UK Online Safety Act: What It Means for Your Privacy in 2026

Lunyb Security Team

The UK Online Safety Act is the most significant piece of internet regulation Britain has ever passed. Marketed as a law to protect children and curb illegal content, it also reshapes how platforms handle your personal data, identity, and private communications. For the average user, that means new age-verification checks, new data-collection requirements, and ongoing debate over the future of end-to-end encryption.

This guide explains, in plain English, what the Online Safety Act actually does, how it affects your privacy as a UK resident, and the practical steps you can take to limit your exposure in 2026.

What is the UK Online Safety Act?

The Online Safety Act 2023 is a UK law that places legal duties on online services — from social networks and search engines to messaging apps and adult sites — to reduce harm to users, especially children. It is enforced by Ofcom, the UK's communications regulator, which can fine non-compliant companies up to £18 million or 10% of global annual turnover, whichever is higher.

The Act became law in October 2023, but its duties are being phased in throughout 2024, 2025, and 2026 as Ofcom publishes its codes of practice. By 2026, most major duties — including illegal content removal, child safety codes, and age assurance for pornography and high-risk platforms — are active.

Which services are in scope?

The Act applies to any service with a "significant number of UK users" or that targets the UK market, regardless of where the company is based. That includes:

  • Social media platforms (Facebook, Instagram, TikTok, X, Reddit)
  • Search engines (Google, Bing, DuckDuckGo)
  • Messaging apps (WhatsApp, Signal, Telegram, iMessage)
  • Adult content sites
  • File-sharing services, forums, dating apps, and gaming platforms
  • Smaller user-to-user services, including many community sites and tools

The Three Pillars of the Act

The Online Safety Act is built around three overlapping sets of duties. Each one has direct privacy implications.

1. Illegal content duties

All in-scope services must proactively prevent users from encountering priority illegal content — including terrorism, child sexual abuse material (CSAM), fraud, and incitement to violence. To meet these duties, platforms are expected to deploy content-scanning systems, hash-matching databases, and AI-based detection tools.

2. Child safety duties

Services likely to be accessed by children must conduct child risk assessments and implement "highly effective" age assurance. This is the most visible part of the Act for everyday users: it is the reason you may now be asked for an ID, selfie, or credit-card check just to browse certain sites.

3. Duties on the largest platforms (Categories 1, 2A, 2B)

The biggest services — designated Category 1 — face extra duties around transparency, user empowerment tools, and content moderation reporting. They must give adult users the option to filter out certain categories of legal-but-harmful content and to verify their identity.

How the Online Safety Act Affects Your Privacy

The Act was written with safety in mind, but several of its mechanisms create real privacy trade-offs. Here are the main ones you should understand.

Age verification means more data collection

To prove you are over 18, platforms now collect data they previously had no business holding. "Highly effective age assurance" can include:

  1. Photo ID checks (passport, driving licence)
  2. Facial age estimation via selfie
  3. Credit card or open banking verification
  4. Mobile network operator age confirmation
  5. Digital identity wallet checks

Even when handled by third-party providers, this represents a major expansion in the sensitive personal data tied to your online activity. A data breach at an age-verification provider could expose ID documents, biometric templates, and a record of which adult or sensitive sites you visited.

Encryption is under pressure

Section 121 of the Act gives Ofcom the power to require services to use "accredited technology" to identify CSAM and terrorism content — including in private messages. End-to-end encrypted (E2EE) services like Signal and WhatsApp have stated they would withdraw from the UK rather than weaken encryption.

The government has said the power will only be used when "technically feasible," and as of 2026 no notice has been issued. But the legal mechanism remains, and client-side scanning — where your device checks your messages before they are encrypted — is the leading proposed approach. Critics argue this is mass surveillance by another name.

More data retention by platforms

To demonstrate compliance, platforms must keep detailed records of risk assessments, moderation actions, and user reports. That generally means more logging of user behaviour, longer retention periods, and more data that can be reached by subpoenas or exposed in breaches.

Identity verification on Category 1 services

The largest platforms must offer users the ability to verify their identity and to filter out interactions with unverified accounts. Verification is optional, but the more users adopt it, the more pressure there is on others to follow — gradually eroding pseudonymous use of major platforms.

Privacy Trade-offs at a Glance

| Duty | Stated benefit | Privacy cost |
|---|---|---|
| Age assurance | Keeps children off adult and high-risk sites | ID, biometric and browsing data shared with verifiers |
| Illegal content scanning | Faster removal of CSAM, terror content, fraud | Automated scanning of uploads and potentially messages |
| Encryption notices (s.121) | Detect abuse in private channels | Risk of weakened or client-side-scanned E2EE |
| Identity verification | Reduce trolling and impersonation | Loss of pseudonymity on major platforms |
| Mandatory record keeping | Accountability and Ofcom oversight | More user data retained for longer |

What the Act Does NOT Do

There is a lot of misinformation about the Online Safety Act. To be clear:

  • It does not ban VPNs. Using a VPN to access services remains legal in the UK.
  • It does not make end-to-end encryption illegal. It creates a power that could be used against E2EE, but that power has not been exercised.
  • It does not require every website to verify your age — only those whose content or risk profile triggers the duty.
  • It does not override UK GDPR. Platforms must still comply with data-protection law when collecting verification data.

