UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act (OSA) is one of the most far-reaching pieces of internet regulation ever passed in Britain. Designed to make the UK "the safest place in the world to be online," it places sweeping duties on social networks, messaging apps, search engines and adult sites. But behind the safeguarding headlines lies a more complicated story for everyday users: the Act fundamentally reshapes how platforms handle your data, your messages and your identity.
This guide explains, in plain English, what the UK Online Safety Act actually does, how it affects your privacy in 2026, and the practical steps you can take to protect yourself while staying compliant with the law.
What is the UK Online Safety Act?
The UK Online Safety Act 2023 is a law that requires online platforms to identify, remove and prevent illegal and harmful content accessed by UK users. It is enforced by Ofcom, the UK's communications regulator, which can fine companies up to £18 million or 10% of their global annual turnover for non-compliance.
The Act covers three main categories of service:
- User-to-user services – social networks, forums, messaging apps and comment sections.
- Search services – general-purpose search engines.
- Pornography providers – any commercial site publishing adult content to UK users.
The legislation came into force in stages, with the most consequential duties – including illegal content duties, child safety codes and age assurance requirements – becoming enforceable through 2025 and into 2026.
Who is regulated?
The Act has extraterritorial reach. A platform based in California, Berlin or Singapore must comply if it has a "significant number" of UK users or targets the UK market. This is why global services from Meta to Discord to small niche forums have updated their UK-facing policies.
The Core Privacy Implications
While the Online Safety Act is framed as a child protection and anti-harm measure, several of its provisions have direct consequences for the privacy of ordinary adult users in the UK.
1. Age verification and age assurance
Sites hosting pornography, and many large social platforms, must now use "highly effective" age assurance to keep under-18s away from adult or harmful content. In practice, this can mean uploading a photo of your passport or driving licence, submitting to a facial age-estimation scan, or linking a credit card or mobile contract to your account.
Each of these methods creates a new data trail tying your real-world identity to content you view. Even when verification is handled by a third-party provider, the existence of that record is itself a privacy risk – through data breaches, subject access requests, or future changes in law.
2. Pressure on end-to-end encryption
Section 121 of the Act gives Ofcom the power to require platforms to use "accredited technology" to identify child sexual abuse material (CSAM) or terrorism content, including in private messages. Critics – including Signal, WhatsApp and Apple – have argued this is incompatible with end-to-end encryption, because scanning content on a user's device before it is encrypted ("client-side scanning") effectively breaks the privacy guarantee.
The UK government has said the power will only be used when "technically feasible," but it has not been removed from the statute. The chilling effect is real: any encrypted service operating in the UK now has a regulatory sword hanging over it.
3. Greater data retention by platforms
To demonstrate compliance with their safety duties, platforms must keep more logs: records of moderation decisions, user reports, risk assessments, and in some cases, content that has been removed. This means more of your activity – including content you posted and then deleted – is being stored for longer.
4. Identity-linked accounts
Category 1 services (the largest platforms) must give adults a way to verify their identity and to filter out interactions with unverified accounts. While participation is optional, this nudges the wider internet toward identity-linked use and away from pseudonymity, a long-standing pillar of online privacy.
How Platforms Are Changing Their Behaviour
Since the OSA came into force, UK users have noticed visible changes:
| Change | What you'll notice | Privacy impact |
|---|---|---|
| Age gates on adult sites | ID upload or face scan before access | Identity tied to viewing history |
| Stricter content moderation | More takedowns, account suspensions | More data retained about your posts |
| Reduced features for under-18s | Limited DMs, recommendations, livestreams | Requires age estimation for all users |
| Service withdrawal | Some smaller forums geo-block the UK | Less choice, more concentration on big platforms |
| Default safety settings | Sensitive content hidden by default | Settings tied to declared age/region |
Services that have left or limited UK access
A number of smaller platforms – particularly independent forums, niche adult communities and federated services – have either geo-blocked UK users or shut down UK operations rather than absorb compliance costs. This consolidates online life on a handful of well-resourced US tech giants, which itself has privacy consequences.
What the Act Does NOT Do
It is worth being clear about the limits of the law, because misinformation circulates in both directions.
- It does not ban encryption. The Act does not prohibit end-to-end encrypted messaging. It does, however, give Ofcom powers that could be used against it in future.
- It does not require every website to verify your ID. Age assurance is mandatory only for services hosting pornography or content judged harmful to children, and the standard is risk-based.
- It does not give the government direct access to your messages. Any scanning powers run through platforms and Ofcom, not through a state backdoor.
- It does not override UK GDPR. Platforms must still comply with data protection law, including data minimisation and lawful basis for processing.
Practical Steps to Protect Your Privacy
If you live in the UK and want to maintain a strong privacy posture under the new regime, there are concrete steps you can take today.
1. Choose age verification methods carefully
When you must verify your age, prefer providers that use double-blind systems – where the verifier never learns which site you are accessing, and the site never learns who you are. Look for certification under the UK's Age Assurance code of practice and avoid uploading raw passport scans to sites that handle verification themselves.
