facebook-pixel

UK Online Safety Act: What It Means for Your Privacy

L
Lunyb Security Team
··10 min read

The UK Online Safety Act 2023 is one of the most far-reaching internet regulations ever passed in Britain. It changes how platforms handle content, how they verify users, and how they scan private communications. For everyday internet users, that raises a critical question: what does the Online Safety Act actually mean for your privacy? This guide breaks down the law in plain English, explains the trade-offs, and shows you practical steps to protect your personal data in the new regulatory landscape.

What Is the UK Online Safety Act?

The UK Online Safety Act is a piece of legislation that requires online platforms — from social networks to search engines to messaging apps — to take proactive steps to remove illegal content and protect children from harmful material. It became law in October 2023 and is being phased in by Ofcom, the UK's communications regulator, through a series of codes of practice running into 2025 and beyond.

At its heart, the Act imposes a legal "duty of care" on service providers. Companies must risk-assess their platforms, put systems in place to reduce exposure to illegal or harmful content, and face substantial fines — up to £18 million or 10% of global annual revenue, whichever is higher — for non-compliance. Senior managers can even face criminal liability in certain cases.

Who Does the Act Apply To?

The Act has an unusually broad scope. It covers:

  • User-to-user services: social networks, forums, dating apps, gaming platforms, and comment sections.
  • Search services: Google, Bing, and smaller search engines.
  • Pornography providers: any commercial adult site accessible in the UK.
  • Messaging platforms: including end-to-end encrypted services like WhatsApp, Signal, and iMessage.

Even platforms based outside the UK must comply if they have a significant number of UK users or specifically target the UK market.

How the Online Safety Act Affects Your Privacy

The Act's privacy implications fall into four main areas: age verification, content scanning, data retention, and identity assurance. Each one changes how much information platforms collect about you and what they do with it.

1. Age Verification and "Age Assurance"

To protect under-18s from adult content and certain harmful material, platforms must now deploy "highly effective age assurance." In practice, this often means uploading a photo ID, submitting a selfie for facial age estimation, or linking a payment card. Every one of those methods creates a new piece of sensitive personal data — data that historically has been a prime target for breaches.

While Ofcom recommends using third-party age verification providers to minimise the data platforms directly hold, users are still trusting more companies with biometric or identity documents than ever before. If you visit adult content sites, dating apps, or certain social platforms from a UK IP address, expect to encounter these checks in 2025 and beyond.

2. Scanning of Private Messages

The most controversial part of the Act — Section 121 — gives Ofcom the power to require messaging services to use "accredited technology" to detect child sexual abuse material (CSAM) and terrorism content, even in end-to-end encrypted chats. Critics, including Apple, Signal, and WhatsApp, argue this effectively breaks encryption by requiring "client-side scanning" — software that inspects messages on your device before they are encrypted.

The UK government has said the power will only be used when it is "technically feasible" to do so without weakening encryption for everyone. That caveat is doing a lot of work: many cryptographers argue such a system does not currently exist. For now, encrypted messaging remains intact, but the legal framework to compromise it is on the statute books.

3. Increased Data Retention

To comply with reporting duties and user-complaint requirements, platforms are keeping more logs for longer. This includes records of content you posted (even if you deleted it), reports made about you, and metadata about your interactions. If you are the subject of a complaint or investigation, that data can be shared with law enforcement or Ofcom.

4. Identity Verification Options

Category 1 platforms — the largest social networks — must offer adult users the option to verify their identity and to filter out unverified accounts. It is optional for users, but it creates a two-tier internet where fully anonymous participation may be limited in practice.

The Privacy Trade-Off: Safety vs. Surveillance

Supporters of the Act, including children's charities and law enforcement bodies, argue the trade-offs are proportionate. The Internet Watch Foundation reported record volumes of CSAM in recent years, and self-harm content has been linked to teenage tragedies. The Act aims to force platforms to take these harms as seriously as they take advertising revenue.

Privacy campaigners — including the Open Rights Group, Big Brother Watch, and the Electronic Frontier Foundation — take a different view. Their concerns include:

  • Chilling effects on free speech: platforms may over-remove legal content to avoid regulatory risk.
  • Encryption erosion: any mechanism to scan encrypted messages can, in principle, be repurposed.
  • Data honeypots: age verification creates rich databases of ID documents linked to browsing habits.
  • Function creep: powers introduced for CSAM detection could be expanded to other content categories.

What the Act Does NOT Do

There is a lot of misinformation about the Online Safety Act. To be clear, it does not:

  • Ban encrypted messaging apps.
  • Require a national ID to use the internet.
  • Give Ofcom the power to read your private messages directly.
  • Automatically block websites that fail to age-verify — enforcement is via fines and business disruption measures.
  • Override GDPR or the UK Data Protection Act 2018, which still govern how your personal data is processed.

Comparison: UK Online Safety Act vs EU Digital Services Act

The UK is not alone in regulating online platforms. The EU passed the Digital Services Act (DSA) around the same time, and the two frameworks overlap but differ in important ways.

FeatureUK Online Safety ActEU Digital Services Act
RegulatorOfcomEuropean Commission + national regulators
Encrypted message scanningPossible via Section 121Not currently required (Chat Control proposal debated separately)
Age verification for adult sitesMandatoryRecommended, not uniformly required
Maximum fine£18m or 10% global turnover6% global turnover
User identity verificationOptional for large platformsNot mandated
FocusSafety and harmful contentTransparency and illegal content

Practical Steps to Protect Your Privacy Under the Act

You cannot opt out of the law, but you can be smarter about how you share data with platforms operating under it. Here is a numbered checklist:

  1. Use age verification services that support "double-blind" tokens. Providers like Yoti and AgeChecked can confirm your age to a website without telling the website who you are, and without telling the verifier which site you are visiting.
  2. Prefer encrypted DNS. Enabling DNS-over-HTTPS (DoH) in Firefox, Chrome, or your operating system prevents your internet provider from easily logging every domain you visit.
  3. Audit which platforms hold your ID. If you have uploaded a passport or driving licence for age checks, note the date and check whether the provider deletes it after verification (most reputable ones do within 30 days).
  4. Use privacy-first browsers. Firefox with strict tracking protection, Brave, or Safari with Private Relay reduce the volume of behavioural data collected about you.
  5. Compartmentalise accounts. Use separate email addresses (or aliases via services like SimpleLogin) for high-risk platforms so a breach on one does not expose your entire identity.
  6. Shorten and control your outbound links. When sharing links on regulated platforms, a privacy-respecting URL shortener like Lunyb lets you control click analytics and revoke links without exposing your original URL structure. You can read our honest review of Lunyb for more detail.
  7. Review platform privacy settings quarterly. New Ofcom codes are rolling out throughout 2025, and platforms are updating defaults. Check what has changed.
  8. Report over-removal. If legal content of yours is taken down, use the platform's appeal process. Ofcom expects platforms to have functioning complaints procedures.

What Businesses and Content Creators Need to Know

If you run a website, forum, community, or newsletter with UK users, you may fall within scope even if you are a small operator. Micro-businesses are not automatically exempt — the duties scale with risk, not just size.

Immediate Actions for Small Publishers

  • Conduct an illegal content risk assessment (Ofcom provides free templates).
  • Publish clear terms of service explaining what content is not allowed.
  • Provide a simple way for users to report content.
  • Keep basic records of moderation decisions.
  • Review your link-sharing tools — using a branded, trackable shortener helps you monitor how content is distributed. Our 2026 buyer's guide to URL shorteners compares the leading options for compliance-focused teams.

For businesses that rely on branded links and analytics, comparing providers is worth the time. See our Rebrandly review for 2026 for a look at one popular enterprise option.

The Road Ahead: What to Watch in 2025-2026

The Online Safety Act is not a static piece of law — it is being implemented through dozens of Ofcom codes over several years. Key milestones to watch:

  • Illegal harms codes (in force from March 2025): platforms must have systems to detect and remove illegal content.
  • Child safety codes (rolling out through 2025): stricter obligations for services likely to be accessed by children.
  • Categorisation regulations: Ofcom will designate Category 1, 2A, and 2B services, triggering additional duties for the largest.
  • Judicial reviews: expect legal challenges from platforms and civil society groups testing the boundaries of the Act.
  • International coordination: how the UK approach interacts with the EU DSA, US state-level laws, and Australia's Online Safety Act.

Conclusion

The UK Online Safety Act represents a genuine shift in how the internet is governed in Britain. It brings real benefits — more accountability for platforms that have long dodged responsibility for harm — but it also introduces meaningful privacy costs, from age verification data pools to the constitutional risk of encrypted-message scanning.

The pragmatic response is neither panic nor complacency. Understand what platforms are collecting about you, choose services and tools that minimise unnecessary data exposure, and stay informed as Ofcom's codes evolve. Privacy in 2025 is less about avoiding regulation and more about making informed choices within it.

Frequently Asked Questions

Does the Online Safety Act mean the UK government can read my WhatsApp messages?

Not directly. The Act gives Ofcom the power to require messaging services to deploy "accredited technology" to detect illegal content, but only where it is technically feasible without weakening encryption. As of now, no such technology has been accredited, and WhatsApp, Signal, and iMessage continue to offer end-to-end encryption in the UK.

Do I have to verify my age to use social media in the UK?

For most general-purpose social networks, no — but you will encounter age assurance when accessing adult content, certain gambling services, and features restricted to over-18s on mainstream platforms. Under-18s will face age-appropriate experiences on services likely to be accessed by children.

Is my personal data safe when I use age verification?

Reputable third-party age verification providers use "double-blind" designs and delete ID documents shortly after checking. However, any system that collects biometric data or ID scans creates some risk. Check the provider's privacy policy, look for ISO 27001 or similar certifications, and prefer services that offer facial age estimation without storing your image.

Can I be prosecuted under the Online Safety Act for what I post?

The Act primarily regulates platforms, not individual users. However, it also created new criminal offences — including threatening communications, cyberflashing, and sharing intimate images without consent — that apply to individuals. Ordinary lawful speech is not criminalised by the Act.

Does the Act apply to small websites and personal blogs?

It applies to any user-to-user service accessible in the UK, but the duties are proportionate to risk and size. A personal blog with comments turned off is generally out of scope. A small forum with user posts is technically in scope but faces a much lighter compliance burden than a major social network. Ofcom has published simplified guidance for smaller services.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles