UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act is one of the most far-reaching pieces of internet regulation ever passed in Britain. Designed to make the UK "the safest place in the world to be online", it places sweeping new duties on tech platforms, search engines and messaging apps. But as the law moves from statute book to real-world enforcement in 2026, many UK users are asking a sharper question: what does the Online Safety Act mean for my privacy?
This guide breaks the Act down in plain English. We'll look at what's actually required, how age checks and content scanning interact with your personal data, where the encryption debate stands, and what practical steps you can take to stay private while remaining on the right side of the law.
What is the UK Online Safety Act?
The UK Online Safety Act 2023 is a UK law that imposes a legal duty of care on online services to protect users — particularly children — from illegal and harmful content. It is enforced by Ofcom, which can fine non-compliant companies up to £18 million or 10% of global annual turnover, whichever is higher.
The Act applies to any service with a meaningful UK user base, regardless of where the company is based. That includes social networks, video-sharing platforms, search engines, dating apps, cloud storage, online forums, messaging services and even some smaller community sites.
Key dates and rollout
- October 2023 – The Online Safety Act receives Royal Assent.
- 2024 – Ofcom publishes codes of practice for illegal content.
- March 2025 – Illegal harms duties come into force.
- July 2025 – Child safety duties and age assurance requirements begin to bite.
- 2026 onwards – Full enforcement, including fines and senior manager liability for serious failures.
What the Act actually requires platforms to do
The Act creates tiered duties depending on a service's size and risk profile. The biggest "Category 1" platforms face the heaviest obligations, but even small UK forums must take reasonable steps against illegal content.
Core duties for in-scope services
- Risk assessments – Platforms must regularly assess risks of illegal content and harm to children.
- Illegal content removal – Proactive systems to detect and remove terrorism, CSAM, fraud, intimate image abuse and other priority offences.
- Age assurance – "Highly effective" age checks for services likely to be accessed by children, especially where pornography or other restricted content is present.
- Transparency reporting – Annual reports to Ofcom on moderation, complaints and risks.
- User reporting and appeals – Clear, accessible tools for users to flag content and challenge takedowns.
- Senior manager accountability – Named executives can face criminal liability for serious, repeated failures.
UK Online Safety Act and your privacy: the key tensions
The Act doesn't directly rewrite UK GDPR or the Data Protection Act 2018, but in practice it changes how much data platforms collect about you, how they scan your activity, and who might be asked to identify you. The biggest privacy implications fall into four areas.
1. Age verification and identity data
To comply with child safety duties, many platforms now require some form of age assurance. Acceptable methods set out by Ofcom include:
- Photo ID matching (passport or driving licence upload)
- Facial age estimation via selfie
- Credit card or open banking checks
- Mobile network operator age checks
- Digital identity wallets from certified providers
Each of these involves sharing sensitive personal data — often biometric — with either the platform or a third-party age assurance provider. Even when providers promise "data minimisation" and immediate deletion, you are creating new records that didn't exist before.
2. Content scanning and message monitoring
The Act allows Ofcom, in limited cases, to require services to use "accredited technology" to identify CSAM and terrorism content — including, controversially, in private messages. The government has accepted that this power cannot currently be used against end-to-end encrypted services until the technology exists to do so without breaking encryption. But the legal power remains on the books, and that worries privacy advocates.
3. More data retention by platforms
To demonstrate compliance, platforms are logging more: moderation decisions, reports, user behaviour signals, and evidence of age checks. More logs mean more data that can be breached, subpoenaed or repurposed.
4. Pressure on anonymity
Category 1 platforms must give adult users tools to verify their identity and to filter out non-verified accounts. Verification is optional for users — but if you choose not to verify, you may find more of the internet effectively closed to you.
The encryption debate: is end-to-end encryption safe?
End-to-end encryption (E2EE) is the technology behind Signal, WhatsApp, iMessage and many other private messaging tools. It ensures that only the sender and recipient can read a message — not the platform, not your ISP, and not the government.
Section 121 of the Online Safety Act gives Ofcom the power to require services to use "accredited technology" to scan for CSAM. During the Bill's passage, Signal and WhatsApp publicly warned they would withdraw from the UK rather than weaken encryption. The government's eventual position was that the power would only be used when it is "technically feasible" to do so without undermining privacy — a standard that, in 2026, is not met.
In practice this means:
- E2EE messaging apps still work normally in the UK.
- No mainstream service has been ordered to client-side scan messages.
- The legal power remains and could be activated in future if scanning tech matures.
How the Act compares to other regulations
The Online Safety Act is often compared to the EU's Digital Services Act (DSA) and Australia's Online Safety Act. They share goals but differ in scope and enforcement.
| Feature | UK Online Safety Act | EU Digital Services Act | AU Online Safety Act |
|---|---|---|---|
| Regulator | Ofcom | European Commission + national regulators | eSafety Commissioner |
| Maximum fine | £18m or 10% global turnover | 6% global turnover | AU$49.5m |
| Age verification | Mandatory for adult content | Risk-based, mostly voluntary | Industry codes evolving |
| Encryption scanning power | Yes (dormant) | No direct equivalent | Limited |
| Senior manager liability | Criminal in serious cases | Corporate fines | Corporate fines |
Privacy pros and cons of the Online Safety Act
Potential privacy benefits
- Stronger duties to remove intimate image abuse and doxxing material quickly.
