#7 What is the Online Safety Act?

The Online Safety Act 2023 is a UK law designed to make the internet safer, especially for children. It places legal duties on platforms like social media, search engines, and messaging services to:

  • Remove illegal content (e.g. child sexual abuse, terrorism, fraud)
  • Protect children from harmful material, even if it's not illegal (e.g. self-harm, eating disorders, pornography)
  • Enforce age restrictions and provide age-appropriate experiences
  • Offer users more control over the content they see
  • Be transparent about moderation and complaints processes

The regulator, Ofcom, oversees compliance, with powers to issue fines of up to £18 million or 10% of global turnover, and even to block access to non-compliant services.

As of 25 July 2025, platforms that host or allow access to adult content must implement robust age verification. This includes:

  • Facial age estimation
  • Photo ID matching
  • Bank or credit card checks
  • Mobile network age checks
  • Email-based age estimation

What are the risks of these checks?

  • Facial age estimation
    • Involves biometric data (your face), which is sensitive under UK GDPR
    • If mishandled, it could lead to identity theft or surveillance concerns
    • Vulnerable to spoofing via deepfakes or masks if not paired with liveness detection
  • Photo ID matching
    • Requires uploading official documents (e.g. passport, driver’s licence) and a selfie
    • If stored insecurely, this poses a major data breach risk
    • Fake or stolen IDs can be used
    • Deepfake tools can manipulate selfies to match stolen documents
  • Bank or credit card checks
    • Involves financial data, which is highly sensitive
    • Even if no transaction occurs, linking a card to a site is still invasive
    • Risk of credit card fraud and identity theft
  • Mobile network age checks
    • Relies on metadata from your mobile provider
    • If misused, it could expose location or account history
    • Vulnerable to SIM swapping or spoofing if not paired with strong authentication
  • Email-based age estimation
    • Uses metadata from your email (e.g. creation date, linked services)
    • While low friction, it can feel like digital snooping
    • Doesn’t confirm identity or ownership
    • A child could use a parent’s email

The act therefore raises legitimate privacy concerns, which include:

  • Erosion of anonymity online, especially for sensitive topics
  • Exposure of personal data to third-party verification providers
  • Surveillance risks, particularly if client-side scanning is introduced for encrypted platforms
  • Increased VPN use, which Ofcom discourages, but which many users are turning to in response

What should people do?

There needs to be a mindset shift towards treating privacy as the default stance when online.

  • Read the privacy policy before submitting anything
  • Choose platforms with strong data protection / data handling policies
  • Avoid uploading sensitive documents directly to content sites
    • Use intermediaries (e.g. banks or mobile providers) that confirm age without sharing personal details with the site itself
  • Use platforms that allow you to delete your data post-verification
  • Use a VPN cautiously. VPNs can mask your IP and location, potentially bypassing age gates, but this just transfers the visibility of what you are doing from your ISP to the VPN provider
    • Platforms may still be able to track users via cookies, GPS, or device fingerprinting.
  • Use secure browsers or privacy extensions
    • Regularly clear cookies and cache
  • Consider temporary email addresses for one-time verification