Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services
Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by Ofcom to be accessible by children. As such, you are required to carry out comprehensive and onerous compliance assessments, mandated by Ofcom, including the children’s access assessment and the children’s risk assessment, and then to implement adequate mitigation measures. Implementing highly effective age assurance measures now will circumvent the requirement to carry out a detailed children’s access assessment (short of documenting the age assurance methods selected and the reasons for doing so) and to carry out the children’s risk assessment at all. It is suggested that U2U and search service providers, whose commercial strategy is directed at adults and not children, consider whether implementing highly effective age assurance measures is preferable to undertaking these assessments.
On 16 January 2025, in further phased implementation of the Online Safety Act 2023 (OSA), Ofcom published guidance on how Part 3 service providers can implement “highly effective” age assurance methods and processes to prevent children from accessing harmful content online.
As a reminder, Part 3 services are:
(i) U2U services, that are internet services that permit users to create, upload and/or share content on the service that can be encountered by other users of the service, and may include (but are not limited to):
- social media services;
- video-sharing services;
- online marketplaces;
- discussion forums;
- messaging services (other than SMS and email);
- reviewing services (but not sites that only allow users to post comments or reviews on the service provider’s content); and
- gaming services.
(ii) Search services, that allow users to search content from across the internet (search services that permit a search of only one website or database are not covered).
The guidelines are titled “Guidance on highly effective age assurance – For Part 3 services”, and can be found here (the Guidelines).
The Guidelines come in tandem with Ofcom announcing that services that were operating as Part 3 services on or before 16 January 2025 have three months, i.e. until 16 April 2025, to complete their first children’s access assessment to establish whether their services or a part of their services are likely to be accessed by children. Note that if the service provider provides more than one Part 3 service, it is required to carry out children’s access assessments in respect of each Part 3 service.
Ofcom has made clear that it will only be possible to conclude that children will not access a service if the service provider uses highly effective age assurance methods and processes to ascertain that children will not access the service.
The Guidelines come in the wake of the investigation into the Southport murders, with questions being asked on whether a safer internet may have avoided this tragedy. There is understandably a spotlight on protecting children from harmful content online and we can expect that Ofcom will crack down in this regard under the auspices of the OSA.
Insofar as a Part 3 service provider allows user-generated pornographic content, it must implement age assurance methods and processes to prevent children from accessing such content by July 2025 at the latest.
For Part 3 service providers that ban pornography on their platforms, the implementation of highly effective age assurance methods and processes may not be mandatory. Ofcom’s draft Children’s Safety Codes and guidance suggest that whether services must use highly effective age assurance depends on whether they prohibit certain types of harmful content and the risk of it appearing on their platform.
Even where not required, implementation of age assurance measures has the following potential benefits in that the Part 3 service provider:
- Does not need to undertake a stage 2 children’s access assessment (if stage 1 concludes that children can access the service, a stage 2 assessment is required to establish whether the child user condition is met i.e. if there is a significant number of children who are users of the service and/or the service is of a kind likely to attract a significant number of users who are children. Note however that unless there is a significant change to the service, a children’s access assessment will need to be carried out again within a year); and
- Does not need to undertake a children’s risk assessment and implement any other mitigation steps required under the OSA. We note in this regard that Ofcom intends to publish its final Protection of Children Codes and children’s risk assessment guidance in April 2025 – Ofcom has indicated that there will be a three-month window that begins ticking from then for Part 3 service providers to complete the children’s risk assessment.
It is therefore crucial for Part 3 service providers to understand the Guidelines and their compliance requirements, and to make a considered decision regarding implementation of age assurance measures now.
What do the Guidelines say?
Implement age assurance methods and processes
The Guidelines make clear that putting in place age assurance methods and processes is not enough on its own – as the title of the Guidelines indicates, those methods and processes must be highly effective in determining whether a user is a child.
