Online Safety Act forces age verification

September 1, 2025

On 26 October 2023, the Online Safety Act was passed into law following a six-year legislative journey. Its primary goal is to reduce the risks posed by illegal and harmful content online while balancing the protection of freedom of expression. The Act applies to a wide range of services, including social media platforms, search engines, video-sharing sites, online forums, and messaging services, even if they are based outside the UK but have significant UK user bases.

The Act, which officially came into effect on 25 July 2025, marks a transformative moment in the UK’s approach to regulating digital platforms. Designed to protect users—especially children—from harmful online content, the Act introduces a comprehensive framework that places legal responsibilities on tech companies to ensure safer online environments.

The Act introduces several core duties for regulated services:

  • Protection Against Illegal Content—Platforms must identify and swiftly remove illegal content, including illegal content such as terrorism, child sexual exploitation, threats to kill, fraud, and human trafficking.
  • Child Safety Measures – The strongest protections are aimed at children. Platforms must prevent access to harmful and age-inappropriate content and implement age assurance mechanisms.
  • Adult User Protections – Adults are given more control over the content they see, but platforms must be transparent about what types of potentially harmful content are allowed and offer tools for users to customise their experience.
  • Transparency and Accountability – Companies are required to publish reports detailing how they manage harmful content. Ofcom, the UK’s communications regulator, oversees compliance and has powers to issue fines and enforcement notices.
  • New Criminal Offences – The Act also introduced criminal offences related to online harm, including cyberflashing and sharing intimate images without consent.

Implementation

Internet users in the UK can use the following methods to prove their age, Ofcom has said.

  • Facial age estimation – you show your face via photo or video, and technology analyses it to estimate your age.
  • Open banking – you give permission for the age-check service to securely access information from your bank.
  • Digital identity services – these include digital identity wallets, which can securely store and share information which proves your age in a digital format.
  • Credit card age checks – you provide your credit card details, and a payment processor checks if the card is valid.
  • Email-based age estimation – you provide your email address, and technology analyses other online services where it has been used, such as banking or utility providers, to estimate your age.
  • Mobile network operator age checks – you give your permission for an age-check service to confirm whether or not your mobile phone number has age filters applied to it. If there are no restrictions, this confirms you are over 18.
  • Photo-ID matching –you upload an image of a document that shows your face and age and an image of yourself at the same time. These are compared to confirm if the document is yours.

The introduction is all well and good, but will it work or potentially cause bigger issues?

However, the very process of providing age verification means companies now hold sensitive data and documents, and these are inevitably going to become a target for hackers. The cost and complexity of implementing age verification, content moderation, and transparency reporting could force some services to exit the UK market or reduce their offerings, potentially stifling innovation and competition.

But the most interesting development is the rise in use of Virtual Private Networks, known as VPNs. A VPN is a client/server system where the client is loaded on your device and connects to a remote server. These servers are located in various countries throughout the globe and effectively mask your real location. Everyone who accesses the internet needs an address, known as an IP address. This can identify where you access the internet from, a bit like a post code. But imagine you dig a tunnel from your house to another house in, say, France; you can use that tunnel to exit from the front door of a house in France.

And it’s very clear that people are opting to use VPNs, as researchers at vpnMentor saw the demand for VPN services in the UK increase steadily following the Act coming into effect. Demand peaked at 6,430% and remained at that level for nearly two hours. As of 30 July, half of the top ten free apps in Apple’s app download charts in the UK appeared to be for VPN services.

Stopping children from accessing porn is one thing, but it’s clear ways are being exploited to bypass this requirement. But aside from porn, what are we doing to limit access? After all, many children under thirteen years of age are using social media, with parents having very little knowledge of what goes on.