UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act (OSA) is one of the most sweeping pieces of internet legislation ever passed in Britain. Introduced to tackle illegal content, protect children, and hold tech giants accountable, it also raises significant questions about personal privacy, end-to-end encryption, and the future of anonymous browsing. If you use social media, messaging apps, search engines, or even a URL shortener based in the UK, this law affects you.
In this guide, we break down exactly what the Online Safety Act does, how it impacts your day-to-day privacy, what platforms are now required to do with your data, and the practical steps you can take to protect yourself in a post-OSA internet.
What Is the UK Online Safety Act?
The UK Online Safety Act 2023 is a British law that requires online platforms to prevent users from encountering illegal content and to protect children from harmful material. It came into full effect in phases through 2024 and 2025, with Ofcom serving as the primary regulator responsible for enforcement.
The Act applies to any service accessible in the UK — regardless of where the company is headquartered. This includes social networks, search engines, messaging apps, dating platforms, forums, cloud storage providers, and even smaller community sites. Non-compliance carries fines of up to £18 million or 10% of global annual revenue, whichever is greater. In serious cases, senior managers can face criminal liability.
Key Duties Imposed on Platforms
- Risk assessments: Platforms must regularly assess risks their services pose to users, especially children.
- Content moderation: Illegal content (terrorism, child sexual abuse material, fraud, harassment) must be proactively removed.
- Age verification: Sites hosting adult content or content harmful to minors must implement "highly effective" age checks.
- Transparency reporting: Larger platforms must publish annual reports on how they enforce these rules.
- User empowerment tools: Adults must be given tools to filter content they don't wish to see.
How the Online Safety Act Affects Your Privacy
While the Act was designed with safety in mind, many of its requirements pull in a direction opposite to privacy. To meet compliance duties, platforms often need to collect more data about you, verify your identity, and scan your communications more actively than before.
1. Age Verification and Identity Checks
One of the most visible consequences of the OSA is the rollout of age verification. Adult content sites, gambling platforms, and even some social networks now require UK users to prove they are over 18. Acceptable methods include:
- Uploading a photo of a government-issued ID (passport, driving licence)
- Facial age estimation via a live selfie scan
- Credit card verification
- Bank or mobile network open-banking checks
- Third-party "digital identity" wallets
Each of these methods involves sharing sensitive personal data with either the platform itself or a third-party verification provider. Even when providers claim "privacy-preserving" architecture, the data trail expands, and the risk of breaches grows.
2. Pressure on End-to-End Encryption
Perhaps the most controversial provision is Section 121, which grants Ofcom the power to require platforms to use "accredited technology" to scan private messages for illegal content — even in encrypted services like WhatsApp, Signal, and iMessage.
The government has stated that this power will only be used when "technically feasible," and privacy advocates argue that scanning encrypted content is, by definition, incompatible with true end-to-end encryption. Signal has publicly stated it would withdraw from the UK rather than weaken its encryption. Apple, Meta, and others have voiced similar concerns.
For now, the standoff continues. But the legal framework to break encryption exists, and this uncertainty alone changes how privacy-conscious users should think about British digital services.
3. Increased Data Retention
To comply with reporting duties and law enforcement requests, platforms are now retaining more user data for longer periods. This includes:
- IP addresses and login timestamps
- Content moderation logs
- User reports and flagged messages
- Age verification records
More stored data means a larger attack surface. Every additional data point is another potential leak in the event of a breach.
4. Reduced Anonymity Online
The Act encourages — though does not strictly require — platforms to offer "verified user" options and to give users tools to filter out unverified accounts. Over time, this creates a two-tier internet where anonymous participation becomes second-class. Journalists, whistleblowers, abuse survivors, and political dissidents often rely on anonymity for their safety, and this shift affects them disproportionately.
Who Is Most Affected by the Act?
