The UK’s Online Safety Act is live; now for the hard part

The UK’s pioneering regulatory effort on internet safety has provided direction and arrived at a significant consensus on desired outcomes, but has arrived at a set of thorny questions around age assurance and online anonymity. A Westminster eForum event on “Next steps for online safety policy and practice in the UK” sought to clarify what those questions are, and begin to answer them.

Ofcom’s first consultation on implementing the Act closes at the end of February.

Ofcom Online Safety Principal Jessica Smith gave an overview of the Online Safety Act implementation and its aims. An implementation timeline she shared showed the categorization of online services being scheduled for parliamentary approval in the second quarter of 2026. The protection of children codes, which is where age assurance comes in, are expected to come into force during the fourth quarter of next year.

The draft guidance issued by Ofcom for pornography providers specifies that digital identity wallets, open banking, photo-ID matching, age estimation based on face biometrics, mobile operator checks and credit cards can all be sources of “highly effective” age assurance, if implemented properly. Methods like self-attestation, debit and other cards and general contractual obligations will not be accepted. Consultation on the guidance closes next month.

The next stage of consultation on the protection of children will focus on the steps services need to take to determine that users are children.

In response to a question from Iain Corby of the AVPA about the speed of enforcement, Smith said that while Ofcom will continue to take an “engagement-first approach,” “we will not hesitate to use our enforcement powers where there are compliance issues.”

Corby also participated in a panel on emerging, future and global threats to online safety later in the event.

A “global online safety regulator’s network” is also being set up, as Ofcom coordinates with authorities in the EU and elsewhere.

In the following panel discussion, Professor Julia Hornle of Queen Mary University of London pointed out that one of the key challenges of implementing the Act will be ensuring that age estimation is effective at distinguishing between the various age groups involved. A distinction between childhood and adulthood is inadequate to many of the services and potential harms in the Act’s scope.

Other emerging threats include the risk that a high degree of amplification could render the measures of the Online Safety Act impotent in some cases.

There are also cases where the Act seems to call for user identity verification or authentication, such as for dating sites. As with age verification, there is a balance to be struck between safety and privacy.

How and when users should be identified, and how that balance will with privacy will be struck, is a topic for future consultations. The complexity of the Act and consultations, however, is already a challenge repeatedly noted by speakers at the event.

Ian Stevenson, chair of the Online Safety Tech Industry Association, points out that the technologies identified in the Ofcom consultation do not push the bounds of innovation. The result of this, he says, is that platforms are “pulling back” from new technologies based on the perception that they are not required by Ofcom. He calls for emerging technologies to be tested, piloted, refined, deployed and scaled.

The current consultation will not drive investment in innovation, or demand for new technologies, he says. That could change with the steps ahead.

Hornle responded that the aims of the Act are decided, but the technology is becoming the elephant in the room.

AVPA flags AI, distrust in government and big tech as hurdles for age verification

Article Topics

age verification  |  AVPA  |  biometrics  |  children  |  data protection  |  Ofcom  |  Online Safety Act  |  OSTIA  |  regulation