Pros and Cons for UK Users

Pros

  • Faster removal of genuinely illegal content like CSAM and fraud
  • Stronger protections for children, including default safety settings
  • Greater transparency from major platforms about moderation
  • User empowerment tools to filter abusive or harmful content
  • Clear regulator (Ofcom) with real enforcement powers

Cons

  • More personal data — including ID and biometrics — flowing to verification providers
  • Ongoing threat to end-to-end encryption via s.121
  • Risk of over-blocking legitimate content through automated scanning
  • Potential withdrawal of privacy-focused services from the UK market
  • Smaller forums and community sites face compliance costs that may push them offline

Practical Steps to Protect Your Privacy

You cannot opt out of the Online Safety Act, but you can reduce the amount of personal data you expose while complying with it.

1. Choose age verification methods carefully

Where you are given a choice, prefer methods that share the least data:

  1. Facial age estimation where the provider deletes the image (no ID stored), over full ID upload
  2. Mobile network age confirmation over credit card checks
  3. Reusable digital identity wallets that share only a "yes/no" age token

Always check whether the verifier is certified to the Age Check Certification Scheme (ACCS) and read their retention policy.

2. Use end-to-end encrypted messaging

Until and unless Ofcom issues a s.121 notice, services like Signal and WhatsApp still provide genuine E2EE in the UK. Use them for sensitive conversations rather than SMS or platform DMs.

3. Minimise the data trail you create

The more you share publicly, the more becomes available to scanning systems, moderators, and breaches. Lock down your social profiles, prune old posts, and think twice before uploading documents to public platforms.

4. Be careful with shortened links

Link shorteners can collect detailed click data — IP addresses, device fingerprints, referrers — which becomes another file on you. If you use a URL shortener to share content, choose a provider that minimises tracking and is transparent about what it logs. Privacy-focused options like Lunyb aim to keep analytics aggregate rather than tying clicks back to individuals; you can read our independent honest review of Lunyb or compare options in our 2026 URL shortener buyer's guide.

5. Use a reputable VPN where appropriate

A VPN does not exempt you from age verification on UK-targeted services, but it does protect your ISP-level browsing record and can reduce profiling. Choose a provider with a clear no-logs policy and independent audits.

6. Exercise your data rights

UK GDPR still applies. You can ask any platform — including age-verification providers — for a copy of the data they hold on you (a Subject Access Request) and request deletion where there is no lawful basis to keep it.

What Businesses and Site Owners Should Do

If you run a UK-facing website, forum, app, or community, you may have duties under the Act even if you are a small operator. Practical steps include:

  1. Carry out an illegal content risk assessment and document it
  2. Decide whether your service is likely to be accessed by children and assess child-risk if so
  3. Publish clear terms of service and a complaints process
  4. Implement proportionate moderation — Ofcom expects effort scaled to risk and size
  5. Minimise data collection and retention to reduce breach impact
  6. Review your supply chain — including link shorteners, analytics, and verification vendors — for compliance and privacy

For marketing-heavy stacks, consolidating tools matters. Choosing a privacy-aware link management platform reduces both compliance burden and data exposure compared to ad-tech-heavy alternatives reviewed in our Rebrandly 2026 review.

Looking Ahead: What to Watch in 2026 and Beyond

The Online Safety Act is still bedding in. Three developments to watch closely:

  • First s.121 notice. If Ofcom issues a notice requiring scanning in encrypted services, expect immediate legal challenges and possible withdrawal of services from the UK market.
  • Age-assurance breaches. The first major breach at a verification provider will be a defining moment for public trust.
  • Category 1 designations. The full list of "largest" services subject to extra duties — including identity verification options — continues to evolve.

The Act is also likely to influence regulation elsewhere. The EU's Digital Services Act, Australia's Online Safety Act, and various US state laws are converging on a similar model. Privacy-aware habits you build now will pay off across multiple jurisdictions.

Frequently Asked Questions

Does the UK Online Safety Act mean I have to upload my ID to use social media?

Not for most general social media use. You will be asked to verify your age on adult sites and on services that present significant risk to children. On Category 1 platforms you may be offered optional identity verification to access certain features or filter unverified users, but verifying is not a condition of using the service.

Is end-to-end encryption banned in the UK?

No. End-to-end encryption remains legal and widely used. The Act contains a power (s.121) that could require scanning of encrypted content where technically feasible, but as of 2026 it has not been used. Apps like Signal and WhatsApp continue to offer E2EE in the UK.

Can I use a VPN to avoid age verification?

VPNs are legal in the UK, and a VPN may let you access a service as if from another country. However, UK-targeted platforms must still apply their duties to UK users, and circumventing age checks may breach a site's terms of service. A VPN is best thought of as a privacy tool, not a compliance workaround.

What happens to my data after age verification?

Reputable verification providers operate under UK GDPR and should only retain the minimum data needed — often just a confirmation token rather than your ID image. Always check the provider's privacy notice and retention period. You can submit a Subject Access Request to find out exactly what is held.

Does the Act apply to small websites and forums?

Yes, if they allow user-to-user content and have UK users. Ofcom applies a proportionate approach — duties scale with size and risk — but even small forums must complete an illegal content risk assessment and have basic safety measures in place. Sites with very low risk and few users face lighter expectations than mainstream platforms.

The Bottom Line

The UK Online Safety Act delivers real safety benefits, particularly for children and victims of illegal content. But it also normalises identity checks, increases data collection, and keeps a door open to encryption-breaking measures. For UK users in 2026, the smart response is not panic but proportion: understand the law, choose privacy-respecting providers, minimise the data you share, and exercise your rights under UK GDPR. Done well, you can comply with the Act without surrendering your privacy along the way.
