UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act is one of the most significant pieces of internet legislation Britain has ever passed. Designed to make the UK "the safest place in the world to be online," it imposes sweeping duties on social media platforms, search engines, and messaging services. But behind the headlines about protecting children and tackling illegal content lies a far more complicated story — one with serious implications for the privacy of every British internet user.
This guide breaks down exactly what the Online Safety Act does, how it affects your personal privacy, and the practical steps you can take to stay in control of your data in 2026 and beyond.
What Is the UK Online Safety Act?
The UK Online Safety Act is a 2023 law that places legal duties on online platforms to protect users — particularly children — from illegal and harmful content. It is enforced by Ofcom, which has the power to fine companies up to £18 million or 10% of global annual turnover for non-compliance.
The Act covers three broad categories of services:
- User-to-user services: social media platforms, forums, dating apps, and messaging services.
- Search services: general search engines like Google and Bing.
- Pornography providers: any site publishing adult content accessible from the UK.
Although the legislation is framed as a safety measure, several of its provisions touch directly on encryption, identity verification, and content monitoring — all areas where privacy and safety intersect uncomfortably.
Key Dates and Enforcement Timeline
- October 2023: The Act receives Royal Assent.
- 2024: Ofcom publishes draft codes of practice on illegal harms.
- March 2025: Illegal content duties come into force.
- July 2025: Age verification and child safety duties begin enforcement.
- 2026 onward: Full enforcement, including categorised services and transparency reporting.
How the Online Safety Act Affects Your Privacy
The Online Safety Act affects privacy in four major ways: through age verification requirements, content scanning powers, identity-linked accounts, and weakened end-to-end encryption protections. Each of these introduces new data flows that didn't exist before.
1. Mandatory Age Verification
Sites hosting pornography or content deemed harmful to children must implement "highly effective" age assurance. In practice, this usually means uploading a government-issued ID, a face scan, a credit card check, or a digital identity wallet to a third-party verification service.
The privacy risk is obvious: huge databases of people's identities are now linked to the websites they visit. Even when verification providers claim not to retain data, breaches of similar systems abroad have already exposed millions of users.
2. Pressure on End-to-End Encryption
Section 122 of the Act gives Ofcom power to require services to use "accredited technology" to scan private messages for child sexual abuse material (CSAM) and terrorism content. Major providers, including Signal and WhatsApp, publicly stated they would withdraw from the UK before breaking encryption.
The government has since said the powers will only be used when "technically feasible" — but the legal mechanism remains on the statute book. If client-side scanning is ever mandated, every photo and message you send could be analysed on your device before encryption.
3. Identity-Linked Online Accounts
Category 1 services (the largest platforms) must offer users tools to verify their identity and to filter out interactions from unverified accounts. While optional for users, this normalises identity-linked browsing and creates yet another data set tying real names to online behaviour.
4. Expanded Content Monitoring
Platforms must proactively detect a wide range of illegal content. To meet these duties, services are deploying more automated scanning, behavioural analysis, and metadata collection — all of which expand how much information is stored about ordinary users.
Who Is Most Affected?
While the Act technically applies to platforms rather than individuals, the downstream effects vary considerably depending on how you use the internet.
| User Group | Primary Privacy Impact | Severity |
|---|---|---|
| Adults visiting adult sites | ID or biometric verification required | High |
| Users of encrypted messengers | Potential client-side scanning | High |
| Children and teenagers | Age-gated content, increased moderation | Medium |
| Social media users | Identity verification tools, more scanning | Medium |
| Journalists and whistleblowers | Reduced anonymity, scanning risks | High |
| Small forum operators | Compliance burden, data retention | Medium |
The Encryption Debate: Why It Matters
End-to-end encryption (E2EE) is the technology that ensures only you and the person you're communicating with can read your messages. It underpins banking apps, medical consultations, journalist source protection, and everyday family chats.
The Online Safety Act doesn't ban encryption outright, but it leaves the door open for Ofcom to require scanning tools that effectively undermine it. Security researchers have repeatedly warned that:
- Client-side scanning creates a permanent surveillance backdoor on every device.
- Scanning systems can be expanded over time to detect other categories of content.
- Hash-matching databases can be poisoned or weaponised by malicious actors.
- Once the cryptographic guarantee is broken, it cannot be selectively restored.
For now, encrypted messengers continue to operate in the UK, but the regulatory pressure is constant. Privacy-conscious users should pay close attention to Ofcom's published codes and any technology notices issued under Section 122.
Age Verification: A Closer Look
Age verification has become the most visible consumer-facing element of the Act. From July 2025, adult sites accessible in the UK must use "highly effective" methods to confirm users are 18 or over.
Common Age Assurance Methods
- Photo ID upload: passport or driving licence submitted to a third party.
- Facial age estimation: a selfie analysed by AI to estimate age.
- Credit card checks: verification via a payment card linked to an adult.
- Mobile network checks: age confirmation through your mobile operator.
- Digital identity wallets: reusable credentials issued by certified providers.
Privacy Risks of Age Verification
- Data breaches: centralised identity databases are high-value targets.
- Profiling: verification providers may build cross-site behavioural profiles.
- Chilling effects: users avoid legal content rather than hand over ID.
- Exclusion: people without ID or credit cards may be locked out entirely.
Ofcom's guidance requires that age assurance be privacy-preserving, but the technical reality varies enormously between providers. Always check whether a verifier uses "double-blind" architecture — where the website doesn't learn your identity and the verifier doesn't learn which site you visited.
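As an added illustration (not from this guide or from any named verifier), the sketch below shows one way a double-blind check can be built, assuming RSA blind signatures: the verifier signs a token it cannot see, and the website checks that signature without learning who you are. The demo key, function names and token format are constructed for this example.

```python
import hashlib
import secrets
from math import gcd

# Assumption: blind RSA signatures are one possible double-blind design.
# Constructed demo key from two known Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, known to every website
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the verifier


def h(token: bytes) -> int:
    """Hash a token into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def user_blind(token: bytes):
    """User hides the token from the verifier with a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r


def verifier_sign(blinded: int) -> int:
    """Verifier checks age out of band, then signs without seeing the token
    and without being told which site it will be shown to."""
    return pow(blinded, D, N)


def user_unblind(blind_sig: int, r: int) -> int:
    """User strips r, leaving an ordinary signature on the original token."""
    return (blind_sig * pow(r, -1, N)) % N


def site_check(token: bytes, sig: int, spent: set) -> bool:
    """Site verifies with the public key only and rejects reused tokens.
    It learns 'a verified adult holds this token', not who that adult is."""
    if token in spent or pow(sig, E, N) != h(token):
        return False
    spent.add(token)
    return True
```

Because the verifier only ever sees the blinded value, it cannot later match a token presented at a website to the person it verified, even if it compares records with that site.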
What You Can Do to Protect Your Privacy
You can protect your privacy under the Online Safety Act by using privacy-respecting tools, minimising data shared with verifiers, choosing encrypted services, and being deliberate about which platforms you use. Here are practical steps that work in 2026.
1. Use Privacy-Focused Browsers and DNS
Switch to a browser that blocks trackers by default (such as Firefox with strict mode, Brave, or Mullvad Browser). Pair it with encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) so your internet provider cannot easily log every domain you visit.
2. Choose Verifiers Carefully
If you must verify your age, pick a provider that:
- Has been certified to an established age assurance standard (e.g. ACCS or IEEE 2089.1).
- Offers a "verify once, reuse" model so you don't repeatedly upload ID.
- Publishes a clear data retention policy — ideally deleting data within minutes.
- Uses on-device or zero-knowledge techniques where possible.
3. Be Selective About Identity-Linked Accounts
You are not required to verify your identity on social media. Treat platform "verified user" features as opt-in, and weigh whether the benefit of filtering unverified replies outweighs handing over more personal data.
4. Use Encrypted Messengers — While You Still Can
Signal remains the gold standard for private messaging. WhatsApp also offers strong end-to-end encryption. Avoid SMS for anything sensitive, and turn on disappearing messages where appropriate.
5. Reduce Your Link Footprint
Every link you share is a potential data leak — referrers, tracking parameters, and analytics tags can reveal far more than you realise. A privacy-respecting URL shortener like Lunyb lets you share clean, branded links without exposing recipient data to third-party trackers. You can read our honest review of Lunyb for more on how it compares to alternatives, or browse the 2026 buyer's guide to URL shorteners for the wider market view.
6. Exercise Your Data Rights
UK GDPR still applies alongside the Online Safety Act. You have the right to:
- Request a copy of your data (Subject Access Request).
- Ask for inaccurate data to be corrected.
- Request deletion in many circumstances.
- Complain to the Information Commissioner's Office (ICO) if a platform mishandles your data.
The Bigger Picture: Safety vs Privacy
There is no doubt that the Online Safety Act addresses real harms. Child sexual abuse material, terrorist content, and fraud all cause genuine damage and need to be tackled. The controversy isn't about whether these harms matter — it's about whether the chosen tools are proportionate and effective.
Privacy advocates argue that:
- Mass scanning treats every user as a suspect.
- Age verification databases create new harms even as they address others.
- Smaller platforms face compliance costs that entrench big tech monopolies.
- Determined bad actors will simply move to non-UK platforms.
Supporters counter that platforms have failed to self-regulate for two decades and that legal duties are the only way to force meaningful change. As with most regulation, the truth is somewhere in between — and the practical detail will be shaped by Ofcom's codes and the courts over the coming years.
What's Next?
The Online Safety Act is a living framework. Expect more codes of practice, new categorisation thresholds, and likely amendments as enforcement reveals gaps. Areas to watch in 2026 include:
- Ofcom's first major enforcement actions and fines.
- Legal challenges to age verification on human rights grounds.
- Industry standards for privacy-preserving age assurance.
- Possible Section 122 technology notices and the encryption industry's response.
- The interaction between the Online Safety Act, UK GDPR, and the Data Protection and Digital Information Bill.
Frequently Asked Questions
Does the UK Online Safety Act ban end-to-end encryption?
No, the Act does not explicitly ban end-to-end encryption. However, Section 122 gives Ofcom the power to require platforms to use "accredited technology" to scan for illegal content, which could in practice undermine encryption. The government has said it will only use these powers when "technically feasible," but the legal mechanism remains in place.
Do I have to upload my passport to visit adult websites in the UK?
Not necessarily a passport, but you will need to prove you are over 18 in some way. Acceptable methods include facial age estimation, credit card checks, mobile operator verification, or digital identity wallets. Choose verifiers that minimise data retention and use privacy-preserving architectures.
Does the Online Safety Act apply to small websites and forums?
Yes, it can. Any user-to-user service with UK users falls within scope, regardless of size. However, the duties are proportionate to risk and size, and the strictest obligations apply to "Category 1" services — the largest and highest-risk platforms. Small forums still need to assess risk and have basic safety measures in place.
Can I be prosecuted under the Online Safety Act as an individual?
The Act mainly imposes duties on platforms rather than individuals, but it did introduce new criminal offences including cyberflashing, threatening communications, and sharing intimate images without consent. Ordinary users are not liable for platform-level compliance, but they can be prosecuted for those new offences.
How does the Online Safety Act interact with UK GDPR?
Both laws apply simultaneously. The Online Safety Act imposes safety duties; UK GDPR governs how personal data is processed. The ICO and Ofcom have published joint guidance to help platforms comply with both. Importantly, your data protection rights — access, correction, deletion, and complaint — are unaffected by the Online Safety Act.
Final Thoughts
The UK Online Safety Act is a landmark piece of legislation that will reshape how Britons experience the internet for years to come. It tackles genuine harms, but it also introduces new privacy risks through age verification, content scanning, and identity-linked accounts. The best response is not panic, but informed choice: pick privacy-respecting tools, understand what data you're handing over, and exercise the rights you still have under UK GDPR.
The internet of 2026 is more regulated than ever — but with the right habits and the right tools, you can still browse, communicate, and share with confidence.