
UK Online Safety Act: What It Means for Your Privacy in 2026

Lunyb Security Team

The UK Online Safety Act (OSA) is one of the most sweeping pieces of internet legislation ever passed in Britain. Marketed as a law to protect children and clamp down on illegal content, it has also raised significant concerns among privacy advocates, security researchers, and ordinary users. If you live in the UK — or run a service that reaches UK users — the Act now shapes how platforms handle your messages, your identity, and your data.

This guide explains what the Online Safety Act actually does, how it affects your privacy in practice, and what practical steps you can take to stay in control of your personal information.

What Is the UK Online Safety Act?

The UK Online Safety Act 2023 is a law that imposes a legal "duty of care" on online platforms — from social networks and search engines to messaging apps and pornography sites — to protect users, particularly children, from illegal and harmful content. Ofcom is the appointed regulator, with powers to fine companies up to £18 million or 10% of global annual revenue, and even block services in the UK.

The Act came into force in stages, with major enforcement obligations landing throughout 2025 and 2026. It applies to any service with a "significant number of UK users" or that targets the UK market, regardless of where the company is based.

Who Does the Act Cover?

  • User-to-user services: social networks, forums, dating apps, comment sections.
  • Search services: Google, Bing, DuckDuckGo and similar.
  • Pornography publishers: including sites that host adult content.
  • Messaging and communication apps: including end-to-end encrypted platforms.
  • File-sharing, gaming platforms and cloud storage where user content is shared.

The Core Privacy Concerns

On paper, the Act is about safety. In practice, several of its provisions have direct implications for personal privacy. Here are the three biggest flashpoints.

1. Age Verification and Identity Checks

Platforms hosting adult content or content deemed "harmful to children" must implement "highly effective" age assurance. In practice, this often means uploading a government-issued ID, a selfie for facial age estimation, or verifying via a credit card or mobile network.

The privacy implication is significant: sensitive browsing habits are now being linked, however briefly, to real-world identity documents. Even when third-party age-check providers claim not to retain data, users are creating attack surfaces that simply did not exist before. A data breach at an age assurance provider could expose exactly which UK users visited which adult or restricted sites.

2. The Encryption Question

Section 121 of the Act allows Ofcom to require platforms to use "accredited technology" to scan for child sexual abuse material (CSAM) and terrorism content — including in private messages. The government has said this power will only be used when "technically feasible," but no technology currently exists that can perform this scanning without breaking end-to-end encryption.

Services like Signal, WhatsApp, and iMessage have publicly stated they would rather withdraw from the UK than compromise encryption. The clause remains on the books, creating ongoing legal uncertainty around whether private communications will remain truly private.

3. Increased Data Collection and Retention

To comply with duties around illegal content, risk assessments, and user reporting, platforms must retain more logs about user behaviour, moderation decisions, and content flags. That means more data about you sitting on more servers, for longer periods, subject to more legal disclosure requests.

How Everyday Users Are Affected

The Act is not just a corporate compliance headache — it changes the day-to-day experience of using the internet in the UK.

Browsing Adult and Restricted Content

Since July 2025, most major adult sites operating in the UK have deployed age verification. Users are asked to upload ID, verify via face scan, or use a digital ID wallet. Some smaller sites have simply blocked UK traffic rather than comply.

Social Media and Forums

Platforms like Reddit, X, Discord, and Bluesky have introduced age gates on certain communities and content categories for UK users. This has led to a wave of complaints about over-moderation, with legitimate discussions around sexual health, harm reduction, and political topics being restricted or hidden behind verification walls.

Small Websites and Community Forums

The Act does not exempt small operators. Hobbyist forums, community wikis, and independent blogs with comment sections technically fall within scope. Many have chosen to close comments, geoblock UK visitors, or shut down entirely rather than take on compliance costs.

Comparing the OSA to Other Global Regulations

The UK's approach is not unique, but it is among the most aggressive. Here's how it stacks up against comparable frameworks.

| Regulation | Region | Age Verification Required? | Encryption Scanning Powers? | Max Penalty |
| Online Safety Act | United Kingdom | Yes, strict | Yes (Section 121) | £18m or 10% global turnover |
| Digital Services Act | European Union | Risk-based, not mandatory ID | No direct scanning mandate | 6% global turnover |
| KOSA (proposed) | United States | Duty of care for minors | No | FTC enforcement |
| Online Safety Act 2021 | Australia | Emerging (age assurance trials) | Limited | AUD $782,500 per breach |

Pros and Cons of the Online Safety Act

Pros

  • Stronger legal accountability for platforms that host illegal content.
  • Clearer processes for reporting harmful material and receiving a response.
  • Better protections for children against grooming, self-harm content, and exposure to pornography.
  • Higher moderation standards across previously under-regulated services.

Cons

  • Age verification creates new privacy risks and breach surfaces.
  • Ambiguous language may push platforms into over-removal of legal speech.
  • Encryption-scanning powers threaten the security of private communications.
  • Small forums and independent sites face disproportionate compliance costs.
  • Increased data retention conflicts with data minimisation principles under UK GDPR.

Practical Steps to Protect Your Privacy Under the OSA

You cannot opt out of a national law, but you can make informed choices about how much personal data you expose. Below are practical steps every UK user should consider.

  1. Choose privacy-respecting age verification providers. Where you have a choice, pick services that use "double-blind" or zero-knowledge age tokens (like those from Yoti or EuroPass) rather than uploading ID directly to the adult site.
  2. Use encrypted DNS. Services like Cloudflare's 1.1.1.1, NextDNS, or Quad9 encrypt your DNS lookups so your ISP cannot easily log every domain you visit.
  3. Switch to a privacy-focused browser. Firefox with strict tracking protection, Brave, or Mullvad Browser reduce fingerprinting and third-party tracking.
  4. Compartmentalise accounts. Use different email addresses for sensitive services, and consider email aliasing tools like SimpleLogin or Firefox Relay.
  5. Reduce your data footprint. Delete old accounts you no longer use. Every dormant account is a potential breach waiting to happen.
  6. Prefer end-to-end encrypted messengers. Signal remains the gold standard; iMessage and WhatsApp also provide E2EE for messages by default.
  7. Be cautious with link shorteners. Some free shorteners log click data extensively. Privacy-focused options like Lunyb avoid unnecessary tracking and let you share links without exposing your audience to invasive analytics. You can read more in our honest Lunyb review.

What About Businesses and Content Creators?

If you run a UK-facing website, newsletter, or online community, the Act may impose specific obligations. You need to conduct risk assessments if you host user-generated content, implement reporting mechanisms, and document how you handle illegal content.

Marketing and Link Sharing

Marketers should be especially careful about how they collect and use data from UK audiences. Tracking pixels, redirect chains, and analytics tools all fall under UK GDPR — and now sit alongside OSA obligations for platforms that host your content. Using a clean, minimal link shortener helps reduce compliance friction. Our 2026 URL shortener buyer's guide compares the major options for privacy-conscious teams.

Choosing Tools That Respect Privacy

Not every tool marketed as "privacy-friendly" actually is. Read the fine print on data retention, third-party sharing, and jurisdiction. For example, our Rebrandly review looks at how one popular shortener handles enterprise data — useful reading if you're evaluating vendors.

The Road Ahead: What to Watch in 2026 and Beyond

The Online Safety Act is not static. Ofcom continues to publish codes of practice, and Parliament has signalled interest in expanding the framework to cover generative AI outputs, deepfakes, and additional "legal but harmful" categories.

Key Developments to Monitor

  • Codes of practice for age assurance: Ofcom is expected to refine which technologies count as "highly effective."
  • Legal challenges: Civil liberties groups including the Open Rights Group and Big Brother Watch have signalled potential judicial reviews.
  • International friction: Ongoing questions about whether US-based platforms will maintain full UK service under encryption-scanning demands.
  • Data breaches at age verification providers: The first major breach will be a watershed moment for public trust.

Frequently Asked Questions

Does the UK Online Safety Act require me to verify my age to use social media?

Not for all social media, but yes for content categories deemed harmful to children — including pornography, self-harm content, and some age-restricted communities. Major platforms have introduced age assurance measures for UK users in 2025 and 2026, particularly for adult-oriented subreddits, X communities, and Discord servers.

Will the Act break end-to-end encryption?

Not immediately. Section 121 gives Ofcom the power to require content scanning "where technically feasible," and the government has confirmed it will not use this power until the technology exists to do so without undermining encryption. Most experts argue that is technically impossible, so the clause sits in legal limbo — but it remains a serious concern for privacy advocates.

Are small websites and blogs affected?

Yes, in principle. Any UK-facing service that hosts user-generated content — including comment sections, forums, and community wikis — falls within scope. However, Ofcom has indicated a proportionate approach: small, low-risk services face lighter compliance burdens than major platforms.

What data do age verification providers keep?

It varies. Reputable providers like Yoti use "zero-knowledge" proofs that confirm you are over 18 without storing your ID document or linking the check to a specific site. Less scrupulous providers may retain scans of your ID, selfies, or logs of which sites you verified against. Always check the provider's privacy policy before uploading identity documents.

Can I use privacy tools to bypass age checks?

Technically, changing your apparent location or using anonymising browsers may allow you to access services without going through UK age gates. However, this may breach the terms of service of individual platforms, and it does not exempt you from any UK laws that apply to your conduct. For most users, the more practical response is choosing services that use privacy-respecting verification and minimising the data you upload.

Final Thoughts

The UK Online Safety Act reflects a genuine tension in modern policy: how do you protect users — especially children — from real harms online, without creating surveillance infrastructure that undermines everyone's privacy? The current answer, embedded in the Act, tilts firmly toward regulation, verification, and platform accountability, sometimes at the cost of individual anonymity.

As a user, your best defence is informed choice: understand what data you are being asked to share, favour services and tools that minimise collection, and stay engaged with how the law evolves. Privacy is not a single setting you toggle — it is a set of habits, and the Online Safety Act makes those habits more important than ever.
