UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act became law in October 2023 and is now being phased in by Ofcom throughout 2025 and 2026. Marketed as a child-protection and anti-harm law, it also reshapes the privacy landscape for every internet user in Britain. From age verification on adult sites to potential scanning of private messages, the Act has sweeping implications for how you browse, communicate, and share links online.
This guide breaks down what the Online Safety Act actually does, where the genuine privacy risks sit, and what practical steps you can take to keep your personal data protected without breaking the law.
What Is the UK Online Safety Act?
The UK Online Safety Act 2023 is a regulatory framework that imposes duties of care on online platforms to protect users — particularly children — from illegal and harmful content. It is enforced by Ofcom, which can fine non-compliant services up to £18 million or 10% of global annual turnover, whichever is greater.
The law applies to a vast range of services that have links to the UK, including:
- Social media platforms (Facebook, X, TikTok, Instagram)
- Search engines (Google, Bing, DuckDuckGo)
- Messaging apps (WhatsApp, Signal, Telegram)
- Adult content websites
- File-sharing services and cloud storage
- Online forums, gaming platforms, and dating apps
Crucially, the Act has extraterritorial reach. A platform based in the United States, Germany, or anywhere else must comply if it has a significant number of UK users or is targeted at the UK market.
Key Dates for Implementation
- March 2025: Illegal content duties came into force, requiring platforms to assess and mitigate risks of illegal material.
- July 2025: Age assurance requirements for services hosting pornography or content harmful to children took effect.
- 2026 onwards: Categorised services (the largest platforms) face additional transparency, user empowerment, and risk-assessment duties.
How the Online Safety Act Affects Your Privacy
While the Act's stated purpose is safety, several of its mechanisms create direct tension with the privacy rights enshrined in UK GDPR and the Data Protection Act 2018. Here are the most important areas to understand.
1. Age Verification and Identity Checks
Any service likely to be accessed by children that hosts adult content, gambling, or other restricted material must now use "highly effective" age assurance. In practice, this means one or more of the following:
- Uploading a photo of a government-issued ID
- Submitting a selfie for facial age estimation
- Linking a credit card or bank account
- Verification through a mobile network operator
- Open-banking-style "digital identity" providers
Even when age checks are performed by third-party providers rather than the platform itself, you are still handing over biometric or identity data to a company you may have never heard of. The Information Commissioner's Office (ICO) has issued guidance requiring data minimisation, but breaches and misuse remain a serious risk.
2. Pressure on End-to-End Encryption
Section 121 of the Act gives Ofcom the power to require platforms to use "accredited technology" to detect child sexual abuse material (CSAM) and terrorist content — even in private, encrypted messages. This is the so-called "spy clause."
The government has stated this power will only be used when "technically feasible," and currently no such technology exists that can scan encrypted messages without breaking encryption itself. Signal, WhatsApp, and other secure messengers have publicly stated they would withdraw from the UK rather than weaken encryption. The clause remains on the books, however, and represents an ongoing threat to private communications.
3. Content Scanning and Metadata Retention
Platforms must proactively detect illegal content, which in practice means more automated scanning of uploads, messages, and shared links. Even when content itself is not read, metadata — who you talked to, when, from where, and what you linked to — is increasingly logged and retained for compliance audits.
4. The End of Easy Anonymity
Categorised platforms must offer adult users tools to verify their identity and to filter out unverified accounts. While verification is optional for users, the infrastructure incentivises platforms to push everyone toward identifying themselves, eroding the practical anonymity that has been a hallmark of the open web.
Privacy Risks: A Practical Breakdown
The following table summarises where the most significant privacy trade-offs sit under the Act.
| Area | What Changes | Privacy Risk Level | Who Holds Your Data |
|---|---|---|---|
| Age verification | ID or biometric checks for restricted content | High | Third-party age assurance providers |
| Encrypted messaging | Potential client-side scanning | High (if enacted) | Platform + government agencies |
| Social media posts | More aggressive automated moderation | Medium | Platform + Ofcom audits |
| Search behaviour | Filtering of "priority harmful" content | Low–Medium | Search engine providers |
| Link sharing | Scanning of URLs for illegal destinations | Low | Platforms + URL reputation services |
| User verification tools | Optional identity verification on big platforms | Medium | Platform + identity partners |
Pros and Cons of the Act for UK Users
Pros
- Stronger legal protections for children online
- Clearer duties for platforms to act on illegal content
- New rights to appeal content moderation decisions on large platforms
- Mandatory transparency reports from major services
- Tools to filter out anonymous accounts if you choose
Cons
- Wide-ranging data collection for age assurance
- Legal pressure on end-to-end encryption
- Increased automated scanning of user content and metadata
- Smaller platforms may exit the UK market, reducing choice
- Compliance burden falls on companies that then pass costs to users
- Vague definitions of "harm" risk over-moderation of lawful speech
How to Protect Your Privacy Under the Online Safety Act
You cannot opt out of the Act, but you can make informed choices about what data you share and which services you use. Here is a practical, lawful checklist.
1. Choose Age Verification Methods Carefully
If a site requires age assurance, prefer methods that minimise data exposure:
- Facial age estimation that explicitly deletes the image after processing is usually less invasive than uploading ID.
- Mobile-network age checks rely on data your carrier already holds and avoid sharing new documents.
- Avoid providers that retain ID copies for longer than required. Read the privacy notice before you upload anything.
- Check whether the provider is certified under a recognised scheme such as the Age Check Certification Scheme (ACCS).
2. Use Encrypted DNS and Privacy-Focused Browsers
Encrypted DNS (DNS over HTTPS or DNS over TLS) prevents your internet provider from logging every domain you visit. Combined with a hardened browser such as Firefox, Brave, or LibreWolf, this dramatically reduces passive tracking. Most modern browsers can enable encrypted DNS in a single setting.
3. Minimise the Data You Share When Sharing Links
Long URLs copied from a website typically contain tracking parameters (utm_source, fbclid, gclid, and similar) that identify you to the recipient's analytics stack. Strip these before sharing, or use a privacy-respecting link shortener that does not bolt on additional trackers.
Services such as Lunyb let you create clean, short links without requiring account registration for basic use, and without enriching shared URLs with third-party tracking. If you want to verify Lunyb's track record before using it, our honest review of Lunyb goes into detail, and our 2026 buyer's guide to URL shorteners compares it with other major options.
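The stripping step described in this section, as an added example (not code from this article or from any service it mentions). The parameter list is an assumption limited to the names cited above plus the rest of the utm_ family, and the URLs are constructed samples:

```python
from urllib.parse import urlsplit, urlunsplit, unquote_plus

# Assumed list: the names the article cites, with utm_source widened to utm_*.
TRACKING_EXACT = {"fbclid", "gclid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """Match case-insensitively against the exact names and prefixes."""
    lowered = name.lower()
    return lowered in TRACKING_EXACT or lowered.startswith(TRACKING_PREFIXES)


def strip_tracking(url: str) -> tuple[str, list[str]]:
    """Return (clean_url, removed_names).

    Kept parameters are copied through byte-for-byte, so their order and
    percent-encoding are unchanged. Names are decoded only for matching,
    which also catches an encoded spelling such as utm%5Fsource.
    The fragment (#...) is left untouched.
    """
    parts = urlsplit(url)
    kept, removed = [], []
    for pair in parts.query.split("&"):
        if not pair:
            continue  # skip empty segments from '&&' or a trailing '&'
        name = unquote_plus(pair.split("=", 1)[0])
        if is_tracking_param(name):
            removed.append(name)
        else:
            kept.append(pair)
    clean = urlunsplit(parts._replace(query="&".join(kept)))
    return clean, removed


if __name__ == "__main__":
    # Constructed sample URL, not taken from a real site.
    sample = ("https://shop.example/item?id=42&utm_source=newsletter"
              "&utm_medium=email&fbclid=AbC123#reviews")
    cleaned, dropped = strip_tracking(sample)
    print(cleaned)
    print("removed:", ", ".join(dropped))
```

Returning the removed names lets you see what a link carried before you share it.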
4. Compartmentalise Your Online Identity
Use separate email addresses (or email aliases) for different categories of service: one for shopping, one for social media, one for newsletters. Aliasing services such as SimpleLogin, Firefox Relay, or Apple's Hide My Email make this trivial. If one provider is breached, the damage is contained.
5. Review App Permissions Regularly
Every quarter, audit which apps have access to your contacts, location, photos, and microphone on iOS and Android. Revoke anything you do not actively need. The Online Safety Act increases the regulatory incentive for platforms to harvest metadata, so the principle of least privilege matters more than ever.
6. Read Updated Privacy Notices
Many UK services updated their privacy notices in 2025 to reflect new Ofcom duties. Skim the sections on "safety processing" or "illegal content detection" to understand what is now being scanned and retained. Under UK GDPR, you still have rights to access, rectification, and (in many cases) erasure of your personal data.
The Bigger Picture: Privacy, Safety, and Regulation
The Online Safety Act is part of a global trend. The EU's Digital Services Act, Australia's Online Safety Act, and Canada's Online Harms Bill all impose similar duties of care. Together they signal a permanent shift from a self-regulated internet to a tightly governed one.
For UK users, the practical reality is this: the days of frictionless, anonymous browsing across mainstream platforms are largely over. But strong privacy is still achievable through good tooling, careful data hygiene, and an awareness of which services genuinely respect their users.
For businesses — particularly creators, marketers, and small publishers — the Act also means rethinking how you collect data, share links, and moderate user-generated content. Tools that minimise data collection by design, from privacy-respecting analytics to clean link shorteners, are no longer a nice-to-have. They are part of responsible compliance.
Frequently Asked Questions
Does the UK Online Safety Act mean the government can read my WhatsApp messages?
Not currently. The Act contains a power (Section 121) that could in principle require scanning of encrypted messages, but the government has confirmed it will only be used when technically possible without breaking encryption — a capability that does not exist today. WhatsApp, Signal, and similar services remain end-to-end encrypted, though the legal threat remains a concern.
Do I have to upload my passport to access adult websites in the UK?
You have to pass an age check, but not necessarily by uploading a passport. Many sites offer alternatives such as facial age estimation, credit card verification, mobile-operator checks, or digital identity wallets. Choose the option that exposes the least personal data, and check that the provider is certified.
Can I be fined for breaking the Online Safety Act as an individual user?
The Act's enforcement is aimed at platforms, not ordinary users. However, the Act did create new criminal offences (such as sending threatening communications, cyberflashing, and sharing intimate images without consent) that apply to individuals. Posting illegal content can lead to prosecution as it always has.
Does the Act apply to small websites and personal blogs?
Most very small services have limited obligations, but any platform that allows user-generated content or search functionality and has a UK link must conduct at least a basic risk assessment. Ofcom has published proportionate guidance for small services, but "too small to comply" is not a defence.
What can I do if a platform wrongly removes my content?
Categorised platforms must offer a clear, accessible complaints process and an internal appeal route. If that fails, you can complain to Ofcom about systemic failures, or seek legal advice if your rights under UK GDPR or the Human Rights Act have been infringed. Keep screenshots and reference numbers.
Final Thoughts
The UK Online Safety Act is one of the most ambitious internet regulations in the world, and its privacy implications are still being worked out in practice. The best response for most users is not panic but proactive hygiene: use privacy-respecting tools, share less data than you are asked for, and stay aware of how Ofcom's codes evolve over the next few years.
Strong privacy and online safety are not opposites. With the right habits and the right tools — from encrypted DNS to clean, tracker-free link sharing — you can comply with UK law while still keeping control of your personal data.