UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act is one of the most far-reaching pieces of internet legislation Britain has ever passed. Designed to make the UK "the safest place in the world to be online", it places sweeping new duties on platforms — but it also raises serious questions about user privacy, encryption, and how much of your online life regulators and platforms will now be expected to monitor.
This guide breaks down exactly what the Act is, which parts are already in force in 2025-2026, and what it practically means for your privacy as a UK internet user.
What Is the UK Online Safety Act?
The Online Safety Act 2023 is a UK law that requires online services — from social networks and search engines to messaging apps and pornography sites — to protect users (especially children) from illegal and harmful content. It is enforced by Ofcom, which can fine non-compliant platforms up to £18 million or 10% of global annual turnover, whichever is greater.
The Act covers any service with a "significant number of UK users" or that targets the UK market, regardless of where the company is based. That means US, EU and Asian platforms must comply if British people use them.
Key Dates and Phases
- October 2023: Act receives Royal Assent.
- March 2025: Illegal content duties go live — platforms must proactively detect and remove illegal material.
- July 2025: Highly effective age assurance required for adult content sites and services hosting pornography.
- Late 2025 onwards: Child safety duties, transparency reporting and categorised-service rules phase in.
Why the Act Matters for Your Privacy
On paper, the Online Safety Act is about safety, not surveillance. In practice, several of its provisions create direct tension with established privacy expectations. The three biggest pressure points are age verification, content scanning, and encrypted messaging.
1. Mandatory Age Verification
Sites hosting pornography, and many platforms with adult or risky content, must now use "highly effective" age assurance. Ofcom has indicated that simple self-declaration ("I am over 18") is no longer acceptable. Acceptable methods include:
- Photo-ID matching (passport or driving licence upload)
- Facial age estimation via webcam
- Credit card or open banking checks
- Mobile network operator age confirmation
- Digital identity wallets
Each method involves sharing sensitive personal data with a third-party age assurance provider. Even when platforms use "double-blind" tokens that don't tell the website who you are, the age-check provider still sees your face, ID or financial data.
2. Content Scanning Duties
Platforms must use "proportionate" technology to detect illegal content, particularly child sexual abuse material (CSAM) and terrorism content. For public posts this is largely uncontroversial. For private messages, it is the most contested part of the entire Act.
3. The Encryption Question
Section 121 gives Ofcom the power to require a service to use "accredited technology" to identify illegal content — including in private, end-to-end encrypted messages. The government has stated this power will only be used when "technically feasible", and as of 2025 no such notice has been issued. But the power exists on the statute book, and services like Signal and WhatsApp have publicly stated they would rather leave the UK market than break encryption.
What Personal Data Will You Be Asked to Share?
The biggest day-to-day change for UK users is the volume of identity data now flowing to platforms and their verification partners. Below is a comparison of what a typical user shared before and after the Act came into force.
| Activity | Before Online Safety Act | After Online Safety Act |
|---|---|---|
| Watching adult content | Click "I am 18+" | ID upload, facial scan or bank check |
| Signing up to a social network | Email + date of birth | Email + age estimation for under-25s |
| Joining a dating app | Email + photo | Email + photo + age assurance |
| Posting in a forum | Username + email | Username + email + risk-based age checks |
| Using encrypted messaging | Phone number | Phone number (scanning powers exist but unused) |
Pros and Cons for UK Users
Pros
- Better protection for children: Stronger duties to keep minors away from pornography, self-harm and grooming content.
- Faster takedowns: Platforms must remove illegal content quickly or face large fines.
- Clearer complaints process: Users have a statutory right to appeal moderation decisions.
- Transparency reports: Big platforms must publish data about harms and enforcement.
- Accountability: Named senior managers at large platforms can be held personally liable.
Cons
- More personal data in circulation: Age checks create new honeypots of ID data attractive to attackers.
- Encryption risk: Latent legal power to mandate client-side scanning of private messages.
- Smaller services squeezed: Compliance is expensive; some niche UK forums have closed rather than risk fines.
- Over-removal of legal content: Platforms may delete borderline content to stay safe, narrowing legitimate speech.
- Geo-blocking: Some overseas services now refuse UK traffic entirely.
What This Means for Your Day-to-Day Privacy
You don't need to be a lawyer to feel the impact. Here is what changes in practical terms for a typical British internet user.
You'll Hand Over More ID, More Often
Expect to verify your age on a growing list of services — not just adult sites. Dating apps, social networks with adult communities, some gaming platforms and certain video sites all fall within scope. Each verification creates a record somewhere.
Your Browsing Patterns Become More Traceable
When age-check providers handle identity for many sites at once, they accumulate signals about which adult or sensitive services you use. Reputable providers use token-based systems to prevent this, but not all do, and breaches happen.
Encrypted Apps May Behave Differently in the UK
Several messaging services have warned they may withdraw UK features rather than comply with any future scanning notice. If you rely on private messaging for journalism, activism, legal work or simply personal privacy, watch for changes to terms of service aimed specifically at UK accounts.
Link Sharing and Privacy
The Act focuses on platforms hosting content, but it also affects how links are shared. Long, parameter-heavy URLs often leak referral data, campaign tags and tracking identifiers. Using a privacy-respecting short link service such as Lunyb can strip those parameters and give you a clean, neutral link to share — useful both for protecting your own analytics and for reducing what third parties learn about your recipients. For a deeper look at the service, see our honest Lunyb review or compare options in our 2026 URL shortener buyer's guide.
How to Protect Your Privacy Under the Online Safety Act
You cannot opt out of the law, but you can sharply reduce how much personal data ends up in third-party hands. Here is a practical checklist.
- Choose age-assurance methods carefully. Where you have a choice, prefer facial age estimation (which deletes the image after processing) over full ID upload. Avoid uploading passports unless absolutely necessary.
- Use email aliases. Services like Apple Hide My Email, Fastmail or SimpleLogin let you give every platform a unique address, limiting cross-site tracking.
- Enable encrypted DNS. Turn on DNS-over-HTTPS in your browser or operating system so your ISP and local network don't see every domain you visit.
- Prefer privacy-focused browsers. Firefox, Brave and Safari block many trackers by default and reduce the fingerprinting surface available to age-check providers.
- Audit app permissions quarterly. Revoke camera, microphone and contacts access from apps that don't need it.
- Use clean, parameter-free links. When sharing URLs, strip UTM tags and tracking IDs, or use a shortener that does this for you.
- Review platform data downloads. Most large services let you export your data — check what's actually stored about you and delete what you don't need.
- Keep payment details separate. Where age checks accept it, use a dedicated card or virtual card number so a breach doesn't expose your main banking details.
Who Enforces the Act and What Are Your Rights?
Ofcom is the regulator. It can investigate platforms, demand information, fine them, and in extreme cases apply to courts to block services in the UK. For users, the Act creates several specific rights:
- The right to an effective complaints mechanism on in-scope platforms.
- The right to appeal removed content or suspended accounts.
- The right to user-empowerment tools on Category 1 services — for example, filters to hide content from unverified accounts.
- Continuing UK GDPR rights of access, rectification and erasure for any personal data collected during age checks.
If a platform mishandles your age-verification data, the Information Commissioner's Office (ICO) — not Ofcom — is the body to complain to.
The Bigger Picture: Safety vs Privacy
The Online Safety Act represents a deliberate policy choice: in the trade-off between online anonymity and child protection, Parliament has tilted firmly towards protection. Whether that balance is the right one is a debate that will continue for years, and Ofcom's codes of practice will shape the answer just as much as the statute itself.
What is clear is that the era of casual, frictionless, identity-light browsing in the UK is ending. Sensible users will treat every age check as a data-sharing decision, every platform sign-up as a privacy trade, and every shared link as a small piece of metadata that says something about them. Tools that minimise that footprint — encrypted DNS, alias emails, privacy-respecting browsers and clean link shorteners — are no longer niche. They are part of how a privacy-conscious Briton uses the internet in 2026.
Frequently Asked Questions
Does the Online Safety Act apply to small UK websites and blogs?
It can. The Act applies to "user-to-user services" and search services accessible in the UK, regardless of size. A small blog that doesn't allow user comments or uploads is largely out of scope. Add a comments section, forum or chat, and duties begin to apply — though smaller services face lighter requirements than the large "Category 1" platforms.
Will my passport photo be stored forever when I do an age check?
It shouldn't be. Ofcom's guidance and UK GDPR require age-assurance providers to use the minimum data necessary and delete it after verification, unless they have a separate lawful basis to retain it. Always check the provider's privacy notice — reputable ones delete biometric data within minutes or hours. If a service wants to keep your ID indefinitely, that is a red flag.
Can I be prosecuted for what I post under the Online Safety Act?
The Act introduces new criminal offences for individuals, including sending threatening communications, false communications intended to cause harm, and cyberflashing. Most enforcement, however, targets platforms rather than ordinary users. Standard UK speech laws — Malicious Communications Act, Public Order Act and so on — still apply alongside.
Does the Act break end-to-end encryption?
Not yet. Section 121 gives Ofcom power to require accredited scanning technology, but the government has said it will only use this power when it is "technically feasible" to do so without breaking encryption — and currently no such technology exists at scale. Major encrypted services continue to operate in the UK unchanged, but the legal lever remains in place.
What's the safest way to share links without exposing personal data?
Strip tracking parameters (anything after a question mark in a URL is worth reviewing), avoid sharing links from logged-in sessions that contain session IDs, and consider a privacy-respecting shortener that doesn't fingerprint clickers. Services like Lunyb produce neutral short links without aggressive tracking — see our 2026 shortener comparison for alternatives.
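The parameter stripping recommended in the checklist and in the answer above can be sketched in a few lines. This is an added example, not code from Lunyb or any service named in this guide: the parameter lists are illustrative and not exhaustive, and the function name `clean_link` and the sample URL are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Illustrative lists (assumptions, not exhaustive): common campaign and
# click identifiers appended by ad networks and newsletter tools.
TRACKING_PREFIXES = ("utm_",)
TRACKING_NAMES = {"gclid", "fbclid", "msclkid", "mc_cid", "mc_eid", "igshid"}
# Parameter names that commonly carry a logged-in session or credential.
SESSION_NAMES = {"sid", "sessionid", "session_id", "phpsessid",
                 "jsessionid", "token", "access_token"}


def clean_link(url):
    """Return (clean_url, report) for a link that is about to be shared.

    Tracking and session parameters are dropped. Everything else is kept
    but listed under "review", since any remaining query parameter may
    still identify the sender. Kept values are re-encoded by urlencode.
    """
    parts = urlsplit(url)
    kept = []
    report = {"removed": [], "session": [], "review": []}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lname = name.lower()
        if lname.startswith(TRACKING_PREFIXES) or lname in TRACKING_NAMES:
            report["removed"].append(name)
        elif lname in SESSION_NAMES:
            # Sharing this would hand the recipient the sender's session.
            report["session"].append(name)
        else:
            kept.append((name, value))
            report["review"].append(name)
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(kept), parts.fragment))
    return clean, report


if __name__ == "__main__":
    # Constructed sample URL, not taken from any real site.
    sample = ("https://shop.example/item/42?utm_source=newsletter"
              "&utm_medium=email&id=42&fbclid=AbC123&PHPSESSID=deadbeef#reviews")
    cleaned, details = clean_link(sample)
    print(cleaned)
    print(details)
```

A non-empty `session` list means the link was copied from a logged-in session; open the page in a private window and copy the address from there instead.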