\n To print this article, all you need is to be registered or login on Mondaq.com.
\n <\/p>\n
Article Insights<\/p>\n
Lewis Silkin are most popular: <\/p>\n
\n within Cannabis & Hemp topic(s)
\n in United Kingdom
<\/p>\n
The regulatory landscape for age assurance is changing more rapidly than ever. Globally, legislators and regulators are intensifying efforts to protect children online.<\/p>\n
At the very heart of the debate is making sure that age assurance is fit for purpose: it should protect children from harmful content while preserving free expression, privacy and anonymity for users wishing to access lawful content. Age assurance is effectively how services decide if a user is a child and if they should apply enhanced protections.<\/p>\n
Regulators, governments and industry alike have acknowledged age assurance technology is still developing but it\u2019s clear that it\u2019s no longer acceptable for global businesses operating digital products or services that may be accessed by children to simply ask users to declare their own age.<\/p>\n
We look at the key legal and regulatory developments shaping age assurance across the UK and EU and suggest practical steps for businesses to meet their current and forthcoming obligations.<\/p>\n
UK developments: the regulatory bar is rising<\/p>\n
The UK\u2019s regulatory framework centres on the\u00a0ICO\u2019s Age Appropriate Design Code<\/a>\u00a0(Children\u2019s Code) and the\u00a0Online Safety Act 2023<\/a>\u00a0(OSA)\u00a0enforced<\/a>\u00a0by Ofcom. The\u00a0UK GDPR<\/a>\u00a0and the\u00a0Data (Use and Access) Act 2025<\/a>\u00a0further strengthen protections for children online.<\/p>\n Ofcom and the Online Safety Act 2023<\/p>\n The OSA requires service providers to implement age assurance to ensure that children are not normally able to encounter harmful content. The age assurance deployed must be “highly effective” at correctly determining whether a user is a child \u2013 a standard with significant implications for the technologies businesses choose to deploy (see our article\u00a0here<\/a>).<\/p>\n In 2025, Ofcom required services in scope of the OSA to complete children\u2019s access assessments, children\u2019s risk assessments and to have measures in place to ensure that children could not access pornography and harmful material.<\/p>\n Ofcom’s enforcement position has hardened considerably. It has extended its\u00a0age assurance enforcement programme<\/a>\u00a0to all platforms allowing users to share pornographic material and has launched a dedicated monitoring and impact programme for the largest platforms. Ofcom has also issued its first OSA financial penalty \u2013 a\u00a0\u00a31 million fine<\/a>\u00a0for an adult website provider for failing to have robust age checks in place.<\/p>\n Perhaps most significantly, on 12 March 2026,\u00a0Ofcom<\/a>\u00a0wrote to major technology platforms requiring them to enforce their minimum age policies using highly effective age assurance, giving the platforms until 30 April 2026 to report on the specific actions they intend to take.<\/p>\n Businesses should regard this not as a routine piece of regulatory correspondence but as a clear precursor to enforcement action against platforms that fail to act.<\/p>\n On 26 March 2026, Ofcom and the ICO issued a joint statement on the interaction between online safety and data protection as they relate to age assurance\u00a0(see below).<\/a><\/p>\n The regulators are collaborating and clarifying their enforcement approach, reducing any potential wiggle room for businesses. If you are in scope, you need to act now. Beyond monetary penalties, the reputational damage from non-compliance may be significant.<\/p>\n The ICO’s Children’s Code and finally fines!<\/p>\n The ICO’s\u00a0Children’s Code<\/a>\u00a0translates data protection duties into practical design principles and privacy features. Its core requirement is appropriate age assurance.<\/p>\n After the Children\u2019s Code took effect, the ICO initially adopted a collaborative approach, working with platforms to drive compliance. It has some\u00a0success stories<\/a>\u00a0where the ICO\u2019s intervention has driven meaningful behavioural change, as well as international collaboration, e.g. an agreed common international approach to\u00a0age assurance<\/a>\u00a0with ten national data protection regulators. The ICO also issued an updated Opinion on Age Assurance explaining how services and age assurance providers can use the technology in compliance with data protection law in a risk-based and proportionate way.<\/p>\n On 1 December 2025, the ICO published its\u00a0Children’s Code Strategy progress update<\/a>, reporting on its review of age assurance practices across 17 platforms popular with children in the UK. It also announced a targeted monitoring programme focused on platforms relying primarily on self-declaration as their sole age assurance mechanism.<\/p>\n 2026 heralded a new phase, the time for talking is over and the ICO is ready to enforce. The UK Government launched a consultation on whether to\u00a0ban social media for under 16s<\/a>\u00a0and the Prime Minister met senior leaders from major social media companies to demand they “step up and take responsibility” for children\u2019s online safety, signalling if they fail to do so new powers will be used to address parents\u2019 concerns and strengthen protections for children.