The UK Online Safety Act has made age verification a legal requirement for a wide range of online services. If your platform hosts content that isn't suitable for children, you now need to think seriously about age assurance. This guide breaks down what the Act requires, who it applies to, and how to comply without turning a compliance step into a data liability.
This article is a practical overview, not legal advice. Always confirm your specific obligations with a qualified adviser.
What the Online Safety Act requires
At its core, the Act requires in-scope services to protect children from harmful or age-inappropriate content. For the most sensitive categories — notably pornographic content — that means using highly effective age assurance to keep under-18s out.
Ofcom, the regulator, has set out that age-assurance methods must be:
- Technically accurate
- Robust
- Reliable
- Fair
A self-declared age gate — a checkbox or a date-of-birth prompt — does not meet this standard, because it cannot actually confirm a user's age.
Who is in scope?
The Act covers a broad set of "user-to-user" and "search" services, including:
- Adult-content platforms — subject to the strictest 18+ age-assurance duty. See our guide to age verification for adult content.
- Social media and user-generated-content platforms — expected to know which users are children and apply age-appropriate protections. See age verification for social media.
- Websites and online services more broadly, where age-restricted content or features are offered. See age verification for websites.
The exact obligations vary by service type and risk, which is why Ofcom's codes are tiered rather than one-size-fits-all.
What "highly effective" means in practice
"Highly effective" is the bar that rules out the easy options. In practice, acceptable methods include:
- AI facial age estimation — estimating age from a live selfie.
- Photo-ID verification — checking a passport or driving licence and matching it to the user.
- Other robust signals — such as verified payment or mobile-network data, depending on context.
Simple credit-card checks and self-declaration are generally not sufficient on their own. The method has to genuinely establish age, not just ask for it.
The privacy tension — and how to resolve it
Here's the catch that trips up many services: doing age verification badly creates a brand-new privacy risk. If you ask every visitor to upload an identity document and you store it, you've built a honeypot of sensitive data — exactly what attackers want and regulators scrutinise. For adult content, a record linking a real person to that usage is uniquely sensitive.
Ofcom expects services to handle this data proportionately. The cleanest way to satisfy both the effectiveness and the data-minimisation expectations is a privacy-first design:
- Process all biometrics in memory and discard them immediately.
- Store only an over-threshold yes/no outcome and a tamper-evident audit record.
- Never retain a record linking an individual's identity to your platform.
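An added example (not Verisoar's code and not part of the original article) of the storage pattern in the list above: only the yes/no outcome is written, and each record is chained to the previous one with a keyed hash so later edits or removals are detectable. The field names, the `AUDIT_KEY` handling and the HMAC-SHA256 chain are assumptions chosen for illustration.

```python
import hashlib, hmac, json, secrets

# Assumption: in production this key lives in a KMS/HSM, separate from the log store.
AUDIT_KEY = secrets.token_bytes(32)
GENESIS = "0" * 64  # chain anchor for the first record

def _mac(prev: str, body: dict) -> str:
    # Canonical JSON so the same record always produces the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev.encode() + data, hashlib.sha256).hexdigest()

def record_check(log: list, estimated_age: float, threshold: int, method: str, ts: int) -> dict:
    """Append an outcome-only record. The age estimate is compared and dropped;
    no image, document, name or account identifier is written."""
    body = {
        "check_id": secrets.token_hex(8),  # random, not derived from the user
        "ts": ts,
        "method": method,
        "threshold": threshold,
        "over_threshold": estimated_age >= threshold,
    }
    prev = log[-1]["mac"] if log else GENESIS
    entry = {**body, "prev": prev, "mac": _mac(prev, body)}
    log.append(entry)
    return entry

def verify_log(log: list):
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(prev, body)):
            return i
        prev = entry["mac"]
    return None

if __name__ == "__main__":
    # Constructed sample checks (not real data).
    log = []
    record_check(log, 34.2, 18, "facial_estimation", 1700000000)
    record_check(log, 16.5, 18, "facial_estimation", 1700000060)
    record_check(log, 21.0, 18, "photo_id", 1700000120)
    print(verify_log(log))           # intact chain
    log[1]["over_threshold"] = True  # simulate an after-the-fact edit
    print(verify_log(log))           # index of the altered record
```

A chain on its own does not reveal records cut from the end of the log, so the most recent `mac` should also be copied somewhere the log's operator cannot rewrite.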
A practical compliance checklist
- Identify whether your content or features are age-restricted, and at what age.
- Choose age-assurance methods that meet the "highly effective" standard.
- Apply a proportionate, tiered approach — light-touch estimation with escalation where needed.
- Minimise data: keep a result and an audit trail, not identity documents.
- Keep evidence — a tamper-evident log that a check ran, for regulator review.
How Verisoar helps with Online Safety Act compliance
Verisoar provides highly effective age assurance designed around the Act: AI age estimation, active liveness, and document verification, with automatic escalation for borderline cases. Everything is processed in memory and discarded — only a coded yes/no and an audit hash are kept — so you meet the effectiveness bar and the proportionality expectation at once.
See how it maps to your use case, or start free and test the full flow today.