Technology

Online Safety Act Age Checks: What Users Notice

Age checks are appearing across more UK websites. Here is what they ask for, how age assurance works, and what to check before sharing ID.

Age checks are starting to feel like part of ordinary internet life in the UK. Some will be quick, some will feel intrusive, and some will appear in places where you used to click straight through. The useful skill is knowing what the check is trying to prove, what data it asks for, and when to pause before handing anything over.

The Short Version

Key Takeaways

  • The Online Safety Act pushes some online services to use stronger age checks where children could encounter harmful or adult content.
  • Age verification tries to confirm your age, while age estimation tries to judge whether you are likely to be above or below a threshold.
  • Self-declaring a date of birth is not treated as a strong age check on its own under Ofcom’s guidance.
  • A good age check should ask for the least data needed, explain what happens to it, and offer a way to challenge mistakes.
  • If a site asks for ID, a face scan or banking confirmation, check who is processing it before you continue.

Why Age Checks Are Appearing

The Online Safety Act 2023 gives Ofcom the job of regulating online safety duties for services used in the UK. The rules are aimed at services, not individual users, but users are the people who will notice the practical changes.

The clearest change is around harmful content and pornography. Ofcom’s Age Assurance and Children’s Access Statement set out how services should approach age assurance. Its protection of children duties for many user-to-user services came into force on 25 July 2025, after earlier duties for services that publish their own pornographic content.

In plain terms, some sites can no longer rely on a box that says “I am over 18”. If a service needs to stop children from seeing certain material, Ofcom expects age assurance that is highly effective. That phrase matters because it means the process should be technically accurate, robust, reliable and fair.

This does not mean every website will demand a passport. The rules depend on the type of service, the content involved, whether children are likely to access it, and what the service says it allows.

Age Verification, Age Estimation And Age Assurance

Age assurance is the umbrella term. It covers ways of working out whether a user is old enough for a service, a feature or a piece of content.

Age verification is the stricter-sounding version. It is designed to verify an exact age, an age range, or a simple result such as “over 18”. That could involve photo ID, a digital identity service, a credit card check, mobile network operator data or another provider that confirms the result to the website.

Age estimation is different. It does not necessarily prove your exact age. It may estimate whether you are likely to be above or below a threshold. Facial age estimation is the obvious example, where software analyses an image of your face and returns an estimate or pass result.

Ofcom’s children’s access assessment guidance lists examples of methods that may be capable of being highly effective, including photo ID matching, facial age estimation and reusable digital identity services. It also makes clear that a date-of-birth box, a debit card check or a line in the terms and conditions is not enough on its own.

What A Check Might Ask You For

Different services will choose different methods. Some checks may happen through a specialist age-check provider rather than the website itself. That can be a good design if the website only receives a pass or fail result instead of storing your underlying document or image.

You might be asked to scan photo ID, take a selfie, confirm a credit card, use open banking, verify through a mobile network account, or use a digital identity wallet. Some sites may ask you to sign in before checking your age. Others may put the check at the point where you try to view a particular part of the service.

The important question is not just “is this annoying?” It is “what information is being collected, who sees it, and what is retained?” A reasonable age check should separate the age result from unnecessary personal detail wherever possible. If the site only needs to know whether you are over 18, it should not need to keep a copy of your date of birth for unrelated marketing.

The Privacy Questions To Ask

The ICO’s age assurance guidance is useful because it focuses on the data side. Services should tell users how their data will be processed, collect only the minimum amount needed, and avoid repurposing age assurance data for other aims.

Before submitting anything sensitive, look for three things. First, who is the age-check provider? Second, what result is sent back to the website? Third, how long is the information retained? A clean process will usually explain whether the website receives only a token, an age band or the underlying identity data.

Be cautious if a site asks for more than the situation seems to require. A one-off check is different from creating a permanent profile that links your identity, browsing behaviour and content choices.

When A Site Gets It Wrong

Age checks can fail in both directions. A child might pass a weak check. An adult might be wrongly blocked. A facial estimation model might be less accurate for some groups than others. A person without a passport, driving licence, credit card or suitable mobile account may find a particular route difficult.

That is why fairness matters. Ofcom treats highly effective age assurance as more than raw accuracy. The process also needs to be robust, reliable and fair in practice. The ICO also expects services to explain how users can challenge an inaccurate age assessment.

If you are blocked incorrectly, look for an appeal route or an alternative verification method. If none exists, that is a weakness in the service design. For a practical privacy comparison, our guide to AI photo editing on phones explains the same basic trade-off: a useful feature can still deserve scrutiny when it handles sensitive personal data.

A Worked Example

Imagine you open a video-sharing site and try to view a restricted section. The site says it needs to check whether you are over 18. It offers three routes: facial age estimation, credit card confirmation or a reusable digital identity app.

The facial check asks you to take a short selfie video. The better version says the image is processed by a named provider, the website receives only an over-18 result, and the image is deleted after the check.

The credit card route may be quick, but it is not the same as a debit card route. Ofcom’s guidance treats debit card checks as weak because many under-18s can hold debit cards. A credit card check can be stronger, but you still need to know whether it creates a charge, a pre-authorisation or a record with a payment provider.

The digital identity app might reduce repeated ID uploads across multiple websites. The trade-off is that you are placing more trust in one identity provider, so its privacy policy and security record matter.

What This Means For You

For ordinary users, the practical rule is simple: do not treat every age gate as either harmless bureaucracy or a privacy disaster. Treat it as a data request.

If the service is well-known, the provider is named, the explanation is clear and the site only receives a pass result, the risk may be modest. If the site is obscure, the wording is vague, or the check asks for ID without saying who stores it, slow down.

The same habits that help with smartphone privacy settings help here too. Read the prompt, check the provider, avoid uploading sensitive documents to sites you do not trust, and use a safer alternative if one is available.

In Plain English

Age checks are becoming more common because some websites now have stronger duties to keep children away from harmful or adult material.

A good check should prove only what the site needs to know. Usually, that means whether you are old enough, not a full copy of who you are.

Before you scan your face, upload ID or connect an account, check who is doing the verification and what they keep.

Related Reads