2. Reduce your data footprint
Because platforms are retaining more, the best defence is to share less. Audit your accounts, delete old posts, disable unnecessary linked apps, and use email aliases for sign-ups. The less personal data exists in a platform's logs, the less can be exposed in a breach or a legal disclosure request.
3. Use encrypted DNS and a privacy-respecting browser
Even without naming any specific tunnelling tool, you can meaningfully reduce tracking by enabling DNS-over-HTTPS in your browser, switching to a privacy-focused browser such as Firefox or Brave, and installing a reputable content blocker. These steps reduce passive surveillance by networks, ISPs and ad-tech without involving any banned technologies.
4. Be careful what you share through links
Links are one of the most underestimated privacy leaks. Pasting a long URL with embedded tracking parameters into a public post can reveal which campaign, mailing list, or affiliate you came from. Using a privacy-respecting link shortener like Lunyb strips that exposure: you share a clean short link, and your audience sees nothing about the underlying source. For an independent look at the service, see our honest review of Lunyb, or compare it with alternatives in our 2026 buyer's guide and detailed Rebrandly review.
5. Understand your rights under UK GDPR
You retain all your existing rights, including the right of access, the right to erasure, and the right to object to certain processing. If a platform retains your data "for safety purposes," you can still ask what is held and why. Complaints can be escalated to the Information Commissioner's Office (ICO).
The Bigger Picture: Safety vs. Privacy
The Online Safety Act represents a values trade-off that the UK Parliament has made on behalf of its citizens. The argument is that some loss of anonymity and privacy is a price worth paying for reducing child exploitation, terrorist content and cyber-stalking. Whether that trade-off is the right one is a legitimate political debate – and one that is far from settled.
What is clear is that the Act sets a global precedent. Australia, Canada and the EU are all watching the UK's enforcement approach, and platforms tend to apply the strictest regime they face globally. In other words, decisions Ofcom makes in 2026 will shape how billions of people experience the internet, not just the 67 million in the UK.
Where things go next
Several flashpoints are worth watching:
- Whether Ofcom uses its scanning powers against encrypted messengers, and how the courts respond.
- How the age verification market consolidates – and whether a major breach forces a rethink.
- The interaction between the OSA, the Data (Use and Access) Bill and the UK's evolving data protection framework.
- Legal challenges from civil liberties groups such as the Open Rights Group and Big Brother Watch.
Quick Reference: Your Privacy Under the OSA
| Concern | What the Act does | What you can do |
|---|---|---|
| Age verification | Mandates "highly effective" age assurance for adult/harmful content | Use double-blind, certified verifiers |
| Encrypted messaging | Creates potential scanning powers (not yet used at scale) | Stick with encrypted apps; watch policy changes |
| Anonymity | Allows users to filter out unverified accounts | Verification remains optional for most users |
| Data retention | Requires more logs of moderation and reports | Minimise what you post and link |
| Cross-border data | Applies to overseas platforms targeting UK | Read updated UK-specific privacy notices |
Frequently Asked Questions
Does the UK Online Safety Act mean the end of anonymous accounts?
No. Anonymity and pseudonymity are still permitted on most services. The Act only requires large "Category 1" platforms to offer identity verification and the ability for users to filter out unverified accounts. You are not required to verify your identity to use social media, but other users may choose not to interact with you if you don't.
Will I have to upload my passport to use Reddit, Discord or Twitter/X?
Not for general use. You may be asked to confirm your age – through estimation, a credit card check or an ID document – if you try to access content classified as harmful to children, such as pornography, certain self-harm material, or some violent content. The exact approach varies by platform.
Is end-to-end encryption illegal in the UK now?
No. End-to-end encryption remains lawful, and apps like Signal, iMessage and WhatsApp continue to operate in the UK. The Act gives Ofcom a power to require content-scanning technology in narrow circumstances, but the government has stated it will only be used when technically feasible without breaking encryption – a condition many engineers say cannot currently be met.
How is the Online Safety Act enforced?
Ofcom is the regulator. It can demand information from platforms, issue codes of practice, levy fines of up to £18 million or 10% of global turnover, and in serious cases apply to the courts to block access to a non-compliant service in the UK. Senior managers can face criminal liability for certain failures, including failing to comply with information notices.
What should I do if a platform mishandles my verification data?
You can complain directly to the platform, then escalate to the Information Commissioner's Office (ICO), which enforces UK GDPR. If you believe the platform has breached its Online Safety Act duties – for example by failing to operate effective complaints procedures – you can also report it to Ofcom. Keep evidence: screenshots, dates, and copies of any correspondence.
Final Thoughts
The UK Online Safety Act is neither the dystopia its loudest critics describe nor the silver bullet its supporters promised. It is a complex, evolving regime that genuinely tightens platform accountability while also introducing new privacy risks – particularly around identity verification and the long-term future of encrypted messaging.
For UK users, the sensible response is informed pragmatism: understand the rules, audit your digital footprint, choose tools that minimise data exposure, and pay attention to how Ofcom uses its powers in the months ahead. Privacy in 2026 is no longer something you can take for granted by default – but with the right habits and tools, it is still very much something you can defend.