facebook-pixel

UK Online Safety Act: What It Means for Your Privacy

L
Lunyb Security Team
··10 min read

The UK Online Safety Act became law in October 2023, and by 2026 most of its provisions are in full force. Framed as a landmark piece of legislation to protect children and vulnerable users online, the Act has also raised serious concerns among privacy advocates, technology companies, and everyday internet users. If you live in the UK, or you run a website that serves British users, this law affects how your data is handled, how you access services, and even how encrypted communications work.

This guide unpacks the UK Online Safety Act in plain English, explains what it means for your personal privacy, and offers practical steps you can take to stay in control of your data.

What Is the UK Online Safety Act?

The UK Online Safety Act is a British law that requires online platforms to protect users, particularly children, from illegal and harmful content. It gives Ofcom, the UK's communications regulator, sweeping powers to fine, block, or otherwise sanction services that fail to comply.

The Act applies to a very broad range of services, including social media platforms, search engines, messaging apps, online forums, dating sites, adult content platforms, cloud storage providers, and even smaller community websites. If your service is used by people in the UK, chances are you fall within its scope, regardless of where the company is headquartered.

Core objectives of the Act

  • Remove illegal content such as terrorism, child sexual abuse material (CSAM), and fraud
  • Protect children from age-inappropriate material including pornography and content promoting self-harm
  • Give adults more control over what they see on major platforms
  • Require transparency from tech companies about how they moderate content
  • Enforce compliance through fines of up to £18 million or 10% of global annual revenue, whichever is higher

Why Privacy Advocates Are Concerned

While the goals of the Act are widely supported in principle, the mechanisms it uses to achieve them have provoked significant debate. Several provisions have direct implications for user privacy.

1. The encryption backdoor debate

Section 122 of the Act allows Ofcom to require messaging services to use "accredited technology" to scan private messages for illegal content. Critics argue this effectively mandates client-side scanning, which would undermine end-to-end encryption on services like WhatsApp, Signal, and iMessage.

The UK government has stated it will not require scanning until it is "technically feasible" to do so without weakening encryption, but the legal power remains on the statute books. Signal has publicly stated it would rather leave the UK market than compromise its encryption model.

2. Age verification and identity checks

Platforms hosting adult content, and any service accessible to children, must implement "highly effective" age assurance. In practice, this often means uploading a passport, driver's licence, or facial scan to a third-party verification provider before you can access certain sites.

This creates new pools of sensitive identity data that could be targeted by hackers, subpoenaed by governments, or misused by the verification companies themselves.

3. Content monitoring at scale

To comply with duties around illegal content, platforms must build systems capable of monitoring vast amounts of user-generated content. This inevitably involves automated scanning, AI moderation, and retention of logs, all of which increase the volume of personal data being processed.

How the Act Affects Everyday UK Users

The impact of the Online Safety Act is not abstract. It shows up in the way you use the internet every day.

Changes you may have already noticed

  1. Age gates on more websites. Adult sites, gambling platforms, and even some social networks now ask for identity verification.
  2. Some services withdrawing from the UK. Certain smaller forums, niche communities, and privacy-focused apps have geoblocked UK users rather than face compliance costs.
  3. More prompts and warnings. Platforms display more content warnings, safety notices, and "user empowerment" toggles.
  4. Data collection expansion. Services collect more information to demonstrate compliance, including behavioural data and identity documents.
  5. Reduced anonymity. Category 1 services must give users the option to verify their identity and to block interactions with non-verified accounts.

Who is most affected?

Adults who value private, anonymous communication face the biggest changes. Journalists, activists, whistleblowers, LGBTQ+ people in unsupportive environments, and survivors of abuse all have legitimate reasons to communicate without identifying themselves. The Act's identity and scanning provisions can make this more difficult.

The Data Trail You Now Leave Behind

Under the Act, more of your online activity is recorded, processed, or verified than ever before. Here's a look at where new data trails are being created.

ActivityData collected before the ActData collected under the Act
Visiting an adult websiteIP address, browser fingerprintIP, fingerprint, plus government ID or facial scan via age verifier
Signing up for social mediaEmail, phone numberEmail, phone, optional identity verification, age estimation
Sending private messagesMetadata only (with E2EE)Potential client-side scanning of message content
Posting on a forumUsername, IPUsername, IP, moderation logs, risk-assessment records
Accessing gambling or dating sitesAccount detailsAccount details plus verified age or identity

How to Protect Your Privacy Under the Act

You cannot opt out of the Online Safety Act, but you can make informed choices that reduce how much personal data you expose. Here are practical steps British users can take.

1. Choose privacy-first services

Prefer platforms that publish transparency reports, minimise data collection, and use strong end-to-end encryption. Read privacy policies carefully, particularly the sections on data retention and third-party sharing.

2. Use encrypted DNS and privacy-respecting browsers

Switching to encrypted DNS (DNS over HTTPS or DNS over TLS) and browsers like Firefox, Brave, or Mullvad Browser reduces the amount of information your internet provider and third parties can see about your browsing.

