facebook-pixel

UK Online Safety Act: What It Means for Your Privacy

L
Lunyb Security Team
··10 min read

The UK Online Safety Act is one of the most significant pieces of internet regulation the United Kingdom has ever passed. It reshapes how platforms handle harmful content, how children access the web, and — critically — how your personal data is scanned, verified and stored. If you live in Britain and use the internet daily, this law already affects you, even if you have never heard of it.

This guide breaks down what the Online Safety Act actually does, how it interacts with your privacy, and the practical steps you can take to keep control of your personal information in 2026 and beyond.

What Is the UK Online Safety Act?

The UK Online Safety Act is a British law that requires online platforms to protect users — especially children — from illegal and harmful content. It received Royal Assent in October 2023 and is being enforced in phases by Ofcom, the UK communications regulator.

The Act applies to any service that allows users to encounter content generated by other users, or that provides search results. That covers a huge range of platforms: social networks, messaging apps, video-sharing sites, dating apps, forums, cloud storage with sharing features, search engines and even some gaming services. Crucially, it applies to any service with a significant UK user base, regardless of where the company is headquartered.

Key Duties Imposed on Platforms

  1. Illegal content duties — proactively identify and remove content relating to terrorism, child sexual abuse material (CSAM), fraud, and other priority offences.
  2. Child safety duties — prevent children from seeing pornography, self-harm content, or material promoting eating disorders.
  3. Age assurance — use "highly effective" age verification for sites hosting adult content.
  4. Transparency reporting — publish regular reports on moderation actions.
  5. Risk assessments — document and mitigate the risks their service poses to UK users.

Failure to comply can result in fines of up to £18 million or 10% of global annual turnover — whichever is higher — plus potential criminal liability for senior managers.

Why the Online Safety Act Raises Privacy Concerns

While the Act's aims are widely supported, privacy advocates have flagged several serious concerns. The law asks platforms to do things that traditionally required a warrant or targeted investigation — but at population scale, and using automated systems.

1. Age Verification and Identity Exposure

To comply with child safety duties, adult sites and many mainstream platforms must now verify that users are over 18. "Highly effective" age assurance, per Ofcom guidance, can include:

  • Photo ID uploads (passport, driving licence)
  • Facial age estimation via webcam or phone camera
  • Credit card checks
  • Mobile network operator checks
  • Open banking–based age confirmation
  • Digital identity wallets

Each of these methods creates a data trail linking your legal identity to specific browsing activity — something that, historically, UK users have never been required to hand over.

2. Pressure on End-to-End Encryption

Section 121 of the Act gives Ofcom the power to require platforms to use "accredited technology" to identify CSAM or terrorist content — even in private messages. Critics argue this is functionally incompatible with end-to-end encryption, because scanning content requires access to it before or after encryption (so-called client-side scanning).

The UK government has said the power will only be used when "technically feasible." That phrasing has not reassured Signal, WhatsApp, or numerous cryptographers, all of whom have warned that any scanning backdoor weakens security for every user.

3. Data Retention and Third-Party Processors

Age verification is usually handled by third-party providers such as Yoti, VerifyMy, or Persona. Even when these companies say they don't retain your ID, the verification event itself generates logs, tokens and metadata that can be linked back to accounts. If any of those providers suffers a breach, the fallout could be severe — as we saw with several identity providers globally in 2024.

How the Act Affects Everyday UK Internet Users

Here is what has already changed, or is changing, for people browsing from the UK:

Adult Content and Age Gates

Since mid-2025, major adult platforms including Pornhub, XVideos, and Reddit's mature communities have introduced age verification for UK visitors. Attempting to access these without verification results in a block. Some smaller sites have chosen to geoblock the UK entirely rather than comply.

Social Media Feeds

Platforms like TikTok, Instagram, X and Snapchat have adjusted their algorithms for UK users under 18, restricting content categorised as harmful. Adults may notice more aggressive content warnings, reduced visibility of some posts, and additional friction when accessing sensitive topics — including legitimate journalism about war, protest, or mental health.

Search Engines

Google, Bing and DuckDuckGo now apply UK-specific filters that demote or hide certain content from search results. This can affect research, academic study, and access to controversial but lawful material.

Forums and Small Communities

Some smaller UK-run forums, hobby communities and independent platforms have closed rather than absorb the compliance cost. This includes the well-publicised shutdowns of LFGSS (a cycling forum) and several niche discussion boards in 2025.

Online Safety Act vs GDPR: How They Interact

The Online Safety Act does not repeal the UK GDPR — the two operate in parallel. But their goals sometimes pull in opposite directions, and platforms must navigate both.

AspectUK GDPROnline Safety Act
Primary goalProtect personal dataReduce online harm
RegulatorICOOfcom
Data minimisationRequiredSometimes in tension with verification duties
EncryptionEncouraged as security measureMay be required to scan content
User consentCentral principleNot required for safety-driven scanning
Max penalty£17.5m or 4% global turnover£18m or 10% global turnover

In practice, the ICO and Ofcom have issued joint guidance urging platforms to apply age assurance in the most privacy-preserving way possible — but the compliance burden falls on the platform, and users have limited say in which vendor scans their face or ID.

