What is the UK Online Safety Act and why does it matter for your privacy?
The Online Safety Act 2023 is UK legislation that fundamentally changes how platforms operating in or accessible from the UK handle content moderation and user protection. It came into force in stages, with the most privacy-invasive provisions kicking in on 25 July 2025.
The Act requires user-to-user services and search engines accessible in the UK to protect children from harmful content and implement age-verification checks for adult material. Sounds reasonable on paper. The devil's in the implementation.
Quick Answer
The UK Online Safety Act forces platforms to verify every user's age using 'highly effective' methods like facial scans or photo ID. This applies to any UK-accessible site hosting adult content, creating mandatory biometric or identity checks for all adults. Ofcom enforces the Act and can fine companies up to 10% of global annual revenue or £18 million, whichever is greater.
Ofcom, the UK communications regulator, enforces the Online Safety Act. They've published guidance on what counts as 'highly effective age assurance' (HEAA), and the bar is high. Tick-box self-declarations don't cut it anymore.
The Act applies to any search engine or user-to-user service accessible in the UK, even if the provider is overseas. So a platform based in California or Amsterdam still needs to comply if UK users can access it.
Why does this matter for your privacy? Because 'highly effective' age checks mean processing significant personal data. Facial scans. Photo ID. Credit card details. Mobile network verification. All of this creates data that can be stored, shared, breached, or accessed by authorities.
Government guidance says platforms must confirm age 'without collecting or storing personal data, unless absolutely necessary'. That 'unless' is doing a lot of heavy lifting. In practice, document checks, card checks and facial scans all process significant personal data.
Maximum fine: 10% of global revenue or £18m
The UK Online Safety Act sits alongside existing UK privacy law (UK GDPR and Data Protection Act 2018) and the Investigatory Powers Act 2016. That last one grants UK authorities powers for data retention, interception and bulk surveillance. Age-verification data collected under the Online Safety Act could potentially be subject to these existing surveillance authorities.
That's the privacy concern nobody's talking about loudly enough. You're not just handing your face scan or ID to a platform or third-party verifier. You're creating a data trail that exists within the UK's broader surveillance infrastructure.
The age-verification mandate: why adults must now prove their age online
Let's be clear about what changed on 25 July 2025. Before that date, many adult sites used simple tick-boxes or honour-system declarations. Those are now insufficient under the UK Online Safety Act.
The Act requires 'highly effective age assurance' for any platform displaying adult-only content. Ofcom defines HEAA as methods that reliably determine whether a user is a child or adult. Approved methods include:
- Document verification (photo ID like passport or driving licence)
- Facial age estimation (AI scanning your face to estimate age)
- Credit card checks (adult payment methods)
- Mobile network checks (carrier-verified age data)
- Reusable digital IDs (third-party identity tokens)
Notice what's missing? Tick-boxes. Self-declarations. Anything that relies on user honesty rather than verification.
This means every adult accessing adult content on UK-accessible platforms must submit to one of these checks. Not just children. Not just new users. Everyone.
⚠️ Warning: The UK Online Safety Act applies to platforms, not users. You're not breaking the law by accessing adult content. But platforms face massive fines if they don't implement robust age checks, so they're highly motivated to collect your data.
The government's stated goal is child protection. Preventing children from accessing pornography and other adult material. That's a legitimate policy aim. But the mechanism creates a universal adult verification system.
Think about the implications. To access lawful content as an adult, you now need to prove your identity or submit to biometric scanning. That's a significant shift in the privacy baseline for UK internet users.
And it's not just pornography sites. The Act covers any platform displaying adult-only content. That could include social media with age-restricted sections, dating apps, forums, or user-generated content platforms with adult material.
The scope is broad. The privacy impact is significant. And enforcement of the UK Online Safety Act is backed by serious financial penalties, so platforms are implementing these systems aggressively.
How age-verification checks work and what data they collect
Let's unpack the technical reality of how age-verification checks work under the UK Online Safety Act. Each method processes different types of personal data, with varying privacy implications.
Document verification (photo ID)
This method requires you to upload a photo of your passport, driving licence, or other government-issued ID. The verification provider (often a third party, not the platform itself) extracts your date of birth, name, and other identity details.
Some providers claim they don't store the full document image. Others do. Some create a reusable digital token. Others require fresh verification for each platform. The data handling varies significantly among certified age-verification providers.
What data is collected: Full name, date of birth, document number, photograph, signature, address (if on document). Potentially biometric data extracted from the photo.
Facial age estimation
This uses AI to analyse your face and estimate whether you're above or below 18. Government guidance emphasises that facial estimation tools can estimate age from an image without saving the image or identifying the person.
In theory, that's true. In practice, many providers do retain some data. At minimum, they process your biometric facial data, even if temporarily. Some create facial templates. Others log metadata about the check.
What data is collected: Facial biometric data (even if temporarily), device information, IP address, timestamp. Some providers create facial templates or store confidence scores.
💡 Pro Tip: Facial biometric data is 'special category' data under UK GDPR, requiring explicit consent and higher protection standards. Always check whether a provider stores facial templates or just processes them transiently.
Credit card checks
This method verifies age based on the assumption that only adults hold credit cards. You enter card details, the provider confirms the card is valid and belongs to an adult, then (supposedly) doesn't store the full card number.
The privacy risk here is different. You're linking your payment identity to your adult-content access. That creates a financial data trail that could be breached, shared, or accessed by authorities.
What data is collected: Card number (or token), cardholder name, billing address, transaction metadata. Some providers store tokens for reuse.
Mobile network checks
Your mobile carrier already knows your age from your contract. Mobile network checks use that data to verify you're over 18. You authenticate via your mobile network, the carrier confirms your age to the platform, and you're in.
This method is relatively privacy-preserving if done right, because the carrier can confirm age without revealing your full identity to the platform. But it still creates a data flow between three parties: you, the platform, and your carrier.
What data is collected: Mobile number, carrier-verified age status, authentication tokens. Potentially device information and location data.
Reusable digital IDs
Some providers offer reusable digital identity tokens. You verify your age once with a trusted provider, receive a digital credential, then use that credential across multiple platforms without re-verifying.
This reduces repeated data collection. But it creates a centralised identity system. If that provider is breached or compelled to share data, your adult-content access across multiple platforms could be exposed.
What data is collected: Varies by provider. Typically includes age-verification status, unique identifier, timestamp. Some providers link to your original verification data (ID document or facial scan).
The UK Online Safety Act doesn't mandate a specific method. Platforms choose based on their risk assessment and user experience preferences. That means you might face different checks on different platforms, with varying data-collection practices.
Protect Your General Online Privacy
While age-verification is a platform compliance issue, you can still protect your broader online privacy with a reputable VPN. NordVPN, based in Panama with no mandatory data-retention laws, offers audited no-logs protection and is a solid choice for UK users concerned about general online security.
Third-party age verifiers: data flows, biometrics and the risks nobody talks about
Here's where the UK Online Safety Act gets really murky. Most platforms don't build age-verification systems in-house. They contract with third-party age verifiers.
That means your data flows through multiple parties: you, the platform, and the verification provider. Sometimes more if the verifier uses sub-processors.
Government guidance requires that personal data collected for age checks be minimised and deleted unless retention is 'absolutely necessary'. But enforcement and standards vary among certified providers.
Let's talk about what 'absolutely necessary' means in real contracts. Spoiler: it's often interpreted broadly.
Data-sharing between platforms and verifiers
When you verify your age with a third-party provider, that provider typically shares a verification result with the platform. Sometimes just a yes/no token. Sometimes more detailed data.
The platform's privacy policy and the verifier's terms determine what gets shared. You should read both. Most people don't.
Some verifiers share anonymised age tokens. Others share identifiable data. Some create reusable credentials that track your age-verification across platforms. That last model creates a centralised record of which adult sites you've accessed.
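To make the three sharing models above concrete (identifiable data, a bare yes/no token, and a reusable credential), here is an added toy model of the verifier-to-platform data flow; it is illustrative code written for this article, not any real verifier's protocol. It assumes a shared HMAC key standing in for the verifier's signature, a constructed user record, and constructed platform names, and it shows which fields each model discloses and when two platforms can link their records to one person.

```python
"""Toy model of what a third-party age verifier hands to a platform.

Constructed illustration, not a real verifier's protocol. It compares:
  - an identifiable result (name, DOB, document number alongside the age bit),
  - a minimal yes/no token,
  - a reusable token with a stable (global) identifier,
  - a reusable token with a pairwise (per-platform) identifier,
and checks what each discloses and whether two platforms can link them.
"""
import hashlib
import hmac
import json

# Constructed demo key. It stands in for the verifier's signing key; a real
# deployment would use a public-key signature so platforms cannot forge tokens.
VERIFIER_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample record the verifier holds after a document check.
VERIFIED_USER = {"name": "A. Example", "dob": "1990-01-01", "doc_no": "X1234567"}


def sign_result(payload: dict) -> dict:
    """Verifier signs the result it will pass to the platform."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(VERIFIER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_result(token: dict) -> bool:
    """Platform checks the result is genuine and untampered."""
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(VERIFIER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


def identifiable_result(user: dict) -> dict:
    """Model 1: the verifier forwards identity details with the age bit."""
    return sign_result({"over_18": True, **user})


def minimal_result() -> dict:
    """Model 2: a bare yes/no token; the platform learns nothing else."""
    return sign_result({"over_18": True})


def _user_seed(user: dict) -> str:
    # Stable per-user value derived from the verified record (verifier-side only).
    return hashlib.sha256(json.dumps(user, sort_keys=True).encode()).hexdigest()


def reusable_global(user: dict) -> dict:
    """Model 3: reusable token with the same identifier on every platform."""
    return sign_result({"over_18": True, "uid": _user_seed(user)[:16]})


def reusable_pairwise(user: dict, platform: str) -> dict:
    """Model 4: reusable on one platform, but a different identifier per platform."""
    msg = f"{_user_seed(user)}|{platform}".encode()
    uid = hmac.new(VERIFIER_KEY, msg, hashlib.sha256).hexdigest()[:16]
    return sign_result({"over_18": True, "uid": uid})


def fields_disclosed(token: dict) -> set:
    """Everything the platform learns from the token payload."""
    return set(token["payload"])


def linkable(token_a: dict, token_b: dict) -> bool:
    """True if two platforms holding these tokens can tie them to one person.

    The age bit itself is shared by every adult, so it is excluded; any other
    field with an equal value on both sides is a linking handle.
    """
    a, b = token_a["payload"], token_b["payload"]
    return any(k != "over_18" and k in b and a[k] == b[k] for k in a)


if __name__ == "__main__":
    u = VERIFIED_USER
    models = {
        "identifiable": (identifiable_result(u), identifiable_result(u)),
        "minimal": (minimal_result(), minimal_result()),
        "reusable global id": (reusable_global(u), reusable_global(u)),
        "reusable pairwise id": (reusable_pairwise(u, "site-a"), reusable_pairwise(u, "site-b")),
    }
    for name, (t1, t2) in models.items():
        print(f"{name:22s} discloses={sorted(fields_disclosed(t1))} "
              f"valid={verify_result(t1)} two_sites_linkable={linkable(t1, t2)}")
```

The pairwise model keeps the convenience of a reusable credential (the same platform sees the same identifier each visit) without giving two platforms a common handle to build the cross-site access record described above.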
Biometric database risks
Facial age estimation and document verification both process biometric data. Under UK GDPR, biometric data is 'special category' data requiring explicit consent and higher protection standards.
But here's the concern: if verifiers retain facial templates or biometric identifiers, they're building centralised biometric databases. Those databases become attractive targets for breaches, state access, or repurposing beyond child safety.
Civil-society groups describe mandatory age-verification as a 'surveillance system' for exactly this reason. You're creating biometric records to access lawful content.
⚠️ Warning: The UK Online Safety Act doesn't prohibit biometric database creation. It requires data protection, but the standards and enforcement vary. Always check whether a verifier stores biometric templates or processes them transiently.
Data breaches and security risks
Any system collecting identity documents, facial scans, or payment data is a breach target. The more centralised the system, the more attractive the target.
If a major age-verification provider is breached, millions of users' identity data and adult-content access records could be exposed. That's not hypothetical. Adult sites have been breached before, exposing user data.
The UK Online Safety Act requires platforms and verifiers to protect user data, and companies can face 'heavy penalties' under both the Online Safety Act and UK data-protection law for failures. But penalties after a breach don't un-breach your data.
Third-party commercial use
Some age-verification providers are commercial entities with business models beyond compliance. They might use verification data for analytics, advertising, or other purposes (with consent, theoretically).
Always check the privacy policy. Look for clauses about data sharing with partners, analytics, or commercial use. If a verifier offers 'free' age verification, ask yourself how they're monetising.
The UK Online Safety Act doesn't prohibit commercial use of age-verification data. UK GDPR requires lawful basis and consent, but the consent mechanisms are often buried in lengthy terms.
The upshot? Third-party age verifiers create data flows and risks that government guidance glosses over. You're trusting not just the platform, but also the verifier and potentially their sub-processors. That's a lot of trust for accessing lawful content.
The UK Online Safety Act meets the Investigatory Powers Act: your data in the surveillance landscape
Now we get to the part that really matters for privacy-conscious UK users. The UK Online Safety Act doesn't exist in a vacuum. It sits alongside existing UK surveillance law, particularly the Investigatory Powers Act 2016.
The Investigatory Powers Act (IPA) grants UK authorities powers for data retention, interception, and bulk surveillance. It's sometimes called the 'Snooper's Charter' by critics.
Age-verification data collected under the Online Safety Act could potentially be subject to these existing surveillance authorities. Let's unpack what that means.
Data retention under the IPA
The IPA allows the government to require communications providers to retain certain data for up to 12 months. That includes internet connection records (ICRs), which log which services you've connected to.
If you access an adult site that requires age verification, your ICR will show that connection. If the age-verification provider retains your identity data, that creates a linkable record: your identity, the timestamp, and the adult site.
The IPA doesn't specifically cover age-verification data. But it covers communications data broadly, and age-verification often involves communications between you, the platform, and the verifier.
Bulk surveillance powers
The IPA grants intelligence agencies bulk surveillance powers, including bulk interception, bulk acquisition, and bulk equipment interference. These powers are subject to warrants and oversight, but they exist.
If age-verification creates centralised databases of identity data linked to adult-content access, those databases could theoretically be accessed under bulk powers. That's the surveillance concern civil-society groups raise.
To be clear: there's no public evidence that UK intelligence agencies are targeting age-verification data. But the legal framework allows it, and the data infrastructure being built under the Online Safety Act could facilitate it.
Months of data retention allowed under IPA 2016: 12
Law enforcement access
Beyond intelligence agencies, law enforcement can request data under various legal powers. If a platform or age-verification provider holds your identity data and adult-content access records, those records could be subject to lawful access requests.
The UK Online Safety Act doesn't create new surveillance powers. But it creates new data that existing powers can access. That's the privacy risk.
How this differs from other jurisdictions
The UK has some of the most extensive surveillance powers in the democratic world. The IPA is broader than equivalent laws in many EU countries, and the UK is no longer bound by EU privacy protections post-Brexit (though UK GDPR is similar).
If you're using a VPN provider based in the UK, that provider could be subject to IPA data-retention or interception orders. That's why privacy-focused users often choose VPN providers based in jurisdictions without mandatory data-retention laws.
NordVPN, for example, is based in Panama. Panama has no mandatory data-retention laws for consumer VPNs, and it's outside the Five Eyes, Nine Eyes, and Fourteen Eyes intelligence-sharing agreements. That jurisdictional choice matters for UK users concerned about surveillance.
The UK Online Safety Act creates data. The Investigatory Powers Act creates access mechanisms. Together, they form a surveillance infrastructure that civil-society groups argue is disproportionate for child-safety goals.
Are VPNs legal in the UK, and can they help you stay private?
Let's address the VPN question directly, because there's confusion about what VPNs can and can't do under the UK Online Safety Act.
First: yes, VPNs are legal in the UK. The UK government confirms this. VPNs are legitimate privacy tools used for security, encryption, and protecting your online activity from ISP logging, public Wi-Fi snooping, and other threats.
Using a VPN does not break UK law. Full stop.
Quick Answer
VPNs are legal in the UK and protect your general online privacy. However, using a VPN doesn't erase platform obligations under the UK Online Safety Act. Platforms must implement age checks regardless of user location or VPN use. The regulatory responsibility lies with platforms, not users. A VPN protects your broader online security but doesn't exempt platforms from compliance.
What VPNs do for your privacy
A VPN encrypts your internet traffic and routes it through a server in a location of your choice. This provides several privacy benefits:
- Your ISP can't see which sites you visit (only that you're connected to a VPN)
- The sites you visit see the VPN server's IP address, not yours
- Your traffic is encrypted, protecting against interception on public Wi-Fi or network-level surveillance
- You can appear to be in a different country, useful for accessing geo-restricted content
These are legitimate privacy and security benefits. Many UK users employ VPNs for general online privacy protection, especially given the IPA's data-retention requirements for ISPs.
What VPNs don't do under the Online Safety Act
Using a VPN doesn't erase platform obligations under the UK Online Safety Act. Here's why:
The Act places responsibility on platforms, not users. Platforms accessible in the UK must implement age-verification regardless of whether users connect via VPN.
If you use a VPN to appear to be in another country, the platform might not serve you UK-specific age checks. But that's a platform compliance decision, not a user legal issue.
Ofcom has warned that it will be illegal for platforms to encourage VPN use to circumvent age checks. Platforms should not host content encouraging children to bypass protections. But that's a platform obligation, not a user prohibition.
You're not breaking the law by using a VPN. Platforms are breaking the law if they don't implement robust age checks for UK users.
💡 Pro Tip: A VPN protects your general online privacy from ISP logging and network surveillance. It doesn't make you anonymous to platforms you log into or provide identity data to. Use a VPN for encryption and privacy, not as an age-verification bypass.
Choosing a VPN for UK privacy
If you're using a VPN for general online privacy in the UK, jurisdiction matters. A VPN provider based in the UK or a Five Eyes country could be subject to data-retention or interception orders under the IPA.
Privacy-focused users typically choose providers based in jurisdictions without mandatory data-retention laws. Panama, Switzerland, and the British Virgin Islands are popular choices.
NordVPN, based in Panama, offers several advantages for UK users concerned about the UK Online Safety Act and broader surveillance:
- Panama has no mandatory data-retention laws for consumer VPNs
- NordVPN maintains a strict no-logs policy, independently audited by major firms to confirm it doesn't collect identifiable usage logs
- The service offers strong encryption, a kill switch, and DNS leak protection
- Multi-year plans are competitively priced for UK users
- NordVPN is outside Five Eyes, Nine Eyes, and Fourteen Eyes intelligence-sharing agreements
ProtonVPN, based in Switzerland, is another solid choice. Switzerland has strong privacy laws, and Proton has a long track record of privacy advocacy. Both NordVPN and ProtonVPN are reputable providers with audited no-logs policies.
VPNs and the broader UK privacy landscape
The UK Online Safety Act is one piece of a broader privacy landscape. The IPA requires ISPs to retain connection records. Government agencies have bulk surveillance powers. Data-protection enforcement is inconsistent.
A VPN protects you from ISP-level logging and network surveillance. It doesn't protect you from data you voluntarily provide to platforms (like age-verification data). But it's a valuable tool in a layered privacy strategy.
Think of a VPN as encryption and anonymisation for your network traffic. It's not a silver bullet, but it's a meaningful privacy enhancement, especially in a jurisdiction with extensive surveillance powers like the UK.
How to protect your privacy under the new rules: practical steps and tools
Right. You understand the UK Online Safety Act, the age-verification risks, and the surveillance landscape. What can you actually do to protect your privacy?
Here are practical steps, acknowledging that you can't entirely opt out of age-verification if you want to access adult content on UK platforms.
1. Review privacy policies before submitting data
Before you verify your age on any platform, read the privacy policy. Look for:
- What data is collected (document, biometric, payment)
- Whether data is stored or processed transiently
- Who the data is shared with (third-party verifiers, partners)
- How long data is retained
- Whether you can request deletion
- What happens if the provider is breached
Most people skip this. Don't. The privacy policy tells you what you're agreeing to.
2. Choose the least invasive verification method
If a platform offers multiple age-verification methods, choose the one that collects the least data.
Mobile network checks are often less invasive than photo ID uploads. Reusable digital tokens can reduce repeated data collection, though they create centralised identity records.
Facial age estimation is a mixed bag. It processes biometric data, but some providers don't store facial images. Check the provider's technical documentation.
3. Use a reputable VPN for general online privacy
A VPN won't bypass age-verification, but it protects your broader online privacy. It encrypts your traffic, hides your activity from your ISP, and reduces network-level surveillance.
Choose a provider based in a jurisdiction without mandatory data-retention laws. NordVPN (Panama) and ProtonVPN (Switzerland) are both solid choices for UK users.
Make sure the provider has an audited no-logs policy. 'No-logs' claims are meaningless without independent verification.
Our Top VPN Recommendation for UK Privacy
NordVPN offers audited no-logs protection, Panama jurisdiction outside surveillance agreements, and competitive pricing for UK users. It's a strong choice for general online privacy in the UK's surveillance landscape.
4. Exercise your UK GDPR rights
Under UK GDPR, you have rights to:
- Access: request what data a platform or verifier holds about you
- Rectification: correct inaccurate data
- Erasure: request deletion (subject to legal retention requirements)
- Portability: receive your data in a machine-readable format
- Object: object to processing based on legitimate interests
Use these rights. Request what age-verification data is held about you. Ask for deletion if retention isn't legally required. Most companies will comply to avoid ICO complaints.
5. Consider whether you need to access a particular service
This is the hard question. If a platform requires invasive age-verification and you're uncomfortable with the data collection, consider whether you actually need to access that platform.
There's no privacy-preserving way to access adult content on platforms that require biometric or identity verification. You either submit to the check or don't access the content.
That's the trade-off the UK Online Safety Act creates. It's not a comfortable trade-off, but it's the reality.
6. Use privacy-enhancing tools for other online activities
Age-verification is one privacy risk. But your broader online activity creates data trails too. Use privacy-enhancing tools across the board:
- Encrypted email (Proton Mail, Tutanota)
- Encrypted messaging (Signal, not WhatsApp)
- Privacy-focused browsers (Firefox with privacy extensions, Brave)
- Ad and tracker blockers (uBlock Origin)
- Encrypted cloud storage (Proton Drive, Tresorit)
A layered privacy strategy reduces your overall data exposure. No single tool solves everything, but together they significantly enhance your privacy.
For UK users particularly concerned about surveillance, consider Proton's suite of privacy tools, which includes encrypted email, VPN, calendar, and cloud storage under one subscription.
7. Stay informed about enforcement and platform practices
The UK Online Safety Act is new. Enforcement practices, platform compliance approaches, and age-verification technologies will evolve.
Monitor Ofcom's official guidance for updates on regulatory interpretation. Follow civil-society organisations like the Electronic Frontier Foundation and UK-based privacy advocates for analysis of enforcement actions and privacy implications.
Platform privacy practices change. A provider that minimises data collection today might change its approach tomorrow. Stay informed.
8. Support legislative advocacy
If you're concerned about the privacy implications of the UK Online Safety Act, support organisations advocating for privacy-preserving alternatives.
Civil-society groups have proposed age-verification approaches that don't require centralised identity databases or biometric collection. Device-level parental controls, for example, can restrict children's access without creating adult surveillance systems.
Legislative change requires public pressure. If enough people raise privacy concerns, future amendments might address the surveillance risks.
The bottom line: navigating privacy in the age of mandatory verification
The UK Online Safety Act creates a fundamental tension between child protection and adult privacy. To keep children safe, the government has built a system that requires adults to prove their identity or submit to biometric scanning to access lawful content.
That's the trade-off. You can agree with the policy goal whilst questioning the implementation. Child safety is important. Universal adult surveillance is concerning. Both things can be true.
What matters now is understanding the privacy risks and taking practical steps to protect yourself. Review privacy policies. Choose less invasive verification methods where possible. Use a reputable VPN like NordVPN for general online privacy. Exercise your UK GDPR rights. Stay informed about enforcement and platform practices.
The UK Online Safety Act is new law. How it's enforced, how platforms comply, and how age-verification technologies evolve will shape the actual privacy impact. The risks outlined here are real, but they're not inevitable. Strong data-protection enforcement, privacy-preserving verification technologies, and public pressure for legislative amendments can all reduce the surveillance implications.
In the meantime, protect your general online privacy with tools like VPNs, encrypted communications, and privacy-focused services. The age-verification requirement is one piece of the UK privacy landscape. The broader surveillance infrastructure matters too.
And remember: VPNs are legal. Privacy tools are legal. Protecting your online security and encryption is not only legal, it's sensible in a jurisdiction with extensive data-retention and surveillance powers.
The UK Online Safety Act changes the rules for adult-content access. It doesn't change the legitimacy of protecting your privacy everywhere else online.