Ofcom provides the following guidance:
- Effective age assurance methods include but are not limited to: open banking (i.e. a bank confirming that the user is over 18), photo ID matching (i.e. the user’s face on screen matched against a verified photo ID document), facial age estimation, mobile network operator (MNO) age checks (MNOs have content restriction filters that can only be removed if their customer proves they are over 18), credit card checks (as users must be over 18 in UK to be issued a credit card), email based age estimation (through a solution provider analysing the types of services the user is accessing), and digital identity service checks.
- Age assurance methods that are not capable of being highly effective include but are not limited to: self-declaration of age, reliance on payment methods that do not require a person to be over 18, and general contractual restrictions and disclaimers.
- Service providers must implement measures to avoid circumvention of age assurance methods and processes.
- Service providers should ensure that the age assurance methods selected comply with each of the following criteria: technical accuracy, robustness, reliability, and fairness, and that the process selected as a whole complies with all of the four criteria.
- Alongside satisfying the criteria, service providers must also apply principles of accessibility (ensuring that the age assurance methods are easy to use and work for all users) and interoperability (service providers must stay up-to-date with technological developments and the capability for these systems to communicate with one another, in order to reduce the burden on users).
The Guidelines provide further guidance on the meaning of the above methods, criteria and principles, but, notably, the Guidelines are not prescriptive; nor do they set a numerical threshold for what counts as “compliant”.
Part 3 service providers must self-assess and be ready to justify and provide evidence for their reasons for selecting and implementing certain age assurance processes, which will need to be recorded as part of stage 1 of the children’s access assessment. Care and thoughtful consideration of the Guidelines, and the potential for harm to children, will be key to compliance.
Keep a written record
The Guidelines provide that the written record must be dated, durable, accessible, easy to understand and in English (or in Welsh for service providers based in Wales).
The written record must also record how the Part 3 service provider has had regard to protecting UK users from a breach of privacy and data protection laws (see section titled “Navigate privacy and data protection laws” below).
Careful documentation will be key to evidencing compliance; and care should be taken in preparing the record which may be scrutinised by Ofcom.
Navigate privacy and data protection laws
It is clear that these age assurance methods require accessing or collecting more personal data about users. Part 3 service providers are therefore required to have regard to, and to record in their written record details of how they have complied with, privacy and data protection laws in implementing age assurance methods and processes.
Service providers should refer further to the Children’s Code (see here) and the Opinion on Age Assurance for the Children’s Code (see here) of the UK data regulator, the Information Commissioner, in this regard. Implementing these methods will certainly require a data protection impact assessment to be undertaken and privacy diligence of the service provider’s solution.
Note that any perceived non-compliance with privacy and data protection principles may be referred by Ofcom to the Information Commissioner’s Office, with potential for exposure to penalties for non-compliance with privacy laws and UK GDPR.
Ofcom assessment and penalties for non-compliance
Ofcom can take enforcement action against regulated service providers that have failed to comply with their obligations under the OSA, which includes imposing financial penalties of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater.
We have noted above that the Guidance provided is descriptive and not prescriptive, with the need to be pragmatic in the approach to compliance. It remains to be seen how Ofcom will investigate and enforce non-compliance and whether the recent spotlight on harm to children online will make any perceived breach of the relevant duties even more egregious. Ofcom has noted the need for a higher level of protection for children than for adults and has stated that it will consider the potential of the relevant conduct to harm children when considering whether or not to take enforcement action.
Ofcom gave an early indication of its willingness to take action by fining MintStars Ltd (MintStars) £7,000 for failing to adequately protect children from accessing online pornography. MintStars is a platform which allows creators to share content, including adult content, with subscribers. The fine was imposed under the video-sharing platform (VSP) regime implemented in the Communications Act 2003. The VSP regime will be repealed after Ofcom’s codes for the protection of children come into force (i.e. no earlier than April 2025).
In a statement from Dame Melanie Dawes, Ofcom’s Chief Executive, she said “We’ll be monitoring the response from industry closely. Those companies that fail to meet these new requirements can expect to face enforcement action from Ofcom.”
Takeaways: