UK regulators clarify how platforms should verify users’ age under safety and data protection laws
A joint statement by Ofcom and the Information Commissioner’s Office explains how online services should implement age checks while complying with both online safety and data protection rules.
The UK’s Ofcom and Information Commissioner’s Office (ICO) have issued a joint statement setting out how online services should implement age assurance, a process used to determine whether a user is a child or an adult.
The document explains that age assurance is necessary to protect children from harmful content, such as pornography or self-harm material, and from risks related to how their personal data is used. It applies to services likely to be accessed by children and covered by the UK’s Online Safety Act and data protection laws.
The statement clarifies that platforms must use methods that are effective in identifying whether a user is a child. Simply asking users to confirm their age is not considered sufficient, as it can be easily bypassed.
Instead, services are expected to choose more reliable methods, such as document checks, facial age estimation, or digital identity tools, depending on the level of risk. At the same time, regulators emphasise that these methods must be proportionate and respect users’ privacy, since they involve processing personal data.
The guidance also explains that platforms must balance two obligations. Under online safety rules, they must prevent children from accessing harmful content. Under data protection law, they must ensure that any personal data collected for age checks is handled lawfully, used only for its intended purpose, and not kept longer than necessary.
For services that set a minimum age, such as 13, the statement notes that companies should use effective age checks to prevent underage users from accessing the platform. If they cannot reliably determine users’ ages, they may need to apply child protection standards to all users by default.
The document provides examples of how different services, including social media platforms and pornography sites, can implement age assurance in practice. These examples show how age checks can be integrated into user access controls while meeting legal requirements.
