The Information Commissioner’s Office (ICO) and Ofcom have published a joint statement on the principal areas of interaction between the Online Safety Act 2023 (“OSA”) and data protection law as they relate to age assurance.
Protecting children is not only a societal issue but a business imperative for those organisations which target, or whose services are likely to be accessed by, children. The statement reflects the updated data protection requirements for services handling children’s data under the Data (Use and Access) Act 2025, building upon previous ICO-Ofcom joint statements arising from the two regulators’ collaborative work.
User-to-user services and highly effective age assurance
Under the OSA, regulated user-to-user services (e.g. social media, messaging platforms, forums) that are likely to be accessed by children are subject to a distinct set of child-specific duties of care in addition to the general duties that apply to all services. Such services must use highly effective age assurance (“HEAA”) to prevent children from encountering harmful content on their platforms. HEAA is a central concept of the OSA – it is the standard service providers must meet when checking users’ ages to protect children.
Ofcom’s criteria: what makes an age check “highly effective”?
Ofcom defines HEAA using four core criteria:
- Technical accuracy
- Robustness
- Reliability
- Fairness
While having regard to:
- Accessibility
- Interoperability
What methods can meet the HEAA standard, and which do not?
Ofcom identifies methods capable of meeting the HEAA standard, including credit card verification, open banking verification, photo ID checks with facial matching, facial age estimation, mobile network operator age checks, digital identity services (e.g. ID wallets), and email-based age estimation. Ofcom’s guidance gives service providers some flexibility to choose age assurance method(s) appropriate to their specific context, including size, user base, and available resources, provided they can demonstrate that the method(s) selected meet the four criteria set out above.
According to Ofcom, the following methods do not meet the HEAA standard, as they are not “highly effective” and cannot be relied on: self-declaration of age (e.g. an “I am over 18” tick box), simple acceptance of terms and conditions, and other weak methods that are easily bypassed. Service providers should take steps, where possible, to mitigate circumvention. Ofcom may investigate and take enforcement action where services fail to take appropriate steps to protect children.
How does HEAA fit into the wider regulatory framework?
HEAA is not a standalone obligation – it interacts with other duties:
- It underpins the children’s access assessment.
- It enables compliance with content restrictions.
- It must also comply with data protection law (UK GDPR).
The statement gives detailed emphasis to the data protection position, underlining that all age assurance methods involve the processing of personal data and must therefore be necessary, proportionate, and compliant with UK GDPR principles.
Where a service has set a minimum age, the organisation will generally have no lawful basis for processing the personal data of underage users, making an effective age gate the clearest means of preventing unlawful processing. The ICO also considers that profiling is not currently an effective method of preventing underage access.
Platforms must ensure that any assurance measure complies with core data protection requirements, including:
- A valid lawful basis for processing
- Fairness and transparency
- Purpose limitation and data minimisation
- Accuracy
- Storage limitation
- Security
- Accountability, including ongoing review.
Where a service cannot establish a user’s age with sufficient certainty for the level of risk involved, it must apply the ICO’s Children’s code standards to all users.
What are the ICO’s Children’s code standards?
The Children’s code (or the Age-appropriate design code) contains 15 standards that online services need to follow. Following them ensures that services comply with their obligations under data protection law to protect children’s data online.
Online services covered by the code are wide ranging and include:
- Connected toys and devices; and
- New services.
If children are likely to access your service, even if they are not your target audience or user, then your business needs to consider the Children’s code. The code applies to “information society services likely to be accessed by children”.
While the law and guidance in this area have the most obvious impact on the large social media companies, other organisations focused on children and young people (including those in the charity sector) are likely to be impacted too and should review their processes in light of the ICO/Ofcom joint statement. If you have any questions arising from this article or about data protection more generally, please contact Roanna Landor on [email protected].