UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act (OSA) is one of the most sweeping pieces of internet legislation ever passed in Britain. Marketed as a law to protect children and clamp down on illegal content, it has also raised significant concerns among privacy advocates, security researchers, and ordinary users. If you live in the UK — or run a service that reaches UK users — the Act now shapes how platforms handle your messages, your identity, and your data.
This guide explains what the Online Safety Act actually does, how it affects your privacy in practice, and what practical steps you can take to stay in control of your personal information.
What Is the UK Online Safety Act?
The UK Online Safety Act 2023 is a law that imposes a legal "duty of care" on online platforms — from social networks and search engines to messaging apps and pornography sites — to protect users, particularly children, from illegal and harmful content. Ofcom is the appointed regulator, with powers to fine companies up to £18 million or 10% of global annual revenue, and even block services in the UK.
The Act came into force in stages, with major enforcement obligations landing throughout 2025 and 2026. It applies to any service with a "significant number of UK users" or that targets the UK market, regardless of where the company is based.
Who Does the Act Cover?
- User-to-user services: social networks, forums, dating apps, comment sections.
- Search services: Google, Bing, DuckDuckGo and similar.
- Pornography publishers: including sites that host adult content.
- Messaging and communication apps: including end-to-end encrypted platforms.
- File-sharing, gaming platforms and cloud storage where user content is shared.
The Core Privacy Concerns
On paper, the Act is about safety. In practice, several of its provisions have direct implications for personal privacy. Here are the three biggest flashpoints.
1. Age Verification and Identity Checks
Platforms hosting adult content or content deemed "harmful to children" must implement "highly effective" age assurance. In practice, this often means uploading a government-issued ID, a selfie for facial age estimation, or verifying via a credit card or mobile network.
The privacy implication is significant: sensitive browsing habits are now being linked, however briefly, to real-world identity documents. Even when third-party age-check providers claim not to retain data, users are creating attack surfaces that simply did not exist before. A data breach at an age assurance provider could expose exactly which UK users visited which adult or restricted sites.
2. The Encryption Question
Section 121 of the Act allows Ofcom to require platforms to use "accredited technology" to scan for child sexual abuse material (CSAM) and terrorism content — including in private messages. The government has said this power will only be used when "technically feasible," but no technology currently exists that can do this without breaking end-to-end encryption.
Services like Signal, WhatsApp, and iMessage have publicly stated they would rather withdraw from the UK than compromise encryption. The clause remains on the books, creating ongoing legal uncertainty around whether private communications will remain truly private.
3. Increased Data Collection and Retention
To comply with duties around illegal content, risk assessments, and user reporting, platforms must retain more logs about user behaviour, moderation decisions, and content flags. That means more data about you sitting on more servers, for longer periods, subject to more legal disclosure requests.
How Everyday Users Are Affected
The Act is not just a corporate compliance headache — it changes the day-to-day experience of using the internet in the UK.
Browsing Adult and Restricted Content
Since July 2025, most major adult sites operating in the UK have deployed age verification. Users are asked to upload ID, verify via face scan, or use a digital ID wallet. Some smaller sites have simply blocked UK traffic rather than comply.
Social Media and Forums
Platforms like Reddit, X, Discord, and Bluesky have introduced age gates on certain communities and content categories for UK users. This has led to a wave of complaints about over-moderation, with legitimate discussions around sexual health, harm reduction, and political topics being restricted or hidden behind verification walls.
Small Websites and Community Forums
The Act does not exempt small operators. Hobbyist forums, community wikis, and independent blogs with comment sections technically fall within scope. Many have chosen to close comments, geoblock UK visitors, or shut down entirely rather than take on compliance costs.
Comparing the OSA to Other Global Regulations
The UK's approach is not unique, but it is among the most aggressive. Here's how it stacks up against comparable frameworks.
| Regulation | Region | Age Verification Required? | Encryption Scanning Powers? | Max Penalty |
|---|---|---|---|---|
| Online Safety Act | United Kingdom | Yes, strict | Yes (Section 121) | £18m or 10% global turnover |
| Digital Services Act | European Union | Risk-based, not mandatory ID | No direct scanning mandate | 6% global turnover |
| KOSA (proposed) | United States | Duty of care for minors | No | FTC enforcement |
| Online Safety Act 2021 | Australia | Emerging (age assurance trials) | Limited | AUD $782,500 per breach |
Pros and Cons of the Online Safety Act
Pros
- Stronger legal accountability for platforms that host illegal content.
- Clearer processes for reporting harmful material and receiving a response.
- Better protections for children against grooming, self-harm content, and exposure to pornography.
- Higher moderation standards across previously under-regulated services.
Cons
- Age verification creates new privacy risks and breach surfaces.
- Ambiguous language may push platforms into over-removal of legal speech.
- Encryption-scanning powers threaten the security of private communications.
- Small forums and independent sites face disproportionate compliance costs.
- Increased data retention conflicts with data minimisation principles under UK GDPR.
Practical Steps to Protect Your Privacy Under the OSA
You cannot opt out of a national law, but you can make informed choices about how much personal data you expose. Below are practical steps every UK user should consider.
- Choose privacy-respecting age verification providers. Where you have a choice, pick services that use "double-blind" or zero-knowledge age tokens (like those from Yoti or EuroPass) rather than uploading ID directly to the adult site.
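- Use encrypted DNS. Services like Cloudflare's 1.1.1.1, NextDNS, or Quad9 encrypt your DNS lookups so your ISP cannot easily log every domain you visit. Encrypted DNS only hides the lookup itself: your ISP can still see the IP addresses you connect to and, in most TLS connections, the server name sent in the handshake.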
- Switch to a privacy-focused browser. Firefox with strict tracking protection, Brave, or Mullvad Browser reduce fingerprinting and third-party tracking.
- Compartmentalise accounts. Use different email addresses for sensitive services, and consider email aliasing tools like SimpleLogin or Firefox Relay.
- Reduce your data footprint. Delete old accounts you no longer use. Every dormant account is a potential breach waiting to happen.
- Prefer end-to-end encrypted messengers. Signal remains the gold standard; iMessage and WhatsApp also provide E2EE for messages by default.
- Be cautious with link shorteners. Some free shorteners log click data extensively. Privacy-focused options like Lunyb avoid unnecessary tracking and let you share links without exposing your audience to invasive analytics. You can read more in our honest Lunyb review.
What About Businesses and Content Creators?
If you run a UK-facing website, newsletter, or online community, the Act may impose specific obligations. You need to conduct risk assessments if you host user-generated content, implement reporting mechanisms, and document how you handle illegal content.
Marketing and Link Sharing
Marketers should be especially careful about how they collect and use data from UK audiences. Tracking pixels, redirect chains, and analytics tools all fall under UK GDPR — and now sit alongside OSA obligations for platforms that host your content. Using a clean, minimal link shortener helps reduce compliance friction. Our 2026 URL shortener buyer's guide compares the major options for privacy-conscious teams.
Choosing Tools That Respect Privacy
Not every tool marketed as "privacy-friendly" actually is. Read the fine print on data retention, third-party sharing, and jurisdiction. For example, our Rebrandly review looks at how one popular shortener handles enterprise data — useful reading if you're evaluating vendors.
The Road Ahead: What to Watch in 2026 and Beyond
The Online Safety Act is not static. Ofcom continues to publish codes of practice, and Parliament has signalled interest in expanding the framework to cover generative AI outputs, deepfakes, and additional "legal but harmful" categories.
Key Developments to Monitor
- Codes of practice for age assurance: Ofcom is expected to refine which technologies count as "highly effective."
- Legal challenges: Civil liberties groups including the Open Rights Group and Big Brother Watch have signalled potential judicial reviews.
- International friction: Ongoing questions about whether US-based platforms will maintain full UK service under encryption-scanning demands.
- Data breaches at age verification providers: The first major breach will be a watershed moment for public trust.
Frequently Asked Questions
Does the UK Online Safety Act require me to verify my age to use social media?
Not for all social media, but yes for content categories deemed harmful to children — including pornography, self-harm content, and some age-restricted communities. Major platforms have introduced age assurance measures for UK users in 2025 and 2026, particularly for adult-oriented subreddits, X communities, and Discord servers.
Will the Act break end-to-end encryption?
Not immediately. Section 121 gives Ofcom the power to require content scanning "where technically feasible," and the government has confirmed it will not use this power until the technology exists to do so without undermining encryption. Most experts argue that is technically impossible, so the clause sits in legal limbo — but it remains a serious concern for privacy advocates.
Are small websites and blogs affected?
Yes, in principle. Any UK-facing service that hosts user-generated content — including comment sections, forums, and community wikis — falls within scope. However, Ofcom has indicated a proportionate approach: small, low-risk services face lighter compliance burdens than major platforms.
What data do age verification providers keep?
It varies. Reputable providers like Yoti use "zero-knowledge" proofs that confirm you are over 18 without storing your ID document or linking the check to a specific site. Less scrupulous providers may retain scans of your ID, selfies, or logs of which sites you verified against. Always check the provider's privacy policy before uploading identity documents.
Can I use privacy tools to bypass age checks?
Technically, changing your apparent location or using anonymising browsers may allow you to access services without going through UK age gates. However, this may breach the terms of service of individual platforms, and it does not exempt you from any UK laws that apply to your conduct. For most users, the more practical response is choosing services that use privacy-respecting verification and minimising the data you upload.
Final Thoughts
The UK Online Safety Act reflects a genuine tension in modern policy: how do you protect users — especially children — from real harms online, without creating surveillance infrastructure that undermines everyone's privacy? The current answer, embedded in the Act, tilts firmly toward regulation, verification, and platform accountability, sometimes at the cost of individual anonymity.
As a user, your best defence is informed choice: understand what data you are being asked to share, favour services and tools that minimise collection, and stay engaged with how the law evolves. Privacy is not a single setting you toggle — it is a set of habits, and the Online Safety Act makes those habits more important than ever.