UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act became law in October 2023, and by 2026 most of its provisions are in full force. Framed as a landmark piece of legislation to protect children and vulnerable users online, the Act has also raised serious concerns among privacy advocates, technology companies, and everyday internet users. If you live in the UK, or you run a website that serves British users, this law affects how your data is handled, how you access services, and even how encrypted communications work.
This guide unpacks the UK Online Safety Act in plain English, explains what it means for your personal privacy, and offers practical steps you can take to stay in control of your data.
What Is the UK Online Safety Act?
The UK Online Safety Act is a British law that requires online platforms to protect users, particularly children, from illegal and harmful content. It gives Ofcom, the UK's communications regulator, sweeping powers to fine, block, or otherwise sanction services that fail to comply.
The Act applies to a very broad range of services, including social media platforms, search engines, messaging apps, online forums, dating sites, adult content platforms, cloud storage providers, and even smaller community websites. If your service is used by people in the UK, chances are you fall within its scope, regardless of where the company is headquartered.
Core objectives of the Act
- Remove illegal content such as terrorism, child sexual abuse material (CSAM), and fraud
- Protect children from age-inappropriate material including pornography and content promoting self-harm
- Give adults more control over what they see on major platforms
- Require transparency from tech companies about how they moderate content
- Enforce compliance through fines of up to £18 million or 10% of global annual revenue, whichever is higher
Why Privacy Advocates Are Concerned
While the goals of the Act are widely supported in principle, the mechanisms it uses to achieve them have provoked significant debate. Several provisions have direct implications for user privacy.
1. The encryption backdoor debate
Section 122 of the Act allows Ofcom to require messaging services to use "accredited technology" to scan private messages for illegal content. Critics argue this effectively mandates client-side scanning, which would undermine end-to-end encryption on services like WhatsApp, Signal, and iMessage.
The UK government has stated it will not require scanning until it is "technically feasible" to do so without weakening encryption, but the legal power remains on the statute books. Signal has publicly stated it would rather leave the UK market than compromise its encryption model.
2. Age verification and identity checks
Platforms hosting adult content, and any service accessible to children, must implement "highly effective" age assurance. In practice, this often means uploading a passport, driver's licence, or facial scan to a third-party verification provider before you can access certain sites.
This creates new pools of sensitive identity data that could be targeted by hackers, subpoenaed by governments, or misused by the verification companies themselves.
3. Content monitoring at scale
To comply with duties around illegal content, platforms must build systems capable of monitoring vast amounts of user-generated content. This inevitably involves automated scanning, AI moderation, and retention of logs, all of which increase the volume of personal data being processed.
How the Act Affects Everyday UK Users
The impact of the Online Safety Act is not abstract. It shows up in the way you use the internet every day.
Changes you may have already noticed
- Age gates on more websites. Adult sites, gambling platforms, and even some social networks now ask for identity verification.
- Some services withdrawing from the UK. Certain smaller forums, niche communities, and privacy-focused apps have geoblocked UK users rather than face compliance costs.
- More prompts and warnings. Platforms display more content warnings, safety notices, and "user empowerment" toggles.
- Data collection expansion. Services collect more information to demonstrate compliance, including behavioural data and identity documents.
- Reduced anonymity. Category 1 services must give users the option to verify their identity and to block interactions with non-verified accounts.
Who is most affected?
Adults who value private, anonymous communication face the biggest changes. Journalists, activists, whistleblowers, LGBTQ+ people in unsupportive environments, and survivors of abuse all have legitimate reasons to communicate without identifying themselves. The Act's identity and scanning provisions can make this more difficult.
The Data Trail You Now Leave Behind
Under the Act, more of your online activity is recorded, processed, or verified than ever before. Here's a look at where new data trails are being created.
| Activity | Data collected before the Act | Data collected under the Act |
|---|---|---|
| Visiting an adult website | IP address, browser fingerprint | IP, fingerprint, plus government ID or facial scan via age verifier |
| Signing up for social media | Email, phone number | Email, phone, optional identity verification, age estimation |
| Sending private messages | Metadata only (with E2EE) | Potential client-side scanning of message content |
| Posting on a forum | Username, IP | Username, IP, moderation logs, risk-assessment records |
| Accessing gambling or dating sites | Account details | Account details plus verified age or identity |
How to Protect Your Privacy Under the Act
You cannot opt out of the Online Safety Act, but you can make informed choices that reduce how much personal data you expose. Here are practical steps British users can take.
1. Choose privacy-first services
Prefer platforms that publish transparency reports, minimise data collection, and use strong end-to-end encryption. Read privacy policies carefully, particularly the sections on data retention and third-party sharing.
2. Use encrypted DNS and privacy-respecting browsers
Switching to encrypted DNS (DNS over HTTPS or DNS over TLS) and browsers like Firefox, Brave, or Mullvad Browser reduces the amount of information your internet provider and third parties can see about your browsing.
3. Be selective with age verification providers
If you must verify your age, choose providers that use "double-blind" architectures, where the verifier does not know which site you are visiting and the site does not receive your identity documents. Look for the age verification certification schemes recognised by Ofcom.
4. Minimise personal data on public profiles
The more you share publicly, the easier it becomes for platforms and third parties to build a profile of you. Review privacy settings, delete old posts, and avoid linking accounts unnecessarily.
5. Use privacy-respecting link tools
When sharing links, tools that avoid excessive tracking help protect both you and the people who click. A privacy-conscious URL shortener like Lunyb gives you clean, trackable links without loading your audience with intrusive trackers. If you're evaluating options, our 2026 buyer's guide to URL shorteners compares the main players on privacy, features, and price.
