facebook-pixel

UK Online Safety Act: What It Means for Your Privacy in 2026

L
Lunyb Security Team
··10 min read

The UK Online Safety Act is one of the most far-reaching pieces of internet legislation ever passed in Britain. Introduced to protect children and tackle illegal content, it also hands regulators sweeping new powers over how platforms handle your messages, your identity and your online activity. If you live in the UK, this law affects almost every website and app you use daily — from WhatsApp and Instagram to search engines, forums and even URL shorteners.

This guide breaks down what the UK Online Safety Act actually says, what it means for your privacy, and the practical steps you can take to stay in control of your personal data in 2026.

What Is the UK Online Safety Act?

The UK Online Safety Act 2023 is a British law that requires online platforms to protect users — particularly children — from illegal and harmful content. It received Royal Assent in October 2023 and is being rolled out in phases through 2024, 2025 and 2026 by the regulator, Ofcom.

The Act applies to any service that allows users to share content or interact with each other, and to search engines. Crucially, it applies to services anywhere in the world if they have a significant number of UK users. That means US-based social networks, EU messaging apps and global forums all fall within scope.

The Three Core Duties

  1. Illegal content duty — platforms must proactively prevent and quickly remove illegal material such as terrorism content, child sexual abuse imagery, fraud and intimate image abuse.
  2. Child safety duty — services likely to be accessed by children must protect them from legal-but-harmful content like pornography, self-harm promotion and cyberbullying.
  3. Transparency and user empowerment duty — the largest platforms ("Category 1" services) must publish risk assessments and give adult users tools to filter unverified accounts or specific content types.

Why Privacy Advocates Are Worried

Although the Act is framed as a child safety measure, several provisions have serious implications for the privacy of every UK internet user — including adults with nothing to hide.

1. The Encrypted Messaging Problem

Section 121 of the Act gives Ofcom the power to require platforms to use "accredited technology" to scan private messages for illegal content. This is aimed at end-to-end encrypted services like WhatsApp, Signal, iMessage and Meta's Messenger.

The problem is technical: you cannot scan an end-to-end encrypted message without breaking the encryption. Any "client-side scanning" system installs surveillance software on your own device before the message is encrypted. Signal's president Meredith Whittaker and WhatsApp's Will Cathcart have both publicly stated they would withdraw from the UK rather than compromise encryption.

The government has said it will not use this power "until it is technically feasible" — but the power remains on the statute book and could be activated at any time.

2. Age Verification and Identity Checks

From July 2025, sites hosting adult content must implement "highly effective" age assurance. Acceptable methods include:

  • Photo ID matching (uploading a passport or driving licence)
  • Facial age estimation via webcam
  • Credit card verification
  • Mobile network operator age checks
  • Digital identity wallet verification

Each of these creates a new data trail linking your real-world identity to specific browsing behaviour. Even if the third-party verifier promises not to store data, breaches happen — and the mere existence of these databases creates risk.

3. Content Monitoring at Scale

To comply with illegal content duties, platforms are deploying automated scanning across posts, images, uploads and even usernames. This means more of what you say and share is being analysed by algorithms — and potentially retained for compliance auditing.

Who Does the Act Apply To?

The scope is enormous. Ofcom estimates that more than 100,000 services fall under the Act. Here's a simplified breakdown:

CategoryExamplesMain Duties
Category 1 (largest user-to-user)Facebook, X, TikTok, Instagram, YouTubeAll duties + transparency reports, user empowerment tools, fraud advertising duty
Category 2A (large search)Google, BingIllegal content, child safety, transparency
Category 2B (large user-to-user)Reddit, Discord, TwitchIllegal content, child safety, transparency
Non-categorised servicesSmall forums, niche apps, link toolsIllegal content and (if applicable) child safety
Adult content servicesPornography sitesHighly effective age assurance

Practical Privacy Impact for UK Users

Here's how the Act changes the day-to-day experience of using the internet in the UK.

More Data Collection at Sign-Up

Expect more platforms to ask for age verification or ID even where it wasn't required before. Some sites are choosing to age-gate their entire service rather than risk misclassification.

Geo-Blocking and Withdrawals

Some services — particularly smaller US-based forums, niche communities and privacy-focused messengers — have simply blocked UK users rather than comply. Wikipedia has publicly considered its position, and several smaller services have already pulled out.

Weaker End-to-End Encryption Guarantees

Even if the client-side scanning power is never activated, its existence chills investment in strong encryption. Some vendors may quietly weaken their protections or add backdoors to stay on the right side of Ofcom.

More "Legal but Harmful" Content Removal

Although the controversial adult "legal but harmful" clause was dropped from the final Act, Category 1 platforms must still offer filtering tools. Many are erring on the side of over-removal to avoid regulatory risk — meaning legitimate speech gets caught in the net.

How to Protect Your Privacy Under the Online Safety Act

You cannot opt out of the Act, but you can significantly reduce your personal exposure with the right habits and tools.

1. Minimise the Identity You Share

Where age verification is required, prefer options that use "zero-knowledge" or "attribute-based" verification — services that confirm you are over 18 without sharing your actual date of birth, name or ID document with the platform. Look for providers certified under the UK's digital identity trust framework.

2. Use Privacy-Respecting Tools by Default

  • Browser: Use Firefox, Brave or Safari with tracking protection enabled. Turn on HTTPS-Only mode.
  • DNS: Switch to encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) via providers like Cloudflare 1.1.1.1, Quad9 or NextDNS. This prevents your internet provider from logging every domain you visit.
  • Search: Use privacy-first search engines such as DuckDuckGo, Startpage or Mojeek that don't build behavioural profiles.
  • Email: Consider Proton Mail, Tuta or Fastmail rather than Gmail or Outlook.

3. Separate Identities for Different Activities

Use different email addresses, usernames and payment methods for different areas of your life. Email aliasing services like SimpleLogin or AnonAddy let you generate throwaway addresses without giving out your real one.

4. Be Careful with Links You Share

Under the Act, platforms are increasingly scanning shared links — and long, tracker-laden URLs leak information about you and the recipients. Using a reputable link shortener strips tracking parameters and gives you control over what happens after a click. If you regularly share links on social media, in newsletters or with clients, a trustworthy shortener like Lunyb can help by producing clean, branded short links without embedding third-party trackers. For a wider comparison of options available in 2026, see our best URL shorteners guide.

5. Review App Permissions Quarterly

Every three months, go through your phone and browser and revoke permissions you don't use. Location, microphone, contacts and photo library access are the most sensitive — and the most over-requested.

6. Understand Your Rights Under UK GDPR

The Online Safety Act does not repeal the UK GDPR. You still have the right to access, correct and delete personal data held by any service. If a platform demands age verification, you can ask exactly what data is collected, how long it is kept and who processes it.

The Act vs. the EU Digital Services Act

The UK Act is often compared to the EU's Digital Services Act (DSA), which came into force in 2024. They share some goals but differ in important ways.

FeatureUK Online Safety ActEU Digital Services Act
RegulatorOfcomEuropean Commission + national coordinators
Maximum fine£18m or 10% of global turnover6% of global turnover
Encryption scanningPower exists (Section 121)No equivalent — proposed "Chat Control" regulation is separate and stalled
Age verificationMandatory for adult contentRisk-based, not universally mandated
Legal-but-harmful adult contentRemoved from final textSystemic risk assessment required
Criminal liabilityYes — senior managers can be jailedNo personal criminal liability

Pros and Cons of the Online Safety Act

Pros

  • Strong protections for children against pornography, grooming and self-harm content
  • Clear legal duties on platforms to remove illegal content quickly
  • New criminal offences for cyberflashing, epilepsy trolling and intimate image abuse
  • Fraud advertising duty on the largest platforms
  • Greater transparency about how algorithms amplify content

Cons

  • Section 121 threatens end-to-end encryption
  • Age verification creates new identity databases and breach risks
  • Compliance costs push smaller services out of the UK market
  • Automated moderation over-removes legitimate speech
  • Concentrates enforcement power in a single regulator (Ofcom)
  • Extra-territorial scope creates conflict with laws in other jurisdictions

What's Coming Next

Implementation continues throughout 2026. Key milestones to watch:

  1. Category 1 designations — Ofcom is finalising which platforms count as "Category 1", triggering the strictest duties.
  2. Codes of practice — new codes on illegal content, child safety and fraud advertising are being consulted on and will become enforceable.
  3. Judicial reviews — Wikipedia, Wikimedia UK and several civil liberties groups have signalled legal challenges to specific provisions.
  4. Review of encryption powers — the government has committed to a review before activating Section 121; the outcome will shape the future of private messaging in Britain.

Final Thoughts

The UK Online Safety Act is a genuine attempt to make the internet safer, particularly for children, and some of its measures — like criminalising cyberflashing and forcing platforms to tackle fraud — are overdue. But it also introduces real risks to adult privacy: potential encryption weakening, mandatory identity checks and vastly expanded content scanning.

The good news is that most of the privacy impact can be mitigated with sensible habits: encrypted DNS, privacy-first browsers, minimal identity sharing, aliasing services and clean, tracker-free links. As Britain settles into life under Ofcom's watch, taking a few minutes to tighten your own digital hygiene is the single most effective response.

For more on picking privacy-friendly tools, read our honest review of Lunyb and our 2026 review of Rebrandly.

FAQ

Does the Online Safety Act ban end-to-end encryption?

No — the Act does not explicitly ban encryption. However, Section 121 allows Ofcom to require platforms to deploy "accredited technology" to detect illegal content in private messages, which in practice would require breaking or bypassing end-to-end encryption. The government has said this power will not be used until technically feasible, but it remains on the statute book.

Do I have to verify my age to use social media in the UK?

Not necessarily for general social media, but platforms likely to be accessed by children must use "proportionate" age assurance to protect minors from harmful content. Adult content sites must use "highly effective" age verification from 2025. Expect more prompts for ID, facial estimation or credit card checks over time.

Can I still use privacy tools like encrypted messengers and Tor?

Yes. Using Signal, WhatsApp, Tor, encrypted DNS or the Tor Browser remains completely legal in the UK. The Act regulates platform behaviour, not individual users' choice of privacy tools. Some messenger providers may exit the UK if forced to weaken encryption, but there is no ban on using strong cryptography.

Who enforces the Online Safety Act?

Ofcom is the sole regulator. It can issue fines of up to £18 million or 10% of a company's global annual turnover, whichever is higher. In serious cases, Ofcom can also seek court orders to block services in the UK and pursue criminal charges against senior managers who fail to comply.

How does the Act affect small websites and blogs?

If your site allows user-to-user interaction (comments, forums, direct messages) and has UK users, you technically fall within scope — but Ofcom has said enforcement will be risk-based and proportionate. Small, low-risk services face far lighter duties than major platforms. Publishing your own content without user interaction is generally outside the Act.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles