UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act is one of the most significant pieces of internet regulation the United Kingdom has ever passed. It reshapes how platforms handle harmful content, how children access the web, and — critically — how your personal data is scanned, verified and stored. If you live in Britain and use the internet daily, this law already affects you, even if you have never heard of it.
This guide breaks down what the Online Safety Act actually does, how it interacts with your privacy, and the practical steps you can take to keep control of your personal information in 2026 and beyond.
What Is the UK Online Safety Act?
The UK Online Safety Act is a British law that requires online platforms to protect users — especially children — from illegal and harmful content. It received Royal Assent in October 2023 and is being enforced in phases by Ofcom, the UK communications regulator.
The Act applies to any service that allows users to encounter content generated by other users, or that provides search results. That covers a huge range of platforms: social networks, messaging apps, video-sharing sites, dating apps, forums, cloud storage with sharing features, search engines and even some gaming services. Crucially, it applies to any service with a significant UK user base, regardless of where the company is headquartered.
Key Duties Imposed on Platforms
- Illegal content duties — proactively identify and remove content relating to terrorism, child sexual abuse material (CSAM), fraud, and other priority offences.
- Child safety duties — prevent children from seeing pornography, self-harm content, or material promoting eating disorders.
- Age assurance — use "highly effective" age verification for sites hosting adult content.
- Transparency reporting — publish regular reports on moderation actions.
- Risk assessments — document and mitigate the risks their service poses to UK users.
Failure to comply can result in fines of up to £18 million or 10% of global annual turnover — whichever is higher — plus potential criminal liability for senior managers.
Why the Online Safety Act Raises Privacy Concerns
While the Act's aims are widely supported, privacy advocates have flagged several serious concerns. The law asks platforms to do things that traditionally required a warrant or targeted investigation — but at population scale, and using automated systems.
1. Age Verification and Identity Exposure
To comply with child safety duties, adult sites and many mainstream platforms must now verify that users are over 18. "Highly effective" age assurance, per Ofcom guidance, can include:
- Photo ID uploads (passport, driving licence)
- Facial age estimation via webcam or phone camera
- Credit card checks
- Mobile network operator checks
- Open banking–based age confirmation
- Digital identity wallets
Each of these methods creates a data trail linking your legal identity to specific browsing activity — something that, historically, UK users have never been required to hand over.
2. Pressure on End-to-End Encryption
Section 121 of the Act gives Ofcom the power to require platforms to use "accredited technology" to identify CSAM or terrorist content — even in private messages. Critics argue this is functionally incompatible with end-to-end encryption, because scanning content requires access to it before or after encryption (so-called client-side scanning).
The UK government has said the power will only be used when "technically feasible." That phrasing has not reassured Signal, WhatsApp, or numerous cryptographers, all of whom have warned that any scanning backdoor weakens security for every user.
3. Data Retention and Third-Party Processors
Age verification is usually handled by third-party providers such as Yoti, VerifyMy, or Persona. Even when these companies say they don't retain your ID, the verification event itself generates logs, tokens and metadata that can be linked back to accounts. If any of those providers suffers a breach, the fallout could be severe — as we saw with several identity providers globally in 2024.
How the Act Affects Everyday UK Internet Users
Here is what has already changed, or is changing, for people browsing from the UK:
Adult Content and Age Gates
Since mid-2025, major adult platforms including Pornhub, XVideos, and Reddit's mature communities have introduced age verification for UK visitors. Attempting to access these without verification results in a block. Some smaller sites have chosen to geoblock the UK entirely rather than comply.
Social Media Feeds
Platforms like TikTok, Instagram, X and Snapchat have adjusted their algorithms for UK users under 18, restricting content categorised as harmful. Adults may notice more aggressive content warnings, reduced visibility of some posts, and additional friction when accessing sensitive topics — including legitimate journalism about war, protest, or mental health.
Search Engines
Google, Bing and DuckDuckGo now apply UK-specific filters that demote or hide certain content from search results. This can affect research, academic study, and access to controversial but lawful material.
Forums and Small Communities
Some smaller UK-run forums, hobby communities and independent platforms have closed rather than absorb the compliance cost. This includes the well-publicised shutdowns of LFGSS (a cycling forum) and several niche discussion boards in 2025.
Online Safety Act vs GDPR: How They Interact
The Online Safety Act does not repeal the UK GDPR — the two operate in parallel. But their goals sometimes pull in opposite directions, and platforms must navigate both.
| Aspect | UK GDPR | Online Safety Act |
|---|---|---|
| Primary goal | Protect personal data | Reduce online harm |
| Regulator | ICO | Ofcom |
| Data minimisation | Required | Sometimes in tension with verification duties |
| Encryption | Encouraged as security measure | May be required to scan content |
| User consent | Central principle | Not required for safety-driven scanning |
| Max penalty | £17.5m or 4% global turnover | £18m or 10% global turnover |
In practice, the ICO and Ofcom have issued joint guidance urging platforms to apply age assurance in the most privacy-preserving way possible — but the compliance burden falls on the platform, and users have limited say in which vendor scans their face or ID.
Practical Steps to Protect Your Privacy Under the Act
You cannot opt out of the Online Safety Act, but you can make thoughtful choices about how much personal data you expose. Here are eight practical steps for UK users in 2026.
- Prefer age estimation over ID upload. When you are given a choice, facial age estimation (which returns an approximate age and typically deletes the image) leaks less data than uploading a passport or driving licence.
- Use a dedicated email for verified accounts. Separate identity-verified services (adult sites, gambling, dating) from your primary inbox to limit cross-linking if there's a breach.
- Enable encrypted DNS. Turn on DNS-over-HTTPS in your browser (Firefox, Chrome and Edge all support it) so your internet provider cannot easily log every domain you visit.