3. Be selective with age verification providers

If you must verify your age, choose providers that use "double-blind" architectures, where the verifier does not know which site you are visiting and the site does not receive your identity documents. Look for the age verification certification schemes recognised by Ofcom.

4. Minimise personal data on public profiles

The more you share publicly, the easier it becomes for platforms and third parties to build a profile of you. Review privacy settings, delete old posts, and avoid linking accounts unnecessarily.

5. Use privacy-respecting link tools

When sharing links, tools that avoid excessive tracking help protect both you and the people who click. A privacy-conscious URL shortener like Lunyb gives you clean, trackable links without loading your audience with intrusive trackers. If you're evaluating options, our 2026 buyer's guide to URL shorteners compares the main players on privacy, features, and price.

6. Compartmentalise your identity

Use separate email addresses for different services, avoid reusing usernames across platforms, and consider using aliasing services for sign-ups. This limits how easily your activity can be joined up into a single profile.

What UK Businesses and Website Owners Need to Know

If you run a website, community, or app that UK users can access, you likely have obligations under the Act. Even small platforms are affected.

Key compliance duties

  • Illegal content risk assessment. Document the risks your service poses in relation to illegal content and record how you mitigate them.
  • Children's access assessment. Determine whether children can access your service, and if so, complete a children's risk assessment.
  • Terms of service. Publish clear terms that explain how you handle harmful content and how users can report it.
  • Reporting and complaints. Provide accessible tools for users to report content and appeal moderation decisions.
  • Record-keeping. Maintain records of your compliance activities for potential Ofcom review.

Balancing compliance with user privacy

Compliance and privacy are not necessarily in conflict. Businesses can meet their obligations while still respecting user data by:

  1. Collecting only the minimum data required for compliance
  2. Using privacy-preserving age verification methods
  3. Being transparent about moderation practices
  4. Encrypting stored user data and applying strict access controls
  5. Working with vendors that meet UK GDPR standards

If your business relies heavily on link sharing, tracking, or campaign attribution, review tools with privacy in mind. Our honest review of Lunyb and our Rebrandly review for 2026 compare how different providers handle user data.

The Wider Regulatory Landscape

The Online Safety Act does not exist in isolation. It sits alongside the UK GDPR, the Data Protection Act 2018, the Investigatory Powers Act, and the forthcoming Data Protection and Digital Information reforms. Together, these laws create a complex environment where privacy rights and safety duties are constantly being balanced.

How the UK differs from the EU

The EU's Digital Services Act (DSA) covers similar ground to the Online Safety Act but takes a more risk-based, transparency-led approach. The UK Act places more emphasis on individual platform duties and gives Ofcom stronger direct enforcement powers, including the ability to require technical measures on encrypted services.

What to watch in 2026 and beyond

Ofcom is still publishing codes of practice, and enforcement is ramping up. Key things to monitor include:

  • The first major enforcement actions and how large fines are calculated
  • Whether the government activates the encryption-scanning powers
  • How age assurance technology evolves and whether it becomes less invasive
  • Legal challenges from platforms and civil liberties groups
  • Any post-implementation review and amendments to the Act

Frequently Asked Questions

Does the UK Online Safety Act break end-to-end encryption?

Not directly, but it grants Ofcom the power to require accredited scanning technology on messaging services. The government has said this power will not be used until scanning can be done without weakening encryption, which most experts consider technically impossible today. For now, mainstream encrypted apps like Signal and WhatsApp continue to operate normally in the UK.

Do I have to verify my age to use social media in the UK?

Not always, but you may be asked to verify your age on services likely to be accessed by children, especially if they contain adult content or age-restricted features. Age assurance can take many forms, from self-declaration to facial age estimation to full identity verification, depending on the risk level of the content.

What happens to my identity documents after age verification?

This depends on the provider. Reputable, Ofcom-recognised age verification services should delete your documents shortly after verification and issue a token that confirms your age without revealing your identity. Always check the privacy policy of the verifier before uploading sensitive documents.

Can I still use anonymous accounts under the Act?

Yes. The Act does not require users to be identified on most platforms. However, Category 1 services (the largest platforms) must offer users the option to verify their identity and to filter out interactions from unverified accounts. Anonymous participation is still permitted.

Does the Act apply to small websites and personal blogs?

It can. The Act applies to any user-to-user service or search service accessible from the UK, regardless of size. However, smaller services with lower risk have proportionately lighter duties. If your site only publishes your own content and does not host user-generated posts or messages, most of the Act's core duties do not apply.

Final Thoughts

The UK Online Safety Act represents one of the most ambitious attempts by any democracy to regulate the online world. Its goals, protecting children and removing illegal content, are broadly shared, but the tools it employs have real consequences for privacy, anonymity, and encrypted communication.

As a UK user, you have more responsibility than ever to understand what data you share and with whom. Choose services that treat your data with care, keep your identity compartmentalised, and stay informed as Ofcom's codes of practice evolve. As a business, invest early in privacy-preserving compliance so you can meet your duties without turning your platform into a surveillance tool.

The next few years will define how the balance between online safety and online privacy plays out in Britain. Being thoughtful now puts you in a stronger position later, whichever way the pendulum swings.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles