Guide
Conduct a children's access assessment
Step-by-step guide to assessing whether children are likely to access your online service under the Online Safety Act 2023. Covers the legal test, Ofcom's April 2025 guidance, factors to consider, and what additional duties are triggered if children can access your service.
If your online service is regulated under the Online Safety Act, you must assess whether children are likely to access it. This is not optional — it is a legal requirement under section 37 of the Act. The outcome determines whether the full suite of children's safety duties applies to your service.
Ofcom takes a broad view of what "likely to be accessed by children" means. Unless you can demonstrate with evidence that children are effectively prevented from accessing your service, you should assume the children's safety duties apply.
The legal test
Section 37 requires you to assess whether it is possible for children to access your service, and if so, whether children actually use or are likely to use it. "Children" means anyone under 18. The test is forward-looking — you must consider whether children are likely to access the service in future, not just whether they currently do.
Age assurance in the context of access assessment
A key factor in your assessment is whether you use age assurance measures and how effective they are. Ofcom's guidance distinguishes between age verification (which confirms a user's actual age) and age estimation (which infers an approximate age). Only robust, evidence-based age assurance can support a conclusion that children are not likely to access your service.
How to conduct your assessment
-
1. Review your service's nature and target audience
Consider who your service is designed for and how it is marketed. A service aimed at adults only (such as a professional networking platform) is different from a general entertainment platform. However, an adult-targeted service can still be likely accessed by children if no effective barriers exist.
-
2. Analyse available user data
Examine any data you hold about user ages, including registration data, age declarations, analytics data, and research. Be critical of self-declared ages — Ofcom recognises that children frequently misstate their age online. If your data shows any under-18 users, or if age data is unreliable, this weighs towards children being likely to access the service.
-
3. Assess your existing age barriers
Evaluate any age gates, verification systems, or access restrictions currently in place. Simple age declaration ('Enter your date of birth') is not considered effective. Assess whether your measures would realistically prevent a determined child from accessing the service. Document the technology used and its known limitations.
-
4. Consider the nature of your content and features
Assess whether your service's content, features, or community would be attractive to children. Gaming content, entertainment, social features, and educational material are all factors that increase the likelihood of children accessing a service. Consider evidence from similar services about child usage patterns.
-
5. Apply the Ofcom presumption framework
Ofcom's guidance establishes a practical presumption: unless you have robust evidence that children cannot access your service, you should treat children as likely to access it. Review Ofcom's published factors and assess each one against your service. Document your reasoning for each factor.
-
6. Reach and document your conclusion
Based on your assessment, reach a reasoned conclusion. If children are likely to access your service (the most common outcome), document this and proceed to implement children's safety duties. If you conclude children are not likely to access your service, you must retain comprehensive evidence supporting that conclusion. Ofcom may challenge this finding.
-
7. Plan your response to the assessment outcome
If children are likely to access your service, you must conduct a children's risk assessment, implement children's safety measures (including age assurance where appropriate), and comply with Ofcom's children's safety codes of practice. Begin planning these steps immediately.
ICO Children's Code considerations
If children are likely to access your service, you will also need to consider the ICO's Age Appropriate Design Code (Children's Code) under data protection law. The two regimes overlap significantly and should be addressed together.
Common mistakes to avoid
- Relying on terms of service alone — stating "this service is for users aged 18+" in your terms does not prevent children from accessing it and does not satisfy the assessment requirement
- Treating age self-declaration as evidence — a date of birth field at registration does not reliably prevent under-18 access
- Failing to document your reasoning — even if your conclusion is straightforward, you must maintain a written record of the assessment and the evidence supporting it
- Treating the assessment as one-off — you must review your assessment when your service changes, when new evidence emerges, or when Ofcom updates its guidance
What to do next
If children are likely to access your service (which applies to most regulated services), you should read our guide on children's safety duties to understand the full range of obligations this triggers, including risk assessment by age group, content restrictions, and age assurance requirements.