- Use a privacy-first browser. Firefox with strict tracking protection, Brave, or Mullvad Browser reduce fingerprinting and third-party tracking that could otherwise be combined with verification data.
- Review permissions on verification providers. Companies like Yoti let you delete your account and associated data — do it once you no longer need the linked service.
- Shorten and control links you share. When posting links publicly, using a privacy-conscious shortener such as Lunyb lets you rotate or revoke URLs, and avoids exposing raw destination data in public posts. See our honest review of Lunyb for details on how it handles link data.
- Keep messaging apps end-to-end encrypted. Use Signal or the encrypted modes of WhatsApp and iMessage. Watch for any policy updates: if a platform introduces client-side scanning, consider migrating.
- Exercise your data rights. Under UK GDPR you can request access to, or deletion of, data held by any verification provider or platform. The ICO's website has free templates.
What Businesses and Website Owners Should Do
If you run a UK-facing website or online service, the Act likely applies to you if users can post content, share files, comment, or message each other. Even small operators must complete a documented risk assessment. Key steps include:
1. Determine Your Category
Ofcom divides services into categories based on size and functionality. Category 1 (the largest platforms) has the heaviest duties, but even small "user-to-user" services have baseline obligations around illegal content.
2. Complete Risk Assessments
You must assess the risk of illegal content, and — if your service is likely to be accessed by children — the risk of harmful content. Ofcom provides templates.
3. Implement Proportionate Safety Measures
This might include reporting tools, moderation, content filters, and — where relevant — age assurance. Measures must be proportionate to your size and risk.
4. Publish Terms and Reporting Channels
Clear, accessible terms of service are now a legal requirement, along with a functioning way for users to report content and appeal decisions.
5. Handle Links and Redirects Responsibly
If your service uses redirects or shortened URLs, be mindful that these can be exploited to disguise harmful content. Marketers looking at link tools should compare options carefully — our 2026 buyer's guide to URL shorteners and our comparison of Rebrandly's pricing both cover moderation and abuse-handling features worth reviewing.
The Bigger Picture: Where UK Online Regulation Is Heading
The Online Safety Act is not a one-off. It sits alongside the Data (Use and Access) Act 2025, the ongoing debate about the Investigatory Powers Act, and pending regulation on AI-generated content. Together, they signal a shift: the UK is moving from a lightly regulated internet to one where platforms carry substantial legal duties — and where users are expected to be identifiable more often.
Whether this ultimately makes the internet safer without eroding privacy depends on how Ofcom uses its enforcement powers, whether courts push back on scope creep, and how much technical resistance encryption providers can sustain. Users who care about their digital privacy will need to stay informed, use privacy-preserving tools where possible, and actively exercise their rights.
Frequently Asked Questions
Does the Online Safety Act require me to verify my age everywhere?
No. Age verification is only mandatory on services hosting pornography or content likely to be harmful to children. Mainstream platforms may introduce age estimation for under-18 protections, but adults browsing general content should not be required to upload ID for most services.
Can Ofcom read my private messages under the Act?
Not directly. Ofcom can require platforms to use "accredited technology" to detect CSAM or terrorist material — including potentially in private messages — but only when the government considers it technically feasible. As of 2026, no such notice has been issued to a major encrypted messaging provider, and several have said they would leave the UK rather than comply.
What happens to my ID after age verification?
It depends on the provider and method. Reputable services using facial age estimation typically delete the image within seconds. ID document uploads may be retained briefly for audit purposes, then deleted. You have a right under UK GDPR to ask any provider what data they hold and to request deletion.
Does the Act apply to overseas websites?
Yes, if the service has a significant number of UK users or targets the UK market. Ofcom can take enforcement action against foreign companies, including seeking court orders to block access from the UK or requiring payment providers to cut them off.
How can I keep browsing privately without breaking the law?
Nothing in the Online Safety Act makes private browsing illegal. Using encrypted DNS, privacy-first browsers, end-to-end encrypted messaging, and separate email addresses for different services all remain lawful and are actively recommended by privacy regulators including the ICO. The Act targets platforms, not the everyday privacy practices of individual users.
Final Thoughts
The UK Online Safety Act is a genuine attempt to make the internet safer for children and to force accountability on platforms that have spent years hosting harmful content without consequence. But it comes with real privacy trade-offs: more identity checks, more data held by more third parties, and ongoing tension with encryption. Understanding how the Act works — and taking a few sensible steps — is the best way to enjoy its protections without giving up more privacy than you need to.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
OAIC Complaints: How to Report a Privacy Breach in Australia
A practical guide to lodging a privacy complaint with the Office of the Australian Information Commissioner. Learn the steps, timelines, evidence you need, and what outcomes you can realistically expect under the Privacy Act 1988.
ePrivacy Regulations Ireland: Latest Updates for 2026
Ireland's ePrivacy landscape in 2026 combines SI 336/2011, GDPR, and active Data Protection Commission enforcement. This guide covers cookie consent, direct marketing rules, DPC penalties, and a practical compliance checklist for Irish businesses.
Australian Data Breach Notification Scheme: The Complete 2026 Guide
The Notifiable Data Breaches scheme is Australia's mandatory framework for reporting eligible data breaches to the OAIC and affected individuals. This 2026 guide explains who it covers, what counts as serious harm, reporting timelines, penalties of up to AUD $50 million, and how to build a compliant breach response program.
Singapore Online Safety Act 2026: Complete Guide for Users and Businesses
A complete guide to the Singapore Online Safety Act 2026, covering scope, harmful content categories, platform obligations, penalties, user rights, and a practical compliance checklist for businesses and everyday internet users.