6. Compartmentalise your identity
Use separate email addresses for different services, avoid reusing usernames across platforms, and consider using aliasing services for sign-ups. This limits how easily your activity can be joined up into a single profile.
What UK Businesses and Website Owners Need to Know
If you run a website, community, or app that UK users can access, you likely have obligations under the Act. Even small platforms are affected.
Key compliance duties
- Illegal content risk assessment. Document the risks your service poses in relation to illegal content and record how you mitigate them.
- Children's access assessment. Determine whether children can access your service, and if so, complete a children's risk assessment.
- Terms of service. Publish clear terms that explain how you handle harmful content and how users can report it.
- Reporting and complaints. Provide accessible tools for users to report content and appeal moderation decisions.
- Record-keeping. Maintain records of your compliance activities for potential Ofcom review.
Balancing compliance with user privacy
Compliance and privacy are not necessarily in conflict. Businesses can meet their obligations while still respecting user data by:
- Collecting only the minimum data required for compliance
- Using privacy-preserving age verification methods
- Being transparent about moderation practices
- Encrypting stored user data and applying strict access controls
- Working with vendors that meet UK GDPR standards
If your business relies heavily on link sharing, tracking, or campaign attribution, review tools with privacy in mind. Our honest review of Lunyb and our Rebrandly review for 2026 compare how different providers handle user data.
The Wider Regulatory Landscape
The Online Safety Act does not exist in isolation. It sits alongside the UK GDPR, the Data Protection Act 2018, the Investigatory Powers Act, and the forthcoming Data Protection and Digital Information reforms. Together, these laws create a complex environment where privacy rights and safety duties are constantly being balanced.
How the UK differs from the EU
The EU's Digital Services Act (DSA) covers similar ground to the Online Safety Act but takes a more risk-based, transparency-led approach. The UK Act places more emphasis on individual platform duties and gives Ofcom stronger direct enforcement powers, including the ability to require technical measures on encrypted services.
What to watch in 2026 and beyond
Ofcom is still publishing codes of practice, and enforcement is ramping up. Key things to monitor include:
- The first major enforcement actions and how large fines are calculated
- Whether the government activates the encryption-scanning powers
- How age assurance technology evolves and whether it becomes less invasive
- Legal challenges from platforms and civil liberties groups
- Any post-implementation review and amendments to the Act
Frequently Asked Questions
Does the UK Online Safety Act break end-to-end encryption?
Not directly, but it grants Ofcom the power to require accredited scanning technology on messaging services. The government has said this power will not be used until scanning can be done without weakening encryption, which most experts consider technically impossible today. For now, mainstream encrypted apps like Signal and WhatsApp continue to operate normally in the UK.
Do I have to verify my age to use social media in the UK?
Not always, but you may be asked to verify your age on services likely to be accessed by children, especially if they contain adult content or age-restricted features. Age assurance can take many forms, from self-declaration to facial age estimation to full identity verification, depending on the risk level of the content.
What happens to my identity documents after age verification?
This depends on the provider. Reputable, Ofcom-recognised age verification services should delete your documents shortly after verification and issue a token that confirms your age without revealing your identity. Always check the privacy policy of the verifier before uploading sensitive documents.
Can I still use anonymous accounts under the Act?
Yes. The Act does not require users to be identified on most platforms. However, Category 1 services (the largest platforms) must offer users the option to verify their identity and to filter out interactions from unverified accounts. Anonymous participation is still permitted.
Does the Act apply to small websites and personal blogs?
It can. The Act applies to any user-to-user service or search service accessible from the UK, regardless of size. However, smaller services with lower risk have proportionately lighter duties. If your site only publishes your own content and does not host user-generated posts or messages, most of the Act's core duties do not apply.
Final Thoughts
The UK Online Safety Act represents one of the most ambitious attempts by any democracy to regulate the online world. Its goals, protecting children and removing illegal content, are broadly shared, but the tools it employs have real consequences for privacy, anonymity, and encrypted communication.
As a UK user, you have more responsibility than ever to understand what data you share and with whom. Choose services that treat your data with care, keep your identity compartmentalised, and stay informed as Ofcom's codes of practice evolve. As a business, invest early in privacy-preserving compliance so you can meet your duties without turning your platform into a surveillance tool.
The next few years will define how the balance between online safety and online privacy plays out in Britain. Being thoughtful now puts you in a stronger position later, whichever way the pendulum swings.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
OAIC Complaints: How to Report a Privacy Breach in Australia
A practical Australian guide to lodging OAIC complaints when your personal information is mishandled. Learn the step-by-step process, evidence you'll need, realistic timelines, and what outcomes to expect from the privacy regulator.
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, rights, and penalties. This guide compares Canada's and Europe's privacy laws and explains what Canadian businesses need to do to stay compliant in 2026.
DPC Ireland: How to File a Privacy Complaint (2026 Guide)
Learn exactly how to file a privacy complaint with Ireland's Data Protection Commission (DPC) in 2026. This step-by-step guide covers evidence gathering, submission, timelines, and what to expect after you file.
Data Protection Act 2018 Ireland: The Complete Guide
Ireland's Data Protection Act 2018 works alongside GDPR to govern how organisations handle personal data. This complete guide covers key provisions, individual rights, business obligations, DPC enforcement, penalties, and a practical compliance checklist for Irish organisations.