The Online Safety Act touches nearly every UK internet user, but some groups feel the changes more sharply than others.
| User Group | Primary Impact | Privacy Concern Level |
|---|---|---|
| General adult users | Age checks on more sites, filtered content | Medium |
| Children and teens | Stricter default settings, less accessible content | Low (protective) |
| Journalists & sources | Weakened confidential communication | High |
| Small platform owners | Heavy compliance burden | High |
| Adult content creators | Mandatory ID verification of viewers | Very High |
| Whistleblowers | Reduced anonymity, encryption uncertainty | Very High |
Pros and Cons of the Online Safety Act
Pros
- Stronger protections for children against harmful online content
- Clearer legal accountability for major platforms
- Faster removal of illegal material such as fraud and terrorist content
- Requires transparency reporting from large services
- Provides victims of online abuse with more concrete recourse
Cons
- Undermines the technical foundation of end-to-end encryption
- Forces sensitive identity verification on millions of adults
- Increases data retention and breach risk across the ecosystem
- Places disproportionate burden on small platforms and community forums
- Risks driving privacy-focused services out of the UK market
- May create chilling effects on lawful speech through over-moderation
Practical Steps to Protect Your Privacy Under the Act
The good news is that most of your privacy protections remain in your own hands. Here are practical, non-technical measures you can take right now to keep your data safer under the new regime.
- Use encrypted DNS services. Tools like Cloudflare 1.1.1.1, Quad9, or NextDNS prevent your internet provider from logging every domain you visit. Setup takes minutes on modern phones and computers.
- Choose privacy-first browsers. Firefox, Brave, and DuckDuckGo's browser block trackers by default and reduce the amount of personal data leaking to advertisers.
- Minimise identity checks where possible. When a site offers multiple age verification methods, pick the one that shares the least data — facial age estimation without ID upload is often less invasive than uploading a passport.
- Prefer platforms hosted outside the UK for sensitive communications where legal jurisdiction matters, and read their privacy policies carefully.
- Use privacy-respecting URL shorteners. If you share links regularly, avoid trackers embedded in default social media shorteners. Services like Lunyb shorten links without invasive analytics profiling, which is useful for journalists, marketers, and anyone who values a smaller data footprint. You can read our honest Lunyb review for more detail.
- Turn on two-factor authentication everywhere, ideally using an authenticator app rather than SMS.
- Regularly audit your data. Use "Download my data" tools on Google, Facebook, and other major platforms to see what's held about you — and delete what you can.
- Read moderation and appeals policies on platforms you rely on. Under the OSA, over-removal is common. Knowing how to appeal a takedown protects your voice.
How the Act Compares to Other Global Privacy Laws
The Online Safety Act is often discussed alongside the EU's Digital Services Act (DSA), Australia's Online Safety Act 2021, and various US state-level laws. Here's how they compare on the privacy front.
| Law | Region | Encryption Impact | Age Verification | Focus |
|---|---|---|---|---|
| Online Safety Act | UK | High (scanning powers) | Mandatory for adult content | Illegal & harmful content |
| Digital Services Act | EU | Low (protects encryption) | Recommended, not mandatory | Platform accountability |
| Online Safety Act 2021 | Australia | Medium | Being expanded | Cyber abuse, harmful content |
| KOSA (proposed) | United States | Low | Age assurance for minors | Child safety online |
Britain's approach is notably more aggressive on encryption than either the EU or the US, making it an outlier among Western democracies. This is why so many privacy-focused services have publicly questioned whether they can continue operating in the UK long-term.
What Ofcom's Enforcement Looks Like in Practice
Ofcom has been publishing codes of practice progressively. Platforms are given time to comply, but investigations have already opened into several major services. Enforcement follows a general pattern:
- Ofcom issues codes of practice for a specific duty (e.g. child safety, illegal content).
- Platforms conduct risk assessments and update their systems.
- Ofcom monitors compliance through transparency reports and user complaints.
- Where breaches are found, Ofcom can request information, issue fines, or, in extreme cases, apply for court orders to restrict access to the service in the UK.
