
UK Online Safety Act: What It Means for Your Privacy

Lunyb Security Team
9 min read

The UK Online Safety Act is one of the most sweeping pieces of internet legislation Britain has ever passed. Marketed as a law to protect children and clamp down on illegal content, it also has wide-reaching consequences for the privacy of every adult who uses online services in the UK. If you send messages, browse social platforms, or run a website, the Act touches you.

This guide explains what the Online Safety Act actually does, how it interacts with your personal privacy, and what realistic steps British users can take to stay in control of their data.

What Is the UK Online Safety Act?

The Online Safety Act 2023 is a UK law that places legal duties on tech companies — from social networks to search engines and messaging apps — to protect users from illegal content and, in some cases, content that is legal but harmful to children. Ofcom is the regulator responsible for enforcing it, with powers to fine non-compliant companies up to £18 million or 10% of global annual turnover, whichever is higher.

The Act came into force in stages from late 2023 through 2025, with the most consequential provisions — including age assurance requirements and illegal content duties — taking effect in 2025 and 2026.

Who the Act Applies To

The law applies to any service with a meaningful UK user base, regardless of where the company is headquartered. That includes:

  • Social media platforms (Facebook, Instagram, TikTok, X)
  • Search engines (Google, Bing, DuckDuckGo)
  • Messaging services (WhatsApp, Signal, Telegram)
  • Adult content websites
  • File-sharing services and forums
  • Smaller user-to-user platforms, including community sites and some link-sharing tools

The Core Privacy Concerns

While the Act's intent is child safety and crime prevention, several provisions sit in direct tension with personal privacy. Three areas matter most for everyday users: age verification, message scanning, and data retention.

1. Mandatory Age Verification

Services that host pornographic content — and many that host content deemed harmful to children — must now use "highly effective" age assurance. In practice, this means submitting government ID, a credit card check, a facial age estimation scan, or going through a third-party age verification provider.

The privacy concern is straightforward: large databases of identity documents tied to browsing habits become attractive targets for hackers. Even when providers claim not to store data, the trust model requires you to take their word for it.

2. Pressure on Encrypted Messaging

One of the most controversial sections empowers Ofcom to require platforms to use "accredited technology" to identify illegal content, including in private messages. End-to-end encrypted services like Signal and WhatsApp argued this would effectively force them to break encryption through client-side scanning — analysing your messages on your own device before they are encrypted.

The government has said the power will not be used until it is "technically feasible" to do so without weakening encryption. That language reassures no one in the security community, because the consensus is that secure mass scanning of private content is not possible without introducing vulnerabilities.

3. Expanded Data Collection and Retention

To prove compliance, platforms now collect and retain more data: age signals, content moderation logs, user reports, and risk assessments. More data sitting on servers means a larger attack surface and more material that can be requested by law enforcement or leaked in a breach.

How the Act Changes Your Daily Browsing

If you are a typical UK internet user, here is what you have likely already noticed — or will soon.

More Identity Checks

Adult sites, dating apps, alcohol retailers, and some social platforms now ask for age verification before you can access them. Some use face-scan estimation; others require a passport or driving licence upload. Even Wikipedia raised concerns about whether it could fall under the rules.

Geo-Blocking and Service Withdrawal

Several smaller platforms have pulled out of the UK rather than comply. Some forums and adult sites display a message saying they no longer serve British users. Expect this to continue as compliance costs rise.

Friction in Sign-Ups

Account creation now often includes age estimation, identity checks, or extra verification steps. This particularly affects gaming, video, and community platforms with younger user bases.

Comparison: Before vs After the Online Safety Act

| Area | Before the Act | After the Act |
|---|---|---|
| Accessing adult content | Self-declared age | Verified ID, card, or face scan |
| Private messaging | End-to-end encrypted, no scanning | Legal power for content scanning exists |
| Platform data retention | Driven by GDPR minimisation | Expanded for safety compliance |
| Small forums/sites | Few regulatory duties | Risk assessments and reporting required |
| Cross-border services | Operated freely in UK | Some withdrawing from UK market |

What the Act Does Not Change

It is worth being clear about what stays the same. The UK GDPR and Data Protection Act 2018 still apply. Companies must still minimise data collection, secure it appropriately, and respond to subject access requests. The Online Safety Act sits alongside these, not above them.

You also retain the right to use privacy-enhancing tools: encrypted browsers, private DNS providers, password managers, and privacy-focused search engines. None of these are illegal under the Act.

Practical Steps to Protect Your Privacy

You cannot opt out of the law, but you can reduce how much of your personal data ends up in compliance databases. The following steps are realistic for ordinary users.

