Guide
Implement age assurance on your platform
Practical guide to implementing age assurance on your online platform. Covers choosing between age verification and estimation, evaluating providers, privacy-preserving approaches, the specific requirements for pornographic content, and ensuring compliance with both the Online Safety Act and UK GDPR.
If children are likely to access your online service, the Online Safety Act requires you to implement effective age assurance as part of your children's safety duties. For services publishing pornographic content, age verification is mandatory. This guide takes you through the practical steps of choosing, implementing, and maintaining an age assurance system.
Age assurance is not just a technical challenge — it sits at the intersection of child safety, privacy law, and user experience. Getting it wrong in any of these dimensions creates risk: inadequate age checks expose children to harm; excessive data collection breaches UK GDPR; and a poor user experience drives users away or encourages circumvention.
Understanding your options
The first step is understanding what types of age assurance are available and which are appropriate for your service.
Pornography-specific requirements
If your service publishes or hosts pornographic content, Part 5 of the Online Safety Act imposes specific, stricter requirements. Age verification (not just estimation) is mandatory, and Ofcom will set detailed standards for what constitutes acceptable verification in this context.
How to implement age assurance
-
1. Define your age assurance requirements
Based on your children's access assessment and risk assessment, determine what level of age assurance you need. Consider: do you need hard verification (confirming exact age) or is estimation (determining likely age range) sufficient? What age thresholds matter — under 13, under 16, under 18? Do you host pornographic content requiring mandatory verification? Document your requirements clearly.
-
2. Evaluate age assurance methods and providers
Research available methods against your requirements. Consider accuracy rates (both false acceptance and false rejection), the user data required and associated privacy impact, accessibility for users with disabilities or without standard identity documents, cost and scalability, and whether the method has been independently audited. Request evidence of accuracy from providers — do not rely on marketing claims alone.
-
3. Conduct a Data Protection Impact Assessment
Under UK GDPR, processing personal data for age assurance requires a DPIA. Assess: what personal data will be collected (biometric, identity documents, financial data), how long it will be retained, who will have access, what is the lawful basis for processing, and how you will handle data subject rights requests. Your DPIA must be completed before you go live.
-
4. Design privacy-preserving implementation
Apply data minimisation principles throughout. Preferred approaches include: using third-party age check services that return only a yes/no age-appropriate result (not raw data), implementing zero-knowledge proof systems where available, avoiding storing identity documents or biometric data beyond the verification moment, and ensuring age check data is not linked to user activity or content consumption data.
-
5. Implement and integrate with your platform
Deploy the chosen solution and integrate it with your platform's access controls. Ensure the age check occurs before any restricted content is accessible — not after. Configure content restriction tiers based on age thresholds if your service has different restriction levels for different ages. Test thoroughly including edge cases: users without ID, international users, users with accessibility needs.
-
6. Build fallback and appeals processes
Not every user will pass age assurance on the first attempt. Design clear fallback processes: what happens if estimation fails, can users escalate to verification, is there a manual review option? Ensure users who are incorrectly blocked can appeal. Document and test these processes.
-
7. Test, audit, and iterate
Before launch, conduct user testing across diverse demographics. After launch, monitor performance metrics: false acceptance rates (children getting through), false rejection rates (adults being blocked), completion rates, and user complaints. Commission independent audits periodically. Update your approach as technology improves and Ofcom's guidance evolves.
Privacy compliance
Age assurance must comply with UK GDPR. This creates specific obligations that run alongside your Online Safety Act duties.
Special considerations for children's data
If your age assurance process involves collecting data from users who turn out to be children, additional protections apply. Under UK GDPR, children's data is given special protection. The ICO Children's Code requires high privacy by default for child users. You should design your system so that minimal data is collected from users before their age is established, and that data collected from identified children during the age check process is deleted promptly.
Common pitfalls
- Relying on self-declaration — asking users to enter their date of birth or tick a box confirming they are over 18 is not effective age assurance. Ofcom has been clear this does not meet the standard.
- Collecting excessive data — requesting passport scans or driving licence copies when a less intrusive method would suffice violates the data minimisation principle under UK GDPR
- Failing to account for international users — age verification methods relying on UK-specific documents (such as a UK driving licence) exclude international users. Consider how your solution handles users from different countries.
- Neglecting accessibility — facial estimation technology may not work equally well across all demographics. Ensure your system does not discriminate and provides alternative pathways.
- Linking age data to browsing activity — storing the fact that a user passed an age check alongside their content consumption history creates a privacy risk. Keep age assurance data separate from activity data.
What to do next
Once your age assurance system is live, ensure it is reflected in your updated children's risk assessment and that your record-keeping covers the technology deployed, its performance, and any incidents. Review your system whenever Ofcom publishes updated guidance on age assurance standards.