This last power — service restriction orders — is particularly striking. It gives Ofcom the ability to effectively block non-compliant platforms from UK users, similar to how regulators in some other countries handle unauthorised services.
The Future of the Online Safety Act
The Act is not static. Parliament continues to debate amendments, and Ofcom's codes evolve annually. Areas to watch over the next few years include:
- Encryption scanning: Whether Ofcom actually invokes Section 121 powers, and how courts respond.
- AI-generated content: New duties around deepfakes and synthetic media are already being drafted.
- Small platform exemptions: Community forums and hobby sites are lobbying for lighter compliance burdens.
- Interoperability with EU rules: Companies operating in both UK and EU face overlapping but not identical duties.
For everyday users, the most important thing is to stay informed. Privacy tooling that made sense in 2022 may not be enough in 2026. If you're evaluating tools for sharing links, tracking campaigns, or managing your online presence, our 2026 URL shortener buyer's guide and Rebrandly review compare features with privacy in mind.
Frequently Asked Questions
Does the UK Online Safety Act ban end-to-end encryption?
No, the Act does not outright ban end-to-end encryption. However, Section 121 gives Ofcom powers to require platforms to deploy "accredited technology" that scans messages for illegal content. Privacy experts argue this is technically incompatible with genuine end-to-end encryption, though the government has said the power will only be used when technically feasible. As of 2026, it has not been formally invoked.
Do I have to give my ID to use social media in the UK?
Not for general social media use. Age verification is currently mandatory only for platforms hosting adult content or content classed as harmful to minors. However, many mainstream platforms are voluntarily rolling out age assurance features, and this scope may expand over time.
What happens if a platform ignores the Online Safety Act?
Ofcom can issue fines of up to £18 million or 10% of the platform's global annual turnover — whichever is higher. In serious cases, senior managers may face criminal charges, and Ofcom can seek court orders to restrict UK access to the service entirely.
Does the Act apply to companies outside the UK?
Yes. Any online service accessible to UK users falls under the Act's scope, regardless of where the company is based. This extraterritorial reach is one of the reasons some privacy-focused services have considered withdrawing from the UK market rather than comply.
How can I minimise the data I share for age verification?
Where a platform offers multiple methods, choose the one that shares the least sensitive data. Facial age estimation (a live selfie without ID) generally reveals less than uploading a passport. Also check whether the verification is handled by a reputable third party that deletes data after the check, rather than the platform itself storing your documents.
Final Thoughts
The UK Online Safety Act is a landmark law with genuine safety benefits — particularly for children and victims of online abuse. But it also introduces real, ongoing risks to personal privacy, encrypted communication, and anonymous participation online. Understanding the Act is the first step toward navigating it wisely.
Whether you're an individual concerned about your digital footprint, a small business worried about compliance, or a professional whose work depends on confidential communication, the key is proactive privacy hygiene: minimise the data you share, choose tools built with privacy in mind, and stay informed as the regulatory landscape evolves. The internet is changing in Britain — and being aware of how is your best protection.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
DPC Ireland: How to File a Privacy Complaint (2026 Guide)
A complete step-by-step guide to filing a privacy complaint with Ireland's Data Protection Commission (DPC). Learn what evidence you need, how the process works, and what to expect at each stage of a GDPR complaint.
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore's Online Safety Act 2026 significantly expands digital regulation for platforms, businesses, and users. This complete guide covers scope, obligations, penalties, and a practical 90-day compliance roadmap.
Data Protection Act 2018 Ireland: Complete Guide
The Data Protection Act 2018 is Ireland's implementation of the GDPR, setting out rights, obligations, and penalties for anyone processing personal data. This complete guide covers key definitions, lawful bases, data subject rights, breach notification, and a practical compliance checklist for Irish businesses in 2026.
OAIC Complaints: How to Report a Privacy Breach in Australia
A step-by-step guide for Australians on how to lodge a privacy complaint with the OAIC after a data breach or mishandling of personal information. Covers evidence, timelines, outcomes and your rights under the Privacy Act 1988.