UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act is one of the most far-reaching pieces of internet legislation Britain has ever passed. It promises to make online spaces safer for children and to hold tech platforms accountable for harmful content. But behind the headlines about safety lies a complex set of rules that affect every adult user too — touching on identity verification, encryption, content moderation and the very nature of online anonymity.
This guide explains, in plain English, what the Act actually does, how Ofcom is enforcing it, and what the practical privacy implications are for everyday people browsing, posting and messaging in the UK.
What is the UK Online Safety Act?
The Online Safety Act 2023 is a UK law that imposes legal duties of care on online services — particularly user-to-user platforms, search engines and pornography sites — to protect users from illegal content and from content that is harmful to children. Ofcom is the regulator responsible for enforcement.
The Act became law in October 2023, but its duties are being phased in throughout 2024, 2025 and into 2026 as Ofcom publishes codes of practice. By 2026, most major obligations — including age assurance, illegal content duties and transparency reporting — are fully in force.
Who does it apply to?
The Act has extraterritorial reach. It applies to any service with a significant number of UK users, links to the UK, or that is targeted at the UK market, regardless of where the company is based. This includes:
- Social media platforms (Facebook, X, TikTok, Reddit, Discord)
- Messaging services (WhatsApp, Signal, Telegram)
- Search engines (Google, Bing, DuckDuckGo)
- Pornography websites
- File sharing services, forums and online gaming with chat features
- Cloud storage and some commenting systems
The Core Privacy Concerns
The Act's safety goals are widely supported, but several provisions have raised serious concerns among privacy advocates, security researchers and human rights organisations. Here are the main pressure points.
1. Age assurance and identity verification
Platforms that host pornography or content harmful to children must now use "highly effective" age assurance. In practice, this means UK adults are being asked to prove their age before accessing legal adult content, often by:
- Uploading a photo of a passport or driving licence
- Submitting to a live facial age estimation scan
- Providing credit card details for verification
- Using a third-party digital identity wallet
The privacy risk is obvious: a database somewhere now links your real identity to the fact that you visited a specific adult site on a specific date. Even if providers promise not to store the data, breaches happen — and the chilling effect on lawful behaviour is significant.
2. The encryption question
Section 121 of the Act gives Ofcom the power to require platforms to use "accredited technology" to identify child sexual abuse material (CSAM) and terrorism content. The government insists this can be done without breaking end-to-end encryption. Most cryptographers disagree.
The only known way to scan encrypted messages is client-side scanning — software on your phone that inspects every message before it is encrypted. Critics argue this fundamentally undermines the security model of platforms like Signal and WhatsApp, both of which have publicly stated they would withdraw from the UK rather than compromise encryption.
As of 2026, the government has said it will not activate this power until the technology is "feasible" — effectively a pause, not a repeal. The legal mechanism remains on the books.
3. Content moderation and lawful speech
Although the "legal but harmful" category for adults was removed during the Bill's passage, platforms still face large fines (up to 10% of global revenue) for failing to remove illegal content quickly. The practical result is over-moderation: platforms err on the side of removing borderline posts to avoid risk, which can sweep up legitimate political speech, journalism and satire.
4. Data retention and access
To comply with their duties, platforms must keep records of risk assessments, moderation decisions and user reports. Some of this data is accessible to Ofcom, which can issue information notices requiring disclosure. The chain from "I made a post" to "a regulator can see who made what post and when" is shorter than many users realise.
How the Act Changes Everyday Browsing
Here is what UK users are likely to notice, or have already noticed, in 2026.
More verification walls
Expect to encounter age gates on adult sites, gambling sites, alcohol retailers and even some social media features. Reddit, X and Discord have all rolled out age checks for certain categories of content in the UK.
Services geo-blocking the UK
Smaller platforms unable to afford compliance have simply blocked UK visitors. Several US-based forums, independent adult sites and some Wikipedia-style projects have either restricted features or withdrawn from the UK market entirely.
Tighter default settings for accounts
Many platforms have made accounts more private by default for users they suspect might be minors, and have restricted recommendations and direct messaging. Adults sometimes get caught up in these changes when their account is incorrectly flagged.
Your Rights Under the Act
The Act is not all surveillance and gatekeeping — it does give users some meaningful rights.
| Right | What it means |
|---|---|
| Right to appeal | If your content or account is removed, large platforms must offer a clear, accessible appeals process. |
| Right to report | Easy-to-use reporting tools for illegal content and content harmful to children. |
| Right to user empowerment tools | Category 1 services must offer adults tools to filter out certain content types and to verify other users. |
| Right to privacy considerations | Ofcom must have regard to user privacy and freedom of expression when enforcing duties. |
| Right to transparency | Major platforms must publish transparency reports on moderation and risk. |
Practical Steps to Protect Your Privacy
Living under the Act does not mean accepting a loss of privacy as inevitable. Here are practical, lawful steps any UK user can take.
1. Choose age verification methods carefully
If you must verify your age, prefer methods that minimise data: a facial age estimation that processes locally and deletes immediately is usually less risky than uploading a passport photo to a database. Look for providers certified to the Age Check Certification Scheme (ACCS).
2. Use encrypted DNS and a private browser
DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) prevents your internet provider from easily logging every domain you visit. Browsers like Firefox, Brave and Safari all support encrypted DNS. Combine this with strict tracking protection and you reduce the metadata trail considerably.
3. Compartmentalise your identity
Use different email addresses, usernames and even browser profiles for different parts of your online life. Sensitive accounts should not share identifiers with your everyday social media. Email aliasing services make this easy.
4. Be careful with links you share
Tracking parameters in URLs leak information about where you clicked from, what campaign you saw, and sometimes even who you are. A privacy-respecting link shortener like Lunyb lets you share clean, short links without exposing tracking data or the full destination URL to every intermediary. For a broader comparison of options, see our 2026 buyer's guide to URL shorteners.
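What stripping tracking parameters from a link looks like in practice, as an added example that is not part of the original guide and is not Lunyb's code. The parameter list and the sample URL are constructed for illustration and are not exhaustive.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Illustrative (not exhaustive) click and campaign identifiers added by
# ad networks, social platforms and mailing tools.
TRACKING_KEYS = {"gclid", "dclid", "fbclid", "msclkid", "yclid",
                 "igshid", "mc_cid", "mc_eid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking(key: str) -> bool:
    """True if a query parameter name matches a known tracking pattern."""
    k = key.lower()
    return k in TRACKING_KEYS or k.startswith(TRACKING_PREFIXES)


def clean_url(url: str) -> tuple[str, list[str]]:
    """Return (cleaned_url, removed_names); other parameters keep their order.

    Kept values are re-encoded by urlencode, so their percent-encoding can
    differ from the original even though the decoded values are identical.
    """
    parts = urlsplit(url)
    kept, removed = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_tracking(key):
            removed.append(key)
        else:
            kept.append((key, value))
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path,
                          urlencode(kept), parts.fragment))
    return cleaned, removed


# Constructed sample link: "id" and "ref" are treated as functional and kept.
SAMPLE = ("https://shop.example/item?id=42&utm_source=newsletter"
          "&utm_campaign=spring&fbclid=AbC123&ref=home#reviews")

if __name__ == "__main__":
    cleaned, removed = clean_url(SAMPLE)
    print(cleaned)
    print("removed:", removed)
```

Only parameters matching the list are dropped, so identifiers a site embeds under its own names or in the path survive; check the cleaned link before sharing it.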
5. Read the platform's UK-specific privacy notice
Many services now publish a separate UK supplement covering how they handle Online Safety Act compliance data — what they collect for age assurance, how long they keep moderation logs, and what they share with Ofcom. It is worth a few minutes of your time.
6. Use end-to-end encrypted messaging where it matters
Signal, WhatsApp and iMessage remain end-to-end encrypted in the UK as of 2026. The controversial scanning powers in the Act have not been activated. For private conversations, these tools still provide strong protection — though you should keep an eye on policy developments.
The Act vs GDPR: How Do They Interact?
The UK GDPR and Data Protection Act 2018 still apply. The Online Safety Act does not override them — it sits alongside. In practice this means:
- Platforms collecting age verification data must still have a lawful basis under GDPR (usually legal obligation or legitimate interests).
- You retain rights of access, rectification and erasure for your personal data.
- The ICO and Ofcom have signed a memorandum of understanding to coordinate enforcement where the two regimes overlap.
- If a platform retains age verification data longer than necessary, that is potentially a GDPR breach you can report to the ICO.
Comparing the UK Approach to Other Regions
| Region | Key Law | Approach | Encryption Stance |
|---|---|---|---|
| UK | Online Safety Act 2023 | Duty of care + Ofcom enforcement | Scanning powers reserved, not active |
| EU | Digital Services Act | Tiered obligations by platform size | Separate CSAM regulation debated |
| Australia | Online Safety Act 2021 | eSafety Commissioner takedown powers | Industry codes, no mandated scanning |
| USA | Section 230 + state laws | Platform immunity with carve-outs | Strong constitutional protections |
The UK's approach is among the most prescriptive, particularly on age assurance. It is being watched closely by other jurisdictions considering similar legislation.
What's Next for the Act?
Several reviews and amendments are expected through 2026 and 2027:
- Ofcom code updates: New codes covering generative AI content, deepfakes and synthetic media are in consultation.
- Parliamentary review: A statutory review of the Act's effectiveness is due, with particular attention to small platforms and freedom of expression.
- Age assurance standards: Expect stricter certification of age verification providers and clearer rules on data minimisation.
- Legal challenges: Several judicial reviews are working through the courts, particularly around the proportionality of certain duties.
Frequently Asked Questions
Does the Online Safety Act require me to verify my real identity to use social media?
No, not generally. The Act does not require universal ID verification. However, Category 1 platforms must offer optional user verification tools, and you may need to confirm you are over 18 to access certain content. You can still use a pseudonym on most social platforms.
Is end-to-end encryption illegal under the Online Safety Act?
No. End-to-end encryption remains legal in the UK. The Act contains powers that could in theory require platforms to scan encrypted content for CSAM, but the government has said these powers will not be used until technology exists to do so without breaking encryption — which most experts say is not currently possible.
What happens to my data when I verify my age on an adult site?
It depends on the provider. Best practice is that the verification provider confirms only "yes, this person is over 18" to the site, without sharing your identity or browsing history. However, the verification provider itself may retain records. Always check the provider's privacy notice and look for ACCS certification.
Can I be fined personally under the Online Safety Act?
The Act primarily targets platforms, not individual users. However, it created new criminal offences for sending threatening communications, false communications intended to cause harm, and cyberflashing. Posting illegal content was already a crime; the Act adds some new categories.
Will small forums and hobby sites have to comply?
Yes, to a proportionate degree. Even small user-to-user services have illegal content duties, though Ofcom has signalled a lighter-touch approach for low-risk small services. Many small UK forums have nevertheless closed or geo-blocked the UK rather than navigate compliance — a real and unintended consequence of the law.
Final Thoughts
The Online Safety Act is here to stay, and most of its duties are now active. For UK users, the practical upshot is more friction, more verification walls, and a quieter erosion of the casual anonymity that defined the early internet. None of that is reason to despair — but it is reason to be deliberate about the tools and habits you use online.
Stay informed about your rights, choose services that respect data minimisation, and use privacy-friendly tools wherever you can. The law sets the floor; your choices set the ceiling.