Age verification for online services | Guvnor

The Online Safety Act 2023 requires online services to implement age verification or age assurance to protect children from harmful content. Ofcom regulates online content while the ICO oversees data protection aspects.

This guide covers when age verification is required and how to implement it compliantly.

Online Safety Act requirements

Online Safety Act age verification overview

Overview of age verification requirements under the Online Safety Act 2023

The Online Safety Act 2023 requires online services to implement age verification or age assurance to protect children from harmful content. Ofcom is developing detailed guidance on acceptable methods.

Services must take steps to prevent children accessing content that is harmful to them, including pornography and other age-restricted content.

Primary legislation: Online Safety Act 2023
Regulator: Ofcom (online content), ICO (data protection aspects)
Enforcement: Ofcom can fine up to 10% of global annual turnover

Ofcom Online Safety guidance

When do you need age verification?

Definitely required for:

Pornography websites and platforms
Services with content harmful to children
Age-restricted products (alcohol, gambling, etc.)

May be required depending on:

Type and volume of user-generated content
Risk assessment findings
Whether service is likely to be accessed by children

Age verification methods

Age verification methods

Acceptable methods for verifying or estimating user age

Age assurance methods range from hard verification to estimation:

Hard verification: Government ID document checks, credit card verification
Open banking: Verification through bank account data
Facial age estimation: AI-based age estimation from photos
Digital ID services: Third-party identity verification providers
Self-declaration: User confirms age (weakest form)

The chosen method should be proportionate to the risk and type of content.

Most robust methods: Government ID, open banking, credit card verification
Less robust: Self-declaration (may not meet regulatory requirements)
Privacy consideration: Methods must comply with UK GDPR and Data Protection Act 2018

Choosing the right method

Consider these factors:

Risk level: Higher-risk content needs more robust verification
User experience: Balance security with usability
Privacy: Minimise data collection
Cost: Different methods have different costs
Accessibility: Methods must work for users with disabilities

Pornography-specific requirements

Age verification for pornography sites

Specific requirements for adult content providers

Providers of online pornography must implement robust age verification preventing access by children. Requirements apply to:

Dedicated pornography websites
Social media platforms hosting pornographic content
Any online service making pornography available to UK users

Self-declaration (clicking 'I am 18') is NOT sufficient for pornography sites.

Age threshold: 18 years old
Self-declaration acceptability: Not acceptable for pornography sites
Maximum penalty: Up to 10% of qualifying worldwide revenue
Service blocking: Ofcom can require ISPs to block non-compliant sites

What pornography sites must do

Self-declaration is NOT acceptable. You must implement robust verification such as:

Government ID document verification
Credit card verification
Open banking verification
Third-party age verification services

Penalty: Up to 10% of qualifying worldwide revenue, plus possible ISP blocking.

ICO Children's Code

ICO Children's Code requirements

Age-appropriate design code requirements for children's data

The ICO Children's Code (Age Appropriate Design Code) sets standards for services likely to be accessed by children:

High privacy settings by default for child users
Minimise data collection from children
Switch off geolocation by default for children
Avoid nudge techniques encouraging data sharing
Provide age-appropriate information about data use

Age threshold: Under 18 (but particularly under 13)
Enforcement body: Information Commissioner's Office (ICO)
Applicable to: Information society services likely to be accessed by children
Came into force: 2 September 2021

ICO Age appropriate design code

Implementing age-appropriate design

If your service is likely to be accessed by children:

Set privacy settings to high by default for children
Minimise data collection from children
Switch off geolocation by default
Don't use nudge techniques encouraging data sharing
Provide clear, age-appropriate privacy information

Best practice: Assume children may access your service and design accordingly.

Privacy and data protection

Age verification privacy requirements

Data protection requirements for age verification systems

Age verification systems must comply with UK GDPR and minimise data collection:

Data minimisation: Only collect data necessary for age verification
No tracking: Age verification data should not be used to track users across sites
Secure processing: Appropriate security measures for verification data
Limited retention: Don't retain ID documents longer than necessary

Many acceptable methods verify age without requiring the service to know the user's actual identity.

Legal basis: Legitimate interests (most common for AV)
Special category data: Biometric data requires additional safeguards
DPIA requirement: Data Protection Impact Assessment may be required

Privacy-preserving verification

Age verification doesn't need to identify users. Consider:

Zero-knowledge proofs: Verify age without revealing identity
Attribute-based credentials: Prove "over 18" without sharing birthdate
Facial age estimation: Estimates age without storing images
One-time verification tokens: Verify once, use token for future access

Key principle: Verify only what you need to know.

Gaming and gambling

Age verification for gaming and gambling

Age verification requirements for gambling and gaming with loot boxes

Gambling operators must verify customer age before allowing gambling:

Remote gambling: Age verification required before first deposit or free-to-play gambling
In-person gambling: Challenge 21/25 policies for age-restricted premises
Games with paid loot boxes: Subject to ongoing regulatory consideration

Gambling age threshold: 18 years old (16 for National Lottery)
Remote gambling deadline: Before first deposit or free-to-play gambling
Regulator: Gambling Commission

Gambling Commission age verification guidance

Gambling operator obligations

Remote gambling:

Verify age before first deposit
Verify age before free-to-play gambling
Use reliable verification methods

In-person gambling:

Implement Challenge 21 or Challenge 25 policies
Train staff on age verification
Maintain refusal records

Implementation checklist

Risk assessment: Identify what harmful content your service may host
Method selection: Choose verification method appropriate to risk
Privacy compliance: Ensure UK GDPR compliance, conduct DPIA if needed
User journey: Design clear verification process
Testing: Test verification effectiveness and accessibility
Documentation: Document your approach for regulators
Monitoring: Review effectiveness and update as needed

Primary legislation