Practical Steps to Protect Your Privacy Under the Act

You cannot opt out of the Online Safety Act, but you can make thoughtful choices about how much personal data you expose. Here are eight practical steps for UK users in 2026.

  1. Prefer age estimation over ID upload. When you are given a choice, facial age estimation (which returns an approximate age and typically deletes the image) leaks less data than uploading a passport or driving licence.
  2. Use a dedicated email for verified accounts. Separate identity-verified services (adult sites, gambling, dating) from your primary inbox to limit cross-linking if there's a breach.
  3. Enable encrypted DNS. Turn on DNS-over-HTTPS in your browser (Firefox, Chrome and Edge all support it) so your internet provider cannot easily log every domain you visit.
  4. Use a privacy-first browser. Firefox with strict tracking protection, Brave, or Mullvad Browser reduce fingerprinting and third-party tracking that could otherwise be combined with verification data.
  5. Review permissions on verification providers. Companies like Yoti let you delete your account and associated data — do it once you no longer need the linked service.
  6. Shorten and control links you share. When posting links publicly, using a privacy-conscious shortener such as Lunyb lets you rotate or revoke URLs, and avoids exposing raw destination data in public posts. See our honest review of Lunyb for details on how it handles link data.
  7. Keep messaging apps end-to-end encrypted. Use Signal or the encrypted modes of WhatsApp and iMessage. Watch for any policy updates: if a platform introduces client-side scanning, consider migrating.
  8. Exercise your data rights. Under UK GDPR you can request access to, or deletion of, data held by any verification provider or platform. The ICO's website has free templates.

What Businesses and Website Owners Should Do

If you run a UK-facing website or online service, the Act likely applies to you if users can post content, share files, comment, or message each other. Even small operators must complete a documented risk assessment. Key steps include:

1. Determine Your Category

Ofcom divides services into categories based on size and functionality. Category 1 (the largest platforms) has the heaviest duties, but even small "user-to-user" services have baseline obligations around illegal content.

2. Complete Risk Assessments

You must assess the risk of illegal content, and — if your service is likely to be accessed by children — the risk of harmful content. Ofcom provides templates.

3. Implement Proportionate Safety Measures

This might include reporting tools, moderation, content filters, and — where relevant — age assurance. Measures must be proportionate to your size and risk.

4. Publish Terms and Reporting Channels

Clear, accessible terms of service are now a legal requirement, along with a functioning way for users to report content and appeal decisions.

5. Handle Links and Redirects Responsibly

If your service uses redirects or shortened URLs, be mindful that these can be exploited to disguise harmful content. Marketers looking at link tools should compare options carefully — our 2026 buyer's guide to URL shorteners and our comparison of Rebrandly's pricing both cover moderation and abuse-handling features worth reviewing.

The Bigger Picture: Where UK Online Regulation Is Heading

The Online Safety Act is not a one-off. It sits alongside the Data (Use and Access) Act 2025, the ongoing debate about the Investigatory Powers Act, and pending regulation on AI-generated content. Together, they signal a shift: the UK is moving from a lightly regulated internet to one where platforms carry substantial legal duties — and where users are expected to be identifiable more often.

Whether this ultimately makes the internet safer without eroding privacy depends on how Ofcom uses its enforcement powers, whether courts push back on scope creep, and how much technical resistance encryption providers can sustain. Users who care about their digital privacy will need to stay informed, use privacy-preserving tools where possible, and actively exercise their rights.

Frequently Asked Questions

Does the Online Safety Act require me to verify my age everywhere?

No. Age verification is only mandatory on services hosting pornography or content likely to be harmful to children. Mainstream platforms may introduce age estimation for under-18 protections, but adults browsing general content should not be required to upload ID for most services.

Can Ofcom read my private messages under the Act?

Not directly. Ofcom can require platforms to use "accredited technology" to detect CSAM or terrorist material — including potentially in private messages — but only when the government considers it technically feasible. As of 2026, no such notice has been issued to a major encrypted messaging provider, and several have said they would leave the UK rather than comply.

What happens to my ID after age verification?

It depends on the provider and method. Reputable services using facial age estimation typically delete the image within seconds. ID document uploads may be retained briefly for audit purposes, then deleted. You have a right under UK GDPR to ask any provider what data they hold and to request deletion.

Does the Act apply to overseas websites?

Yes, if the service has a significant number of UK users or targets the UK market. Ofcom can take enforcement action against foreign companies, including seeking court orders to block access from the UK or requiring payment providers to cut them off.

How can I keep browsing privately without breaking the law?

Nothing in the Online Safety Act makes private browsing illegal. Using encrypted DNS, privacy-first browsers, end-to-end encrypted messaging, and separate email addresses for different services all remain lawful and are actively recommended by privacy regulators including the ICO. The Act targets platforms, not the everyday privacy practices of individual users.

Final Thoughts

The UK Online Safety Act is a genuine attempt to make the internet safer for children and to force accountability on platforms that have spent years hosting harmful content without consequence. But it comes with real privacy trade-offs: more identity checks, more data held by more third parties, and ongoing tension with encryption. Understanding how the Act works — and taking a few sensible steps — is the best way to enjoy its protections without giving up more privacy than you need to.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles