The UK’s Online Safety Act passed in 2023, giving the government power to regulate online content according to what it considers suitable for children. The change was finally implemented in July 2025. Now, websites that have content deemed unsuitable have to verify the age of users based in the UK, either by the user providing verification or using age estimation technology, before displaying the content.
While protecting children is a noble aim, there are a lot of issues with the Act. There are plenty of technical loopholes for getting through age verification, and providing verification data to third-party services can be a safety risk. There are also concerns about censorship and a growing nanny-state - they may start with protecting children, but what could be next?
Background: What is the UK Digital Age Verification?
As the supposed main aim of this act is to protect children from certain types of content, that content needs to be identified and then protected behind an age verification requirement. Types of content that are age-restricted under the act include pornographic images and content that encourages, promotes or provides instructions for eating disorders, self-harm or suicide as primary priority content, while other priority content includes abusive or hateful content, content depicting violence or injury and content promoting use of harmful substances. The idea was first introduced in the Digital Economy Act 2017, but was eventually abandoned after several delays and finally baked into the Online Safety Act instead.
There are a number of methods a website may use to ask the user to verify their age, including:
• Facial age estimation - a photo or video of your face is analysed to estimate your age
• Open banking - giving permission for the age verification service to access information on your age from your bank
• Credit card age check - providing your credit card information; you must be over 18 to obtain a valid credit card
• Email-based age estimation - online services where your email has been used (e.g. banking or utilities) are analysed to estimate your age
• Photo-ID matching - providing a photo of your ID as well as a selfie to prove you are the person on the ID
(source: Ofcom)
Websites that don’t comply with the act may be blocked in the UK. Many smaller sites have opted to close their services to the UK instead, to avoid potential massive fines for not following the law’s vague and complicated new requirements.
The Comedy of Compliance
How many people will this act actually deter from accessing the content they’re looking for? Unsurprisingly, VPNs have been topping App Store charts since the act kicked in, allowing users to disguise their location and use the Internet as if they were in another country (source: BBC). This makes bypassing age verification requirements easy.
The first days of the age verification roll-out resulted in users finding all kinds of comedic bypass methods. On some websites, the video game Death Stranding could be used to pass video selfie age estimation programs, while on others, an AI-generated ID worked. Age verification technology will evolve as these loopholes are discovered and patched up, but so will people’s will to find new ways to bypass verification - and where there’s a will, there’s a way. Internet users have always been finding loopholes and ways to bypass restrictive regulations. Once generations have grown up with infinite amounts of information and content at their fingertips, they won’t give that up easily.
The Real Risks: Sensitive Data in Third-Party Hands
Besides not wanting to give up their freedom, there are other genuine concerns people have regarding the new regulations. Since verification is usually outsourced to third-party providers, users are essentially forced to give sensitive personal data to companies they’ve never heard of. This understandably makes people nervous - who runs these companies? How tight is their security? How are they storing the data and what else is being done with it?
These are a few of the companies currently being used for age verification:
1. AU10TIX - the Israeli firm used for age estimation from selfies on X (formerly Twitter) has ties to Israeli secret service agency Shin Bet, with a privacy policy allowing use of data under the vague umbrella of “legitimate interests”. They had a major data breach in 2024.
2. Kids Web Services - used by Twitter-alternative Bluesky, this company is owned by Epic Games (producers of Fortnite), which suffered significant data breaches in 2016 and 2019. In 2022, they were fined for manipulating users and violating children’s privacy laws - and now they’re in charge of children’s safety?
3. Persona Identities Inc - the company that does age verifications for Reddit is funded by Peter Thiel’s investment company; Thiel’s company Palantir has been widely criticised for its ties with the Trump administration and US surveillance contracts. Persona itself has also faced lawsuits alleging that it retained the biometric data of food delivery drivers and that it used users’ selfies to train AI models.
Source: ByLine Times
While the government has stressed that age verification providers must comply with UK data protection laws and that this will be enough to protect users’ privacy, there is no real requirement for online platforms to choose trusted or certified providers, and no register for approved providers. This means users are generally in the dark about whether a specific website’s age verification provider really meets UK data protection laws. It should raise alarm bells for anyone who cares about data privacy and security that British internet users are now forced to hand over their data with little information about what’s really being done with it.
Collateral Damage: Censorship Beyond Adult Content
One of the biggest problems with regulations like this is that companies will prioritise avoiding large fines - so they overcensor to avoid the risk of being found non-compliant. This leads to anything sensitive from political news to sexual health resources getting flagged for age verification.
Subreddits that have been blocked include r/periods, r/stopsmoking or r/UkraineWarFootage, as well as subreddits related to LGBT topics and sexual health. Users of X have reported similar types of posts being blocked, and Wikipedia pages on “sensitive” topics have been blocked as well. This results in a lot of important information, both for adults and under-18s, becoming inaccessible. After all, just because someone is under 18 doesn’t mean they can’t be sexually assaulted - but under the new law, resources that could help them find support after an event like this are restricted.
One of the most important things the internet has given us is free and equal access to information, as well as access to like-minded communities. Often it is the people that are most vulnerable that need this access the most. For LGBT youth living in conservative environments, acceptance and community found on the internet may act as a lifeline. Young people with substance abuse issues, often from families with similar problems who are unable to support them, benefit from being able to find help on overcoming addiction online. Children who can’t access any information regarding sexual health and safety and topics around consent are more vulnerable to adults who treat them inappropriately. Keeping information away from children is not a way to protect them from harm, and it definitely isn’t something the government should be in control of.
The Democracy of the Internet Is At Stake
Complying with these types of regulations is expensive and resource-intensive. While large companies like Meta and X are able to enact wide-scale content moderation and pay for third-party verification services, many smaller websites simply can’t keep up. Independent forums on topics ranging from fatherhood to green living are shutting down their services to avoid non-compliance and large fines, as they don’t have the resources to monitor their content as thoroughly as the Online Safety Act would require.
So the issue of censorship is even deeper than we realise - it’s not just about types of content, but about providers of content. These laws give preference to large companies and leave the already declining small pockets of independent content and online communities struggling to survive. If we don’t want the whole internet to be under the control of tech billionaires, we need to act fast to stop these types of regulations from spreading even further.
To sum up, while the Online Safety Act promises to have children’s and society’s best intentions in mind, it is really an example of government censorship and a loss of democracy and freedom on the internet. Users are encouraged to give up their personal data to third-party services, leaving them vulnerable to data breaches and whatever these services decide to do with their collected data. As websites are prone to over-censoring in order to protect themselves from large fines resulting from non-compliance, both young people and adults are left unable to access useful information and resources.
At the same time, we can see how futile trying to ban people from accessing “inappropriate” things is. Just like teenagers have never had much trouble getting their hands on alcohol if they really want to, they will also always find ways to bypass internet restrictions. The youngest generations have grown up on the internet, and probably know how to use it better than the often non-tech savvy politicians that enact these laws.
The kids will keep finding new ways to find the information they want, while the government will keep scrambling to keep up and find new ways to block them. Aren’t there more important things for the UK to be spending its resources on? Also, if the UK is planning to really protect children, maybe they should have started in the real world, in Rotherham for example.
More sources:
https://www.bbc.com/news/articles/cj3l0e4vr0ko
