UK civil society calls for regulation of age-assurance providers under the Online Safety Act
Open Rights Group and the Age Verification Providers Association warn that unregulated age-assurance services mandated by the Online Safety Act expose UK users to unnecessary privacy and security risks, urging government intervention ahead of a parliamentary debate on the law.
Open Rights Group has called on the UK Government to introduce compulsory regulation for age-assurance providers operating under the Online Safety Act, arguing that millions of users are now required to disclose sensitive personal data to companies that face no statutory privacy or security standards. The organisation has written to the Secretary of State for Science, Innovation and Technology, Liz Kendall, in a letter co-signed by the Age Verification Providers Association and more than 600 individuals.
Since July, platforms covered by the Online Safety Act have begun requiring users to verify their age. This obligation extends far beyond pornography sites and now includes social media services such as Reddit and Bluesky, dating apps, music-streaming platforms like Spotify, and gaming services such as Xbox. In practice, users have no control over which age-verification provider handles their data. The choice rests entirely with platforms, which may be incentivised to opt for cheaper providers with weaker safeguards or commercial models that rely on collecting and monetising additional user data.
Open Rights Group argues that this creates clear and avoidable risks, pointing to high-profile breaches such as the October leak of 70,000 Discord user IDs. The organisation is urging the Government, the Information Commissioner’s Office and Ofcom to establish mandatory privacy, security and data-minimisation requirements for all age-assurance providers operating in the UK market.
James Baker, Platform Power Programme Manager at Open Rights Group, said the Online Safety Act has effectively forced adults to submit sensitive information to access everyday digital services, without any guarantee that the companies handling their data meet basic standards of trustworthiness. The Age Verification Providers Association echoed the call, noting that while the industry has put self-regulatory measures in place – including a code of conduct, audits and certification – formal oversight is still needed.
The renewed attention arrives as MPs prepare to debate the Online Safety Act on Monday 15 December, following a petition signed by more than 550,000 people calling for the law to be repealed. Open Rights Group has published a briefing outlining areas where the legislation could be strengthened, including stronger safeguards for age-assurance systems that have rapidly become central to its implementation.
