UK Online Safety Act: What It Means for Your Privacy

Lunyb Security Team

The UK Online Safety Act is one of the most far-reaching pieces of internet legislation Britain has ever passed. Introduced to tackle illegal content, child sexual abuse material and online harms, the Act also reshapes how platforms handle your personal data, age verification, encrypted messages and even the links you share. If you live in the UK or run a website that British users access, the Act now directly affects your day-to-day privacy.

This guide explains what the Online Safety Act actually does, where the genuine privacy risks lie, what Ofcom can require platforms to do, and what practical steps you can take to keep your online life private without falling foul of the law.

What Is the UK Online Safety Act?

The Online Safety Act 2023 is a UK law that places legal duties on online services to protect users — especially children — from illegal and harmful content. It is enforced by Ofcom, the UK's communications regulator, with powers to fine companies up to £18 million or 10% of global annual turnover, whichever is higher.

The Act applies to a huge range of services: social networks, search engines, messaging apps, forums, dating sites, video-sharing platforms, gaming services, file-sharing tools, and even smaller user-to-user platforms. Crucially, it applies to any service "with links to the UK" — meaning a platform based abroad still falls under its scope if British users can access it.

Key Categories Under the Act

  • Category 1: The largest user-to-user services with the highest reach (think major social networks).
  • Category 2A: The largest search services.
  • Category 2B: Smaller user-to-user services with specific risk factors.
  • All other regulated services: Subject to baseline illegal content duties and, where relevant, child safety duties.

Why the Online Safety Act Matters for Your Privacy

On the surface, the Act is about safety. In practice, several of its provisions create new obligations that touch personal data, identity verification and message content. The privacy implications fall into four broad areas: age assurance, content scanning, identity verification, and data retention.

1. Age Assurance and Age Verification

Services likely to be accessed by children — and any service hosting pornography — must use "highly effective" age assurance. In practice that often means uploading a photo of your passport or driving licence, having your face scanned for age estimation, or linking a payment card or mobile account.

Every one of those methods involves sharing biometric or identity data with a third-party verification provider. Even if the provider claims to delete the data immediately, you are now in a system where adult browsing is tied — at least momentarily — to a real-world identity.

2. Pressure on Encrypted Messaging

Section 121 of the Act gives Ofcom power to require platforms to use "accredited technology" to detect child sexual abuse material and terrorism content, including in private messages. The government has said this power will only be used when "technically feasible", but it has not been removed from the legislation.

Privacy advocates argue that scanning the content of end-to-end encrypted messages — sometimes called client-side scanning — fundamentally weakens encryption for everyone. Signal and other secure messengers have publicly stated they would withdraw from the UK rather than compromise encryption.

3. Identity, Anonymity and "Verified User" Status

Category 1 services must offer adult users a tool to verify their identity and to filter out interactions with non-verified accounts. You are not legally required to verify yourself, but the social pressure (and reduced reach) of being an "unverified" account may push people toward handing over ID documents.

4. Data Retention and Investigatory Cooperation

Platforms must keep records to demonstrate compliance, cooperate with Ofcom investigations, and in some cases hand over information about users suspected of posting illegal content. This sits alongside existing UK data retention rules and the Investigatory Powers Act.

What Changes for Everyday UK Users

For most people, the Online Safety Act will show up in small but noticeable ways across the websites and apps you already use.

  1. More age gates. Expect to be asked to prove you are over 18 on adult sites, gambling platforms, alcohol retailers and some social networks.
  2. More content removals. Platforms are incentivised to over-remove borderline content to avoid fines, which may affect legitimate speech, journalism and activism.
  3. More identity friction. Posting on large platforms may increasingly nudge you toward verification.
  4. Geo-blocking. Some smaller foreign sites have already blocked UK visitors entirely rather than comply — a trend that started with US local-news sites under GDPR and is now repeating.
  5. Tighter rules on shared links. Platforms must assess links shared by users for illegal content, which affects how URL shorteners, redirects and embedded media are treated.

How the Act Affects Links, Redirects and URL Shorteners

Shortened links sit in an interesting position under the Act. A URL shortener doesn't host content itself, but it does direct users to destinations that might. Responsible shortener providers now need to consider whether their service could be used to obscure illegal content, and many have strengthened abuse reporting, scanning and takedown processes.

If you use shortened links for marketing, customer service or social posts, choose a provider that is transparent about its abuse policies, offers HTTPS by default, and gives you analytics without invasive tracking. We cover this in detail in our 2026 buyer's guide to URL shorteners and our honest review of Lunyb, which looks specifically at how a privacy-respecting shortener should behave.

Comparing Pre- and Post-Online Safety Act Browsing

| Aspect | Before the Act | After the Act |
|---|---|---|
| Access to adult sites | Self-declared age | Highly effective age assurance (ID, face scan, card check) |
| Posting on large social networks | Anonymous by default | Optional identity verification with social pressure to verify |
| Private messaging | End-to-end encryption widely supported | Potential client-side scanning powers held in reserve |
| Content moderation | Mostly platform-driven | Legally mandated risk assessments and removal duties |
| Small overseas forums | Generally accessible | Some geo-blocking UK users to avoid liability |
| Regulator powers | Limited to data protection (ICO) | Ofcom with major fines and business disruption powers |

Pros and Cons of the Online Safety Act from a Privacy Perspective

Pros

  • Stronger duties on platforms to remove genuinely illegal content quickly.
  • Clear protections for children, including default safety settings.
  • More transparency reporting from major platforms.
  • Better mechanisms for victims of intimate-image abuse and cyberflashing.
  • Independent oversight by Ofcom rather than self-regulation alone.

Cons

  • Age verification creates new databases of identity documents that can be breached.
  • Encrypted messaging is legally pressured even if the government says it won't act yet.
  • Smaller platforms may shut UK access rather than carry compliance costs.
  • Risk of over-removal of lawful speech as platforms err on the side of caution.
  • Anonymity online becomes harder to maintain on mainstream services.

Practical Steps to Protect Your Privacy Under the Act

You cannot opt out of the law, but you can reduce how much personal data you expose while still using British internet services lawfully.

  1. Use age-assurance providers that offer "zero-knowledge" or token-based checks. These confirm you are over 18 without storing your ID against your browsing history.
  2. Prefer end-to-end encrypted messengers that have publicly committed to leaving the UK rather than weaken encryption. Signal remains the gold standard.
  3. Enable encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) in your browser or operating system so your network provider sees fewer of the domains you visit.
  4. Use a privacy-respecting browser such as Firefox or Brave, with tracker blocking and fingerprinting protection turned on.
  5. Compartmentalise accounts. Use separate email addresses (or aliases) for adult services, financial services and social media so a breach in one area does not link to the others.
  6. Audit what you share. Before posting, ask whether the link, image or comment could later be used to identify you across services.
  7. Choose privacy-aware tools for shortened links and analytics — services like Lunyb let you create branded short links without invasive tracking, which is increasingly important as platforms scrutinise every URL shared.
  8. Exercise your data rights. Under UK GDPR you can still request access to and deletion of your data from any verification provider, and Ofcom's rules do not override those rights.

What Businesses and Creators Need to Do

If you run a website, newsletter, forum, Discord server or e-commerce shop that UK users access, you may be in scope of the Act — even if you're based outside the UK. Steps to take now include:

  • Carry out an illegal content risk assessment covering the priority offences listed in the Act.
  • If children can access your service, complete a children's access assessment and a children's risk assessment.
  • Publish clear terms of service that explain how you handle illegal and harmful content.
  • Set up reporting and complaints mechanisms that are easy to find and use.
  • Review your data processors — including link shorteners, analytics tools and age assurance providers — for UK GDPR and Online Safety Act alignment. Tools like Rebrandly and Lunyb take different approaches; our detailed Rebrandly review compares the trade-offs.
  • Keep compliance records ready in case Ofcom requests them.

Where the Act Could Go Next

Ofcom is rolling out the Act in phases through 2025 and into 2026, starting with illegal content duties, then children's safety, then the additional duties on Category 1 services. Several areas remain politically contested:

  • The encryption clause. The government has said scanning powers will only be used when "technically feasible". Privacy groups continue to push for its removal.
  • Age assurance standards. Expect ongoing debate about which providers and methods count as "highly effective".
  • Legal but harmful content for adults. This was removed before the Act passed, but ministers have hinted it could return in future legislation.
  • Small platforms. Ongoing lobbying may produce carve-outs for low-risk community sites.

For everyday users the trend is clear: more identity checks, more content moderation, and more pressure on the technologies that have historically kept online life private. Building good privacy habits now — choosing tools that minimise data collection, using encryption where you can, and staying informed about your rights — is the most effective response.

Frequently Asked Questions

Does the Online Safety Act mean I have to verify my identity to use social media?

No. Identity verification on Category 1 services is optional for adults. However, you may notice reduced functionality or reach if you choose not to verify, and certain features — like filtering out non-verified users — only work if others have verified.

Will the Online Safety Act break end-to-end encryption in the UK?

Not immediately. The Act gives Ofcom power to require scanning technology in private messages, but the government has said this power will only be used when it is technically possible without breaking encryption. Major encrypted messengers have said they would leave the UK rather than comply, so the practical impact is still uncertain.

Do I have to upload my passport to watch adult content in the UK?

You have to pass a "highly effective" age check, but uploading your passport is only one option. Other methods include face-based age estimation, mobile network checks, credit card verification and digital ID wallets. Choose providers that use token-based systems where the adult site never sees your ID directly.
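The token-based check mentioned above and in the practical steps, sketched as an added example (not code from this article or from any real age-assurance provider): the provider inspects the ID once and issues a short-lived token carrying only an over-18 claim, and the site verifies that token without ever receiving identity data. All function names, the claim layout and the sample values are hypothetical; a shared HMAC key stands in for the asymmetric signature a real provider would use.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date, datetime, timezone

# Constructed demo key. HMAC keeps this stdlib-only; a real provider would sign
# with an asymmetric key so the relying site can verify but never mint tokens.
PROVIDER_KEY = b"constructed-demo-key"
CLAIMS = {"over_18", "aud", "exp", "jti"}  # no name, birth date or document number

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(body: str) -> bytes:
    return _b64(hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()).encode()

def issue_token(id_doc: dict, audience: str, now: int, ttl: int = 300) -> str:
    """Provider side: inspect the ID once, emit a short-lived yes/no token."""
    dob = date.fromisoformat(id_doc["date_of_birth"])
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age < 18:
        raise ValueError("under 18: no token issued")
    claims = {"over_18": True, "aud": audience, "exp": now + ttl,
              "jti": secrets.token_hex(8)}  # random ID, unrelated to the person
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _mac(body).decode()

def read_claims(token: str) -> dict:
    body = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def verify_token(token: str, audience: str, now: int, seen: set) -> bool:
    """Site side: accept only an authentic, unexpired, unused, identity-free token."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(tag.encode(), _mac(body)):
            return False
        claims = read_claims(token)
    except ValueError:
        return False
    if set(claims) != CLAIMS or claims["over_18"] is not True:
        return False
    if claims["aud"] != audience or claims["exp"] < now or claims["jti"] in seen:
        return False
    seen.add(claims["jti"])  # single use, so a token cannot be replayed or shared
    return True
```

The site's verifier rejects any token whose claim set differs from the four expected fields, so a provider that starts embedding identity attributes is caught at the relying side rather than silently accepted.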

Does the Online Safety Act apply to overseas websites?

Yes, if the site has "links to the UK" — meaning UK users can access it and it has a significant UK user base, or it is targeted at UK users. Some smaller overseas sites have chosen to block UK visitors entirely rather than carry the compliance burden.

How does this affect URL shorteners and shared links?

URL shorteners don't host content, but they direct users to it, so responsible providers now invest more in abuse detection and takedown processes. For users and businesses, this means choosing shorteners with clear policies, HTTPS by default and privacy-respecting analytics. Our 2026 URL shortener comparison highlights which providers handle this well.
