally complex elements of the OSA. It’s the mechanism by which platforms confirm or estimate whether a user is a child.
Since a whopping 73% of 11- to 17-year-olds say they encounter harmful content online within any given four-week period, it seems like the voluntary measures aren’t working. That’s why getting the age of online visitors right is absolutely critical.
Let’s analyze how age verification and age assurance operate within the OSA.
Age Verification vs. Age Estimation
First, let’s clarify an important distinction between age verification and age estimation, as they are often confused, even though they serve different purposes.
Age verification uses hard evidence, such as an ID document or a financial record, to confirm that a user meets a minimum age threshold. It’s more accurate but more intrusive. Users must share personal data, and that data must be handled securely.
Age estimation uses signals, such as facial analysis, to infer a user’s likely age range without necessarily confirming an exact date of birth. It’s less intrusive but also less precise. Ofcom has indicated it can form part of a highly effective age assurance (HEAA) solution but may not be sufficient on its own for the highest-risk services.
So, this means that a business may use one method or a combination of methods. The right approach depends on the content, user journey, risk level, privacy impact, and regulatory expectations.
What is Highly Effective Age Assurance?
Ofcom defines “Highly Effective Age Assurance” (HEAA) as age verification or age estimation methods that can reliably determine whether a user is likely to be a child or adult, thus preventing children from accessing age-restricted content.
Being “highly effective” means more than just asking users to tick a box saying they’re over 18. Platforms must use methods that a determined child could not easily circumvent.
In Ofcom’s guidance on what qualifies as HEAA, it’s clearly stated that low-friction but unreliable methods, like simple self-declaration, won’t meet the standard.
Put simply, the method should work, be hard to bypass, produce consistent results, and avoid unfairly excluding or disadvantaging users.
In 2025, 80% of adults in the UK were broadly supportive of age assurance measures to prevent children from encountering online pornography.
Accepted Age Verification Methods
Ofcom recognizes several categories of age assurance technology currently in use:
- Photo ID checks – uploading a government-issued ID, such as a passport or a driver’s license, which is verified, often by an automated system
- Credit card or financial verification – using the existence of a credit account as a proxy for adulthood
- Mobile network operator age verification – using phone contract data to confirm age
- Biometric authentication – including facial age estimation
- Digital identity services – using certified digital identity providers to confirm age attributes
Ofcom takes a technology-neutral, principle-led approach, so no single method is mandated. What matters is effectiveness and privacy compliance, not the specific technology used.
EXAMPLE: If a platform hosts adult content, asking users to click “Yes, I am 18” will not be enough. A stronger approach may involve verifying age through a trusted method before adult content is shown.
Privacy and Data Protection Considerations
Any method that collects personal data, especially biometric data, must comply with the UK GDPR and the Data Protection Act 2018. Unfortunately, this creates a genuine tension: the more effective the age check, the more personal data is involved.
Ofcom has acknowledged this tension and requires that age assurance systems be proportionate, privacy-preserving, and data-minimizing wherever possible. Anonymous age verification, in which a third party confirms age without sharing the underlying identity data with the platform, is an approach that is gaining popularity as a potential way to resolve this tension.
Yet, the privacy debate isn’t settled, and platforms implementing age assurance should expect ongoing regulatory scrutiny of how they handle the data they collect.
Criticism and Support for the Online Safety Act
Like all ambitious legislation, the OSA has generated strong opinions on both sides. And both sides raise important questions. Let’s review them.
Concerns Raised by Critics
Privacy and surveillance
Civil liberties organizations including the Open Rights Group have warned that mandatory age checks could threaten privacy and undermine freedom of expression in the UK. If identification becomes a default requirement for basic online access, the internet changes fundamentally.
Free speech
The Act’s broad definitions of “harmful content” have raised concerns about over-moderation. Critics point out that AI-driven moderation tools are prone to errors. Content relating to addiction support, reproductive health, and historical art has reportedly been caught in overzealous age-gating filters.
Encryption
This might be the most technically controversial issue. The OSA gives Ofcom the power to require platforms to scan encrypted communications for illegal content. Major messaging platforms including Signal and WhatsApp have pushed back strongly, with some suggesting they would exit the UK market rather than weaken end-to-end encryption. At the moment, the UK government has stated that it doesn’t intend to use these powers immediately, but retains the right to do so.
Implementation complexity
Smaller platforms may face a disproportionate compliance burden. Building risk assessment frameworks, content moderation pipelines, and age assurance systems requires additional resources – something a startup or niche platform may struggle to provide.
Why Supporters Back the Act
It’s the numbers that the advocates of the Act use to make their case.
And the numbers are quite shocking: the average age at which UK children first encounter pornographic content is 13, with one in ten encountering it as young as nine. No surprise that child-safety organizations claim that these figures make inaction morally indefensible.
Beyond pornography, children can also encounter serious harm online, including sexual abuse material, grooming, self-harm content, bullying, and other algorithmically recommended harmful material.
In 2024, the Internet Watch Foundation assessed 424,047 reports and confirmed 291,273 reports that contained or linked to child sexual abuse imagery or advertised it, and found that 91% of reports assessed as criminal involved “self-generated” imagery.
The second argument is that the OSA works. Since the age assurance requirements took effect on July 25, 2025, visits to pornography sites in the UK have dropped by a third! Early indicators suggest the measures are having an effect, even if full impact takes time to measure.
Thirdly, child protection activists and policymakers demand accountability after years of self-regulation promises that ended in disappointing results. The OSA is designed to replace voluntary commitments with legally binding duties and real penalties.
Finally, it’s a matter of global positioning for the UK as a leader in online safety regulation. Similar frameworks are emerging in the EU, the US, and Australia, which suggests that this tendency is viable and here to stay.
What Businesses Should Do to Stay Compliant
Now let’s move to the practical part. If your business is in scope and you haven’t started your compliance work yet, here’s what you can do:
- Determine your status. Do you know what your status is under the Act? Are you a user-to-user service, search service, or adult content platform? If you have any UK users and enable content sharing or user interaction, you’re almost certainly in scope.
- Conduct your risk assessments. Did you conduct an illegal content risk assessment? It has been required since March 2025, and the children’s risk assessments were due by July 2025. If you haven’t completed these, addressing this should be your immediate priority, as Ofcom is actively requesting them.
- Review your content moderation systems. Do you have a dedicated team or an automated process to detect and remove illegal content? Is there a clear, accountable person responsible for safety duties? Is your complaints process easy to find and genuinely functional?
- Implement age assurance. If your platform is likely to be accessed by children or hosts adult content, assess which age assurance methods are appropriate for your service. Consider a layered approach that balances effectiveness with user privacy.
- Update your internal policies. Do your privacy policy, terms of service, and internal procedures reflect the new obligations? They will likely need updating. Ensure your legal and compliance teams are aligned on what the Act requires.
- Monitor Ofcom guidance continuously. The OSA is a dynamic regulatory framework. Ofcom is consulting on additional measures and refining its codes on an ongoing basis. So, signing up for Ofcom updates and reviewing guidance regularly is a good idea.
- Prepare for transparency obligations. If you meet the thresholds for a categorized service (platforms with 34 million+ UK monthly users), you will need to publish transparency reports. Even if you don’t meet that threshold, building internal reporting practices now will put you in good shape.
Balancing Safety and Freedom
The UK Online Safety Act is an attempt to answer a genuinely hard question: how do you make the internet safer without making it less free?
On the one hand, the Act makes real trade-offs between privacy and protection, between free expression and harm prevention, between innovation and accountability.
On the other hand, Ofcom acknowledges there is much more for platforms to do to prevent children accessing harmful content online. The organization suggests that further enforcement, further regulation, and, eventually, a harder line on platforms that treat compliance as optional are necessary.
That’s why, for businesses operating online services, the cost of proactive compliance is measurably lower than the cost of enforcement action, reputational damage, or market exclusion. The companies that will navigate this era successfully are those treating online safety as a genuine organizational commitment – one that starts with leadership, runs through product design, and gets measured regularly against outcomes.