facebook-pixel

UK Online Safety Act: What It Means for Your Privacy in 2026

L
Lunyb Security Team
··10 min read

The UK Online Safety Act (OSA) is one of the most sweeping pieces of internet legislation ever passed in Britain. Introduced to tackle illegal content, protect children, and hold tech giants accountable, it also raises significant questions about personal privacy, end-to-end encryption, and the future of anonymous browsing. If you use social media, messaging apps, search engines, or even a URL shortener based in the UK, this law affects you.

In this guide, we break down exactly what the Online Safety Act does, how it impacts your day-to-day privacy, what platforms are now required to do with your data, and the practical steps you can take to protect yourself in a post-OSA internet.

What Is the UK Online Safety Act?

The UK Online Safety Act 2023 is a British law that requires online platforms to prevent users from encountering illegal content and to protect children from harmful material. It came into full effect in phases through 2024 and 2025, with Ofcom serving as the primary regulator responsible for enforcement.

The Act applies to any service accessible in the UK — regardless of where the company is headquartered. This includes social networks, search engines, messaging apps, dating platforms, forums, cloud storage providers, and even smaller community sites. Non-compliance carries fines of up to £18 million or 10% of global annual revenue, whichever is greater. In serious cases, senior managers can face criminal liability.

Key Duties Imposed on Platforms

  1. Risk assessments: Platforms must regularly assess risks their services pose to users, especially children.
  2. Content moderation: Illegal content (terrorism, child sexual abuse material, fraud, harassment) must be proactively removed.
  3. Age verification: Sites hosting adult content or content harmful to minors must implement "highly effective" age checks.
  4. Transparency reporting: Larger platforms must publish annual reports on how they enforce these rules.
  5. User empowerment tools: Adults must be given tools to filter content they don't wish to see.

How the Online Safety Act Affects Your Privacy

While the Act was designed with safety in mind, many of its requirements pull in a direction opposite to privacy. To meet compliance duties, platforms often need to collect more data about you, verify your identity, and scan your communications more actively than before.

1. Age Verification and Identity Checks

One of the most visible consequences of the OSA is the rollout of age verification. Adult content sites, gambling platforms, and even some social networks now require UK users to prove they are over 18. Acceptable methods include:

  • Uploading a photo of a government-issued ID (passport, driving licence)
  • Facial age estimation via a live selfie scan
  • Credit card verification
  • Bank or mobile network open-banking checks
  • Third-party "digital identity" wallets

Each of these methods involves sharing sensitive personal data with either the platform itself or a third-party verification provider. Even when providers claim "privacy-preserving" architecture, the data trail expands, and the risk of breaches grows.

2. Pressure on End-to-End Encryption

Perhaps the most controversial provision is Section 121, which grants Ofcom the power to require platforms to use "accredited technology" to scan private messages for illegal content — even in encrypted services like WhatsApp, Signal, and iMessage.

The government has stated that this power will only be used when "technically feasible," and privacy advocates argue that scanning encrypted content is, by definition, incompatible with true end-to-end encryption. Signal has publicly stated it would withdraw from the UK rather than weaken its encryption. Apple, Meta, and others have voiced similar concerns.

For now, the standoff continues. But the legal framework to break encryption exists, and this uncertainty alone changes how privacy-conscious users should think about British digital services.

3. Increased Data Retention

To comply with reporting duties and law enforcement requests, platforms are now retaining more user data for longer periods. This includes:

  • IP addresses and login timestamps
  • Content moderation logs
  • User reports and flagged messages
  • Age verification records

More stored data means a larger attack surface. Every additional data point is another potential leak in the event of a breach.

4. Reduced Anonymity Online

The Act encourages — though does not strictly require — platforms to offer "verified user" options and to give users tools to filter out unverified accounts. Over time, this creates a two-tier internet where anonymous participation becomes second-class. Journalists, whistleblowers, abuse survivors, and political dissidents often rely on anonymity for their safety, and this shift affects them disproportionately.

Who Is Most Affected by the Act?

The Online Safety Act touches nearly every UK internet user, but some groups feel the changes more sharply than others.

User GroupPrimary ImpactPrivacy Concern Level
General adult usersAge checks on more sites, filtered contentMedium
Children and teensStricter default settings, less accessible contentLow (protective)
Journalists & sourcesWeakened confidential communicationHigh
Small platform ownersHeavy compliance burdenHigh
Adult content creatorsMandatory ID verification of viewersVery High
WhistleblowersReduced anonymity, encryption uncertaintyVery High

Pros and Cons of the Online Safety Act

Pros

  • Stronger protections for children against harmful online content
  • Clearer legal accountability for major platforms
  • Faster removal of illegal material such as fraud and terrorist content
  • Requires transparency reporting from large services
  • Provides victims of online abuse with more concrete recourse

Cons

  • Undermines the technical foundation of end-to-end encryption
  • Forces sensitive identity verification on millions of adults
  • Increases data retention and breach risk across the ecosystem
  • Places disproportionate burden on small platforms and community forums
  • Risks driving privacy-focused services out of the UK market
  • May create chilling effects on lawful speech through over-moderation

Practical Steps to Protect Your Privacy Under the Act

The good news is that most of your privacy protections remain in your own hands. Here are practical, non-technical measures you can take right now to keep your data safer under the new regime.

  1. Use encrypted DNS services. Tools like Cloudflare 1.1.1.1, Quad9, or NextDNS prevent your internet provider from logging every domain you visit. Setup takes minutes on modern phones and computers.
  2. Choose privacy-first browsers. Firefox, Brave, and DuckDuckGo's browser block trackers by default and reduce the amount of personal data leaking to advertisers.
  3. Minimise identity checks where possible. When a site offers multiple age verification methods, pick the one that shares the least data — facial age estimation without ID upload is often less invasive than uploading a passport.
  4. Prefer platforms hosted outside the UK for sensitive communications where legal jurisdiction matters, and read their privacy policies carefully.
  5. Use privacy-respecting URL shorteners. If you share links regularly, avoid trackers embedded in default social media shorteners. Services like Lunyb shorten links without invasive analytics profiling, which is useful for journalists, marketers, and anyone who values a smaller data footprint. You can read our honest Lunyb review for more detail.
  6. Turn on two-factor authentication everywhere, ideally using an authenticator app rather than SMS.
  7. Regularly audit your data. Use "Download my data" tools on Google, Facebook, and other major platforms to see what's held about you — and delete what you can.
  8. Read moderation and appeals policies on platforms you rely on. Under the OSA, over-removal is common. Knowing how to appeal a takedown protects your voice.

How the Act Compares to Other Global Privacy Laws

The Online Safety Act is often discussed alongside the EU's Digital Services Act (DSA), Australia's Online Safety Act 2021, and various US state-level laws. Here's how they compare on the privacy front.

LawRegionEncryption ImpactAge VerificationFocus
Online Safety ActUKHigh (scanning powers)Mandatory for adult contentIllegal & harmful content
Digital Services ActEULow (protects encryption)Recommended, not mandatoryPlatform accountability
Online Safety Act 2021AustraliaMediumBeing expandedCyber abuse, harmful content
KOSA (proposed)United StatesLowAge assurance for minorsChild safety online

Britain's approach is notably more aggressive on encryption than either the EU or the US, making it an outlier among Western democracies. This is why so many privacy-focused services have publicly questioned whether they can continue operating in the UK long-term.

What Ofcom's Enforcement Looks Like in Practice

Ofcom has been publishing codes of practice progressively. Platforms are given time to comply, but investigations have already opened into several major services. Enforcement follows a general pattern:

  1. Ofcom issues codes of practice for a specific duty (e.g. child safety, illegal content).
  2. Platforms conduct risk assessments and update their systems.
  3. Ofcom monitors compliance through transparency reports and user complaints.
  4. Where breaches are found, Ofcom can request information, issue fines, or, in extreme cases, apply for court orders to restrict access to the service in the UK.

This last power — service restriction orders — is particularly striking. It gives Ofcom the ability to effectively block non-compliant platforms from UK users, similar to how regulators in some other countries handle unauthorised services.

The Future of the Online Safety Act

The Act is not static. Parliament continues to debate amendments, and Ofcom's codes evolve annually. Areas to watch over the next few years include:

  • Encryption scanning: Whether Ofcom actually invokes Section 121 powers, and how courts respond.
  • AI-generated content: New duties around deepfakes and synthetic media are already being drafted.
  • Small platform exemptions: Community forums and hobby sites are lobbying for lighter compliance burdens.
  • Interoperability with EU rules: Companies operating in both UK and EU face overlapping but not identical duties.

For everyday users, the most important thing is to stay informed. Privacy tooling that made sense in 2022 may not be enough in 2026. If you're evaluating tools for sharing links, tracking campaigns, or managing your online presence, our 2026 URL shortener buyer's guide and Rebrandly review compare features with privacy in mind.

Frequently Asked Questions

Does the UK Online Safety Act ban end-to-end encryption?

No, the Act does not outright ban end-to-end encryption. However, Section 121 gives Ofcom powers to require platforms to deploy "accredited technology" that scans messages for illegal content. Privacy experts argue this is technically incompatible with genuine end-to-end encryption, though the government has said the power will only be used when technically feasible. As of 2026, it has not been formally invoked.

Do I have to give my ID to use social media in the UK?

Not for general social media use. Age verification is currently mandatory only for platforms hosting adult content or content classed as harmful to minors. However, many mainstream platforms are voluntarily rolling out age assurance features, and this scope may expand over time.

What happens if a platform ignores the Online Safety Act?

Ofcom can issue fines of up to £18 million or 10% of the platform's global annual turnover — whichever is higher. In serious cases, senior managers may face criminal charges, and Ofcom can seek court orders to restrict UK access to the service entirely.

Does the Act apply to companies outside the UK?

Yes. Any online service accessible to UK users falls under the Act's scope, regardless of where the company is based. This extraterritorial reach is one of the reasons some privacy-focused services have considered withdrawing from the UK market rather than comply.

How can I minimise the data I share for age verification?

Where a platform offers multiple methods, choose the one that shares the least sensitive data. Facial age estimation (a live selfie without ID) generally reveals less than uploading a passport. Also check whether the verification is handled by a reputable third party that deletes data after the check, rather than the platform itself storing your documents.

Final Thoughts

The UK Online Safety Act is a landmark law with genuine safety benefits — particularly for children and victims of online abuse. But it also introduces real, ongoing risks to personal privacy, encrypted communication, and anonymous participation online. Understanding the Act is the first step toward navigating it wisely.

Whether you're an individual concerned about your digital footprint, a small business worried about compliance, or a professional whose work depends on confidential communication, the key is proactive privacy hygiene: minimise the data you share, choose tools built with privacy in mind, and stay informed as the regulatory landscape evolves. The internet is changing in Britain — and being aware of how is your best protection.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles