Ofcom Guidance on Highly Effective Age Assurance and Other Part 5 Duties
In force
Statement: Age Assurance and Children's Access, Ofcom, published 16 January 2025
Effective 2025-01-17 · Applies to private
Ofcom's statutory guidance under section 82 of the Online Safety Act 2023 sets out what counts as highly effective age assurance for Part 5 pornography providers, naming photo ID matching, facial age estimation, credit card checks, open banking checks, and mobile network operator checks as capable methods, and stating that self declaration or a basic checkbox is not sufficient.
| Verification methods | gov id, facial estimation, transactional data, third party service, device signal |
| Enforcement body | Ofcom |
Source: Statement: Age Assurance and Children's Access, Ofcom, published 16 January 2025
Online Safety Act 2023, Part 5 (duties of providers of regulated provider pornographic content)
In force
Online Safety Act 2023, c. 50, ss. 79-82 (Part 5)
Effective 2025-01-17 · Applies to private
Requires providers that publish or display their own, non-user-generated pornographic content to ensure, using age verification or age estimation or both, that children cannot normally encounter that content. The method used must be highly effective at correctly determining whether a user is a child, and providers must keep written records and publish a public statement on the methods used. The duty in section 81 came into force on 17 January 2025.
| Age threshold | 18 |
| Verification methods | gov id, facial estimation, digital id, third party service, transactional data |
| Penalties | Fines up to the greater of GBP 18,000,000 or 10 percent of qualifying worldwide revenue, plus daily penalties for continuing non-compliance and potential business disruption measures. |
| Enforcement body | Ofcom |
| Private suits | no |
Litigation: Ofcom investigation into Itai Tech Ltd (Undress.cc nudification site). Ofcom found the provider failed to use highly effective age assurance to prevent children encountering pornographic content and imposed a GBP 50,000 fine, plus a GBP 5,000 fine for failing to respond to a statutory information request, decision published 20 November 2025.
Source: Online Safety Act 2023, c. 50, ss. 79-82 (Part 5)
Age Appropriate Design Code (Children's Code)
In force
Data Protection Act 2018, ss. 123-125; Age Appropriate Design Code of Practice, Information Commissioner's Office
Effective 2020-09-02 · Applies to private
Requires providers of information society services likely to be accessed by children in the UK to apply 15 standards of age appropriate design, such as privacy by default, data minimisation, and not using nudge techniques that weaken children's privacy protections, under a statutory code of practice issued by the Information Commissioner under the Data Protection Act 2018. The code came into force on 2 September 2020 with a 12 month transition period ending 2 September 2021, after which the Commissioner and courts must take it into account when assessing UK GDPR compliance.
| Age threshold | 18 |
| Verification methods | self declaration, facial estimation, gov id |
| Penalties | Enforcement under UK GDPR: fines up to the greater of GBP 17,500,000 or 4 percent of global annual turnover for the most serious infringements. |
| Enforcement body | Information Commissioner's Office |
| Private suits | no |
Source: Data Protection Act 2018, ss. 123-125; Age Appropriate Design Code of Practice, Information Commissioner's Office
Online Safety Act 2023, Part 3 (children's risk assessment and safety duties)
In force
Online Safety Act 2023, c. 50, ss. 11-12 (Part 3)
Effective 2024-01-10 · Applies to private
Requires providers of user-to-user services and search services likely to be accessed by children in the UK to carry out children's risk assessments and to use proportionate measures, including age verification or age estimation where appropriate, to prevent children encountering primary priority content harmful to children such as pornography, self harm, suicide, and eating disorder content. Sections 11 and 12 came into force on 10 January 2024.
| Age threshold | 18 |
| Verification methods | facial estimation, gov id, third party service, self declaration |
| Penalties | Fines up to the greater of GBP 18,000,000 or 10 percent of qualifying worldwide revenue. |
| Enforcement body | Ofcom |
Litigation: Ofcom confirmation decision against AVS Group Ltd. Ofcom found AVS Group's photo upload age check lacked liveness detection and could be circumvented by children, in breach of section 12, and imposed a GBP 1,000,000 fine plus a GBP 50,000 fine for failing to respond to a statutory information request, with a running penalty of GBP 1,000 per day for continuing non-compliance. Confirmation decision dated 3 December 2025.
Source: Online Safety Act 2023, c. 50, ss. 11-12 (Part 3)
Ofcom Protection of Children Codes of Practice
In force
Protection of Children Codes of Practice (illegal content and user-to-user/search services), Ofcom, April to July 2025
Effective 2025-07-25 · Applies to private
Sets out the measures Ofcom expects user-to-user and search services likely to be accessed by children to adopt to comply with the Online Safety Act's children's safety duties, including age assurance, safer default settings and algorithms, and content moderation; providers that follow the Codes are treated as compliant. Ofcom published the final Codes on 24 April 2025; providers had to complete children's risk assessments by 24 July 2025 and have risk mitigation measures in place from 25 July 2025, after the Codes completed the required Parliamentary process.
| Verification methods | facial estimation, gov id, third party service, device signal, self declaration |
| Penalties | Fines up to the greater of GBP 18,000,000 or 10 percent of qualifying worldwide revenue; business disruption measures for serious or repeated breaches. |
| Enforcement body | Ofcom |
Source: Protection of Children Codes of Practice (illegal content and user-to-user/search services), Ofcom, April to July 2025