United Kingdom

National jurisdiction · as of 2026-07-15

The Online Safety Act 2023 imposes two overlapping age assurance regimes enforced by Ofcom: Part 3 requires user-to-user and search services likely to be accessed by children to complete children's risk assessments and adopt safety measures, including highly effective age assurance for pornography and other primary priority content, under Ofcom's Protection of Children Codes of Practice in force since 25 July 2025, while Part 5 separately requires dedicated, non-user-generated pornography providers to use highly effective age verification or estimation since 17 January 2025. Ofcom opened dozens of Part 5 and Part 3 age assurance investigations through 2025 and issued its first age assurance fines, including GBP 1,000,000 against AVS Group Ltd in December 2025 and GBP 50,000 against the Undress.cc nudification site in November 2025. The Information Commissioner's Office's Age Appropriate Design Code (Children's Code), a statutory code under the Data Protection Act 2018 in force since 2 September 2020, sets 15 standards for privacy protective design of services likely to be accessed by children. There is no dedicated UK app store or device level age verification statute, only a duty on Ofcom under the Online Safety Act to report on app stores' role in children's online safety.

01

Instruments on record

Ofcom Guidance on Highly Effective Age Assurance and Other Part 5 Duties

In force

Statement: Age Assurance and Children's Access, Ofcom, published 16 January 2025

Effective 2025-01-17 · Applies to private

Ofcom's statutory guidance under section 82 of the Online Safety Act 2023 sets out what counts as highly effective age assurance for Part 5 pornography providers, naming photo ID matching, facial age estimation, credit card checks, open banking checks, and mobile network operator checks as capable methods, and stating that self declaration or a basic checkbox is not sufficient.

Verification methodsgov id, facial estimation, transactional data, third party service, device signal
Enforcement bodyOfcom

Source: Statement: Age Assurance and Children's Access, Ofcom, published 16 January 2025

Online Safety Act 2023, Part 5 (duties of providers of regulated provider pornographic content)

In force

Online Safety Act 2023, c. 50, ss. 79-82 (Part 5)

Effective 2025-01-17 · Applies to private

Requires providers that publish or display their own, non-user-generated pornographic content to ensure, using age verification or age estimation or both, that children cannot normally encounter that content. The method used must be highly effective at correctly determining whether a user is a child, and providers must keep written records and publish a public statement on the methods used. The duty in section 81 came into force on 17 January 2025.

Age threshold18
Verification methodsgov id, facial estimation, digital id, third party service, transactional data
PenaltiesFines up to the greater of GBP 18,000,000 or 10 percent of qualifying worldwide revenue, plus daily penalties for continuing non-compliance and potential business disruption measures.
Enforcement bodyOfcom
Private suitsno

Litigation: Ofcom investigation into Itai Tech Ltd (Undress.cc nudification site). Ofcom found the provider failed to use highly effective age assurance to prevent children encountering pornographic content and imposed a GBP 50,000 fine, plus a GBP 5,000 fine for failing to respond to a statutory information request, decision published 20 November 2025.

Source: Online Safety Act 2023, c. 50, ss. 79-82 (Part 5)

Age Appropriate Design Code (Children's Code)

In force

Data Protection Act 2018, ss. 123-125; Age Appropriate Design Code of Practice, Information Commissioner's Office

Effective 2020-09-02 · Applies to private

Requires providers of information society services likely to be accessed by children in the UK to apply 15 standards of age appropriate design, such as privacy by default, data minimisation, and not using nudge techniques that weaken children's privacy protections, under a statutory code of practice issued by the Information Commissioner under the Data Protection Act 2018. The code came into force on 2 September 2020 with a 12 month transition period ending 2 September 2021, after which the Commissioner and courts must take it into account when assessing UK GDPR compliance.

Age threshold18
Verification methodsself declaration, facial estimation, gov id
PenaltiesEnforcement under UK GDPR: fines up to the greater of GBP 17,500,000 or 4 percent of global annual turnover for the most serious infringements.
Enforcement bodyInformation Commissioner's Office
Private suitsno

Source: Data Protection Act 2018, ss. 123-125; Age Appropriate Design Code of Practice, Information Commissioner's Office

Online Safety Act 2023, Part 3 (children's risk assessment and safety duties)

In force

Online Safety Act 2023, c. 50, ss. 11-12 (Part 3)

Effective 2024-01-10 · Applies to private

Requires providers of user-to-user services and search services likely to be accessed by children in the UK to carry out children's risk assessments and to use proportionate measures, including age verification or age estimation where appropriate, to prevent children encountering primary priority content harmful to children such as pornography, self harm, suicide, and eating disorder content. Sections 11 and 12 came into force on 10 January 2024.

Age threshold18
Verification methodsfacial estimation, gov id, third party service, self declaration
PenaltiesFines up to the greater of GBP 18,000,000 or 10 percent of qualifying worldwide revenue.
Enforcement bodyOfcom

Litigation: Ofcom confirmation decision against AVS Group Ltd. Ofcom found AVS Group's photo upload age check lacked liveness detection and could be circumvented by children, in breach of section 12, and imposed a GBP 1,000,000 fine plus a GBP 50,000 fine for failing to respond to a statutory information request, with a running penalty of GBP 1,000 per day for continuing non-compliance. Confirmation decision dated 3 December 2025.

Source: Online Safety Act 2023, c. 50, ss. 11-12 (Part 3)

Ofcom Protection of Children Codes of Practice

In force

Protection of Children Codes of Practice (illegal content and user-to-user/search services), Ofcom, April to July 2025

Effective 2025-07-25 · Applies to private

Sets out the measures Ofcom expects user-to-user and search services likely to be accessed by children to adopt to comply with the Online Safety Act's children's safety duties, including age assurance, safer default settings and algorithms, and content moderation; providers that follow the Codes are treated as compliant. Ofcom published the final Codes on 24 April 2025; providers had to complete children's risk assessments by 24 July 2025 and have risk mitigation measures in place from 25 July 2025, after the Codes completed the required Parliamentary process.

Verification methodsfacial estimation, gov id, third party service, device signal, self declaration
PenaltiesFines up to the greater of GBP 18,000,000 or 10 percent of qualifying worldwide revenue; business disruption measures for serious or repeated breaches.
Enforcement bodyOfcom

Source: Protection of Children Codes of Practice (illegal content and user-to-user/search services), Ofcom, April to July 2025