- Clearer obligations to protect children's data and limit profiling of minors.
- Mandatory reporting routes that don't rely on platform goodwill.
- Greater transparency about how algorithms and moderation actually work.
Privacy risks and downsides
- More identity and biometric data collected for age assurance.
- Increased platform-side logging and retention.
- Latent legal power to mandate content scanning in private messages.
- Pressure on anonymity through verified-user tools and filters.
- Smaller, privacy-focused services may exit the UK rather than comply.
Practical steps to protect your privacy under the Act
You can't opt out of the law, but you can shape how much of your data ends up in age-check databases, moderation logs and identity wallets. Here's a practical checklist.
- Choose age assurance methods carefully. Where possible, prefer providers that use "double-blind" tokens — they prove you're over 18 without revealing your identity to the platform.
- Use a reputable password manager and unique passwords. The more services hold your ID, the more important breach resilience becomes.
- Turn on end-to-end encryption in apps that offer it (Signal, WhatsApp, iMessage, Messenger secret chats).
- Limit what you share on Category 1 platforms. Treat any large social network as a public broadcast, not a private space.
- Use privacy-respecting link tools. When sharing URLs publicly, avoid trackers and use a shortener that doesn't sell your click data. Services like Lunyb provide clean, privacy-conscious short links — you can read our honest Lunyb review or compare options in our 2026 URL shortener buyer's guide.
- Exercise your data rights. Under UK GDPR you can ask any platform what they hold and request deletion of unnecessary records.
- Review browser and DNS settings. Encrypted DNS (DoH/DoT) and a trustworthy browser reduce passive tracking.
- Be sceptical of "verify to continue" prompts. Check who actually receives your ID — the platform, a UK-certified provider, or an unknown third party.
What businesses and creators need to know
If you run a UK-facing online service — even a Discord community, a forum, or a small SaaS with user-generated content — you may have duties under the Act. Key actions:
- Document a written risk assessment for illegal content and (if relevant) child safety.
- Publish clear terms of service, reporting tools and complaints procedures.
- Map your data flows so age and identity checks comply with UK GDPR.
- Appoint a named senior person responsible for online safety compliance.
- Keep records — Ofcom can ask for evidence even without a formal investigation.
For marketing teams, this also affects how you share links and track campaigns. Using neutral, well-maintained short links (see our Rebrandly review for an enterprise option) helps keep analytics clean without invasive tracking.
The road ahead: what to watch in 2026 and beyond
The Online Safety Act will keep evolving through Ofcom guidance, court challenges and political pressure. Three things are worth watching:
- Age assurance standardisation. Expect tighter certification of providers and possibly a UK digital identity scheme that integrates with age checks.
- The encryption question. Any attempt to activate Section 121 against E2EE services would trigger a major legal and political fight.
- Scope creep. Future amendments may extend the Act to AI-generated content, deepfakes and "legal but harmful" categories for adults.
FAQ: UK Online Safety Act and privacy
Does the UK Online Safety Act ban end-to-end encryption?
No. The Act does not ban encryption. It does give Ofcom the power to require accredited scanning technology in limited cases, but the government has confirmed this power will not be used until it is technically possible to do so without breaking E2EE. In 2026, no mainstream encrypted service has been ordered to weaken its security.
Do I have to upload my passport to use social media in the UK?
Not for most general social media. Age verification is mandatory for services hosting pornography and certain other adult content, and platforms likely to be accessed by children must use "highly effective" age assurance. Many platforms offer multiple methods, including facial age estimation or mobile operator checks, so you don't always need to upload ID.
Can Ofcom read my private messages?
No. Ofcom has no general power to read your messages. It can require platforms to use approved technology to detect specific illegal content (CSAM and terrorism), but this power is currently dormant against end-to-end encrypted services. Normal law enforcement access still requires warrants under separate legislation like the Investigatory Powers Act.
How does the Online Safety Act interact with UK GDPR?
Both laws apply at the same time. Platforms must comply with Online Safety Act duties and handle any personal data — including age verification data — in line with UK GDPR principles of lawfulness, minimisation and security. The ICO and Ofcom have published joint guidance to help services meet both.
What can I do if a platform removes my content unfairly?
The Act requires in-scope platforms to provide accessible complaints and appeal mechanisms. You should first use the platform's internal appeal route. If you believe the platform is systematically failing its duties, you can report concerns to Ofcom, although Ofcom does not resolve individual content disputes. For data-related complaints, the Information Commissioner's Office (ICO) handles UK GDPR issues.
Final thoughts
The UK Online Safety Act is neither the privacy apocalypse some feared nor the safety panacea its supporters promised. It is a serious, complex regulation that genuinely improves protections against some of the worst online harms — while creating real new privacy pressures around identity, age verification and platform data retention.
For UK users in 2026, the smart approach is informed engagement: understand what's required, push back where age checks feel disproportionate, prefer services and tools that minimise data collection, and use encryption wherever you can. Privacy and safety aren't opposites — but keeping both will take ongoing attention from all of us.