  1. Use age verification providers selectively. Where you have a choice between uploading a passport directly to a site or using a reusable third-party verifier (such as Yoti or 1Account), the third-party route often shares less data with the destination site.
  2. Move to encrypted DNS. Switch your phone and home router to a DNS provider that supports DNS-over-HTTPS or DNS-over-TLS (Cloudflare 1.1.1.1, Quad9, or NextDNS are popular choices). This stops your internet provider reading your DNS lookups, although it can still see the IP addresses you connect to and, in most cases, the site name sent in the TLS handshake.
  3. Use a privacy-respecting browser. Firefox, Brave, and Safari all offer stronger anti-tracking defaults than Chrome. Pair them with uBlock Origin where possible.
  4. Audit which apps need real ID. If a service insists on a passport scan but you can achieve the same thing elsewhere with a card check, choose the lower-data option.
  5. Compartmentalise your accounts. Use different email addresses (with aliases like Apple's Hide My Email or SimpleLogin) for different categories of service so a breach on one does not link to all the others.
  6. Watch what you share through link shorteners. If you publish links — on social media, in newsletters, or via QR codes — use a shortener that respects privacy and does not track your audience beyond what you need. Tools like Lunyb let you shorten and share links without bulk profiling of every click.
  7. Review your messaging app settings. Turn on disappearing messages where appropriate, verify safety numbers with key contacts, and keep apps updated so security patches land quickly.

What the Act Means for Website Owners and Creators

If you run a UK-facing website with user-generated content — even a small forum, comment section, or community newsletter — you may have duties under the Act. The smallest services face lighter obligations, but everyone in scope must complete an illegal content risk assessment.

Quick Checklist for Small Site Operators

  • Determine whether your service falls in scope (user-to-user or search functionality serving UK users)
  • Complete and document an illegal content risk assessment
  • Publish clear terms and a reporting mechanism for illegal content
  • Keep records of moderation decisions
  • Review whether children are likely to access your service; if yes, additional duties apply

If you publish or share links as part of your work, picking the right tools matters. Our 2026 buyer's guide to URL shorteners compares the major options on privacy, analytics, and compliance, and our honest review of Lunyb walks through what to expect from the platform itself.

How the UK Compares to the EU and US

The Online Safety Act is part of a global wave of platform regulation, but each jurisdiction takes a different angle.

| Jurisdiction | Main Law | Primary Focus | Privacy Tension |
|---|---|---|---|
| United Kingdom | Online Safety Act 2023 | Illegal content, child safety | Age checks, message scanning powers |
| European Union | Digital Services Act | Transparency, systemic risk | Mostly process-based, less invasive |
| United States | Section 230 + state laws | Liability shield with carve-outs | State-level age verification laws |
| Australia | Online Safety Act 2021 | Cyberbullying, abuse material | Takedown powers, ID checks rolling out |

The UK sits at the more interventionist end of this spectrum, particularly on age assurance and encrypted messaging.

The Road Ahead

The Online Safety Act is not a finished product. Ofcom continues to publish codes of practice, and the government has signalled appetite for further legislation on misinformation, AI-generated content, and small but high-risk platforms. Expect more identity checks, more compliance friction, and ongoing legal battles over where safety ends and surveillance begins.

For individual users, the practical posture is the same as it always was: assume your data is being collected somewhere, minimise what you hand over, and use tools that take privacy seriously by default. The law has shifted the ground, but the principles of good personal data hygiene have not.

Frequently Asked Questions

Does the UK Online Safety Act ban end-to-end encryption?

No, it does not explicitly ban encryption. However, it gives Ofcom the power to require platforms to use "accredited technology" to detect illegal content, which security experts argue cannot be done in encrypted environments without weakening encryption. The government has said it will not enforce this power until it is technically feasible without compromising security — a condition many experts believe cannot be met.

Do I have to upload my passport to use adult websites in the UK?

You have to prove you are over 18 using a method the platform considers "highly effective", but passport upload is only one option. Most compliant sites also accept credit card checks, facial age estimation, mobile network checks, or third-party age verification services such as Yoti. Third-party verifiers typically share less personal data with the destination site.

Does the Act apply to small websites and personal blogs?

It applies to user-to-user services and search services with a UK user base. A personal blog with no comments or user-generated content is generally out of scope. A small forum, comment section, or community platform is likely in scope, though the obligations scale with size and risk. Ofcom has published guidance specifically for small services.

Can I still use privacy tools like encrypted DNS or private browsers?

Yes. The Online Safety Act regulates platforms and services, not the privacy tools individuals use to access them. Encrypted DNS, privacy-focused browsers, password managers, email aliases, and tracker blockers all remain fully legal and are sensible choices for anyone wanting to limit how much data they leak online.

Will my private messages be scanned by the government?

Not currently. The Act creates the legal power for Ofcom to require scanning of private communications for child sexual abuse material, but the government has committed not to use it until secure technology exists to do so. No mass scanning is in effect at the time of writing, but the legal mechanism is in place and could be activated in future.
