If your online service is regulated under the Online Safety Act, you must assess whether children are likely to access it. This is not optional — it is a legal requirement under section 37 of the Act. The outcome determines whether the full suite of children's safety duties applies to your service.

Ofcom takes a broad view of what "likely to be accessed by children" means. Unless you can demonstrate with evidence that children are effectively prevented from accessing your service, you should assume the children's safety duties apply.

The legal test

Section 37 requires you to assess whether it is possible for children to access your service, and if so, whether children actually use or are likely to use it. "Children" means anyone under 18. The test is forward-looking — you must consider whether children are likely to access the service in future, not just whether they currently do.

Children's access assessment requirements

Mandatory assessment under section 37 to determine whether children are likely to access a regulated service.

All regulated user-to-user and search services must complete a children's access assessment under section 37 of the Online Safety Act 2023. This is separate from (and precedes) any children's risk assessment. If your assessment concludes children are likely to access your service, you must then complete a children's risk assessment and comply with children's safety duties.

Important: Until you complete your first children's access assessment, your service is treated as likely to be accessed by children.

Legal basis: Online Safety Act 2023, section 37
Assessment deadline: 16 April 2025 (for services in scope at that date)
Ofcom guidance published: 24 April 2025 (Children's Access Assessments Guidance)
Children's risk assessment deadline (if children likely): 24 July 2025
Default presumption: Until first assessment completed, service treated as likely to be accessed by children
Review frequency: Before making any significant change to the service, or when directed by Ofcom

Factors to consider: User demographics, content type, design features, marketing, age restrictions in terms of service, available evidence of children using similar services
What happens if children likely: Must complete children's risk assessment, implement age assurance, apply children's safety duties
What happens if children not likely: Record the assessment and rationale, review before significant changes
Ofcom enforcement programme: Active monitoring of children's risk assessment duties across regulated services

Ofcom quick guide to children's access assessments

Age assurance in the context of access assessment

A key factor in your assessment is whether you use age assurance measures and how effective they are. Ofcom's guidance distinguishes between age verification (which confirms a user's actual age) and age estimation (which infers an approximate age). Only robust, evidence-based age assurance can support a conclusion that children are not likely to access your service.

Online Safety Act age verification overview

Overview of age verification requirements under the Online Safety Act 2023

The Online Safety Act 2023 requires online services to implement age verification or age assurance to protect children from harmful content. Ofcom is developing detailed guidance on acceptable methods.

Services must take steps to prevent children accessing content that is harmful to them, including pornography and other age-restricted content.

Primary legislation: Online Safety Act 2023
Regulator: Ofcom (online content), ICO (data protection aspects)
Enforcement: Ofcom can fine up to 10% of global annual turnover

Ofcom Online Safety guidance

How to conduct your assessment

1

1. Review your service's nature and target audience

Consider who your service is designed for and how it is marketed. A service aimed at adults only (such as a professional networking platform) is different from a general entertainment platform. However, an adult-targeted service can still be likely accessed by children if no effective barriers exist.
2

2. Analyse available user data

Examine any data you hold about user ages, including registration data, age declarations, analytics data, and research. Be critical of self-declared ages — Ofcom recognises that children frequently misstate their age online. If your data shows any under-18 users, or if age data is unreliable, this weighs towards children being likely to access the service.
3

3. Assess your existing age barriers

Evaluate any age gates, verification systems, or access restrictions currently in place. Simple age declaration ('Enter your date of birth') is not considered effective. Assess whether your measures would realistically prevent a determined child from accessing the service. Document the technology used and its known limitations.
4

4. Consider the nature of your content and features

Assess whether your service's content, features, or community would be attractive to children. Gaming content, entertainment, social features, and educational material are all factors that increase the likelihood of children accessing a service. Consider evidence from similar services about child usage patterns.
5

5. Apply the Ofcom presumption framework

Ofcom's guidance establishes a practical presumption: unless you have robust evidence that children cannot access your service, you should treat children as likely to access it. Review Ofcom's published factors and assess each one against your service. Document your reasoning for each factor.
6

6. Reach and document your conclusion

Based on your assessment, reach a reasoned conclusion. If children are likely to access your service (the most common outcome), document this and proceed to implement children's safety duties. If you conclude children are not likely to access your service, you must retain comprehensive evidence supporting that conclusion. Ofcom may challenge this finding.
7

7. Plan your response to the assessment outcome

If children are likely to access your service, you must conduct a children's risk assessment, implement children's safety measures (including age assurance where appropriate), and comply with Ofcom's children's safety codes of practice. Begin planning these steps immediately.

ICO Children's Code considerations

If children are likely to access your service, you will also need to consider the ICO's Age Appropriate Design Code (Children's Code) under data protection law. The two regimes overlap significantly and should be addressed together.

ICO Children's Code requirements

Age-appropriate design code requirements for children's data

The ICO Children's Code (Age Appropriate Design Code) sets standards for services likely to be accessed by children:

High privacy settings by default for child users
Minimise data collection from children
Switch off geolocation by default for children
Avoid nudge techniques encouraging data sharing
Provide age-appropriate information about data use

Age threshold: Under 18 (but particularly under 13)
Enforcement body: Information Commissioner's Office (ICO)
Applicable to: Information society services likely to be accessed by children
Came into force: 2 September 2021

ICO Age appropriate design code

Common mistakes to avoid

Relying on terms of service alone — stating "this service is for users aged 18+" in your terms does not prevent children from accessing it and does not satisfy the assessment requirement
Treating age self-declaration as evidence — a date of birth field at registration does not reliably prevent under-18 access
Failing to document your reasoning — even if your conclusion is straightforward, you must maintain a written record of the assessment and the evidence supporting it
Treating the assessment as one-off — you must review your assessment when your service changes, when new evidence emerges, or when Ofcom updates its guidance

What to do next

If children are likely to access your service (which applies to most regulated services), you should read our guide on children's safety duties to understand the full range of obligations this triggers, including risk assessment by age group, content restrictions, and age assurance requirements.

Official guidance and resources

Ofcom: Children's safety duties under the Online Safety Act (opens in a new tab) ofcom.org.uk
Online Safety Act 2023 — Section 37 (opens in a new tab) legislation.gov.uk
ICO: Age Appropriate Design Code (opens in a new tab) ico.org.uk
Ofcom: Protecting children online (opens in a new tab) ofcom.org.uk

Conduct a children's access assessment

Children's safety duties under the Online Safety Act

Age verification for online services

Implement age assurance on your platform

Online Safety Act compliance checklist

Tech Sector Compliance Overview

The legal test

Age assurance in the context of access assessment

How to conduct your assessment

1. Review your service's nature and target audience

2. Analyse available user data

3. Assess your existing age barriers

4. Consider the nature of your content and features

5. Apply the Ofcom presumption framework

6. Reach and document your conclusion

7. Plan your response to the assessment outcome

ICO Children's Code considerations

Common mistakes to avoid

What to do next

Official guidance and resources

Related guides in Digital & Technology

Children's safety duties under the Online Safety Act

Age verification for online services

Implement age assurance on your platform

Online Safety Act compliance checklist

Tech Sector Compliance Overview

The legal test

Age assurance in the context of access assessment

How to conduct your assessment

1. Review your service's nature and target audience

2. Analyse available user data

3. Assess your existing age barriers

4. Consider the nature of your content and features

5. Apply the Ofcom presumption framework

6. Reach and document your conclusion

7. Plan your response to the assessment outcome

ICO Children's Code considerations

Common mistakes to avoid

What to do next

Official guidance and resources