<\/p>\n The ICO is also actively enforcing with a\u00a0\u00a3247,590<\/a>\u00a0fine for MediaLab\/Imgur for failing to implement any age checks and Reddit fined\u00a0\u00a314.47 million<\/a>\u00a0for failing to implement age assurance measures and processing children’s personal information unlawfully. The Reddit decision is particularly significant as despite maintaining a policy prohibiting users under 13 from using the platform, Reddit failed to implement any age verification measures until July 2025 and even then, relied only on self-declaration.<\/p>\n On 12 March 2026, the ICO issued an\u00a0open letter<\/a>\u00a0to social media and video-sharing platforms, calling on them to strengthen age assurance measures and move beyond self-declaration. On 25 March the ICO and Ofcom published their joint statement on age assurance\u00a0(see below)<\/a>\u00a0and on 7 April the ICO launched the\u00a0Switched on to privacy campaign<\/a>\u00a0to help parents discuss protecting children\u2019s personal information online, including age settings. It is clear the ICO is taking a holistic approach to protecting children online.<\/p>\n Joint statement from Ofcom and the ICO<\/p>\n The Ofcom\/ICO\u00a0joint statement<\/a>\u00a0resolves much of the uncertainty around how service providers should reconcile their OSA duties with data protection obligations. It deserves careful analysis by any business deploying or considering age assurance technology.<\/p>\n Unsurprisingly, the statement confirms, in unequivocal terms, that self-declaration alone is not considered effective for verifying age, nor restricting underage access. This co-ordinated position signals businesses cannot play one regulator off against the other, e.g. by arguing that data protection concerns justify a lighter-touch approach to age assurance.<\/p>\n Both regulators set out a shared flexible, technology-neutral approach, confirming that services may choose the most appropriate age assurance method for their context, as long as it is effective and proportionate to the risks involved. They use four criteria to assess highly effective age assurance (HEAA): technical accuracy, reliability, robustness and fairness, alongside broader considerations of accessibility and interoperability.<\/p>\n Helpfully, the statement says that open banking verification, photo ID matching, facial age estimation, mobile network operator age checks and digital identity wallets can meet the HEAA standard. By contrast, the regulators confirm that self-declaration, debit card verification and general contractual restrictions in terms of service are not acceptable.<\/p>\n Where a service cannot reliably establish a user’s age that is appropriate to the risks that arise from the data processing, the regulators expect the Children’s Code standards to apply to all users as a default baseline. This creates a powerful incentive for businesses to invest in robust age assurance, as the alternative is to apply child-safe defaults to the entire user base.<\/p>\n The statement also emphasises the importance of conducting and reviewing data protection impact assessments (DPIAs) that you must conduct before you process data. If you haven\u2019t looked at your DPIA recently, now would be the time to revisit it and make sure that you\u2019ve addressed the evolving risks and that you comply with the recent regulatory statements.<\/p>\n EU developments: towards a harmonised framework<\/p>\n The EU is building a harmonised framework for age assurance driven by the\u00a0Digital Services Act<\/a>\u00a0(DSA), the\u00a0GDPR<\/a>, the European Data Protection Board\u2019s (EDPB)\u00a0Statement on Age Assurance<\/a>\u00a0and the European Commission’s\u00a0age verification blueprint<\/a>. Its approach differs from the UK in certain respects, most notably in its emphasis on privacy-preserving technical architecture. However, the direction of travel is strikingly consistent, service providers must do more to identify and protect children.<\/p>\n GDPR and the EDPB Statement on Age Assurance<\/p>\n Under\u00a0Article 8<\/a>\u00a0of the GDPR processing personal data of children under 16 (or as low as 13, depending on the Member State) by information society services requires parental consent, implicitly requiring service providers to make reasonable efforts to assess users’ ages.<\/p>\n On 11 February 2025, the\u00a0EDPB adopted a statement on age assurance<\/a>, setting out high-level principles derived from the GDPR, including lawfulness, data minimisation, risk-based approaches and data protection by design and default. The EDPB’s approach complements the\u00a0ICO’s Opinion on age assurance<\/a>, though the ICO provides more detailed guidance on particular age assurance methods and examples of implementation through published\u00a0case studies<\/a>.<\/p>\n The DSA and the protection of minors<\/p>\n The DSA places binding obligations on online platforms to mitigate risks to children, including exposure to harmful or inappropriate content.\u00a0Article 28<\/a>\u00a0of the DSA requires online platforms to take appropriate and proportionate measures to ensure a high level of safety, privacy and security of minors and prohibits the targeting of minors with personalised advertising.<\/p>\n On 14 July 2025, the EU Commission published its\u00a0DSA guidelines on protecting children online<\/a>, clearly setting out its expectations. The guidelines recommend age verification for adult content platforms and other platforms posing high risks to minors and specify that age assurance methods should be accurate, reliable, robust, non-intrusive and non-discriminatory. The EU Commission also issued a prototype of an age verification app, known as the age verification blueprint\u00a0(see below)<\/a>, work on which is ongoing.<\/p>\n For businesses operating across both the UK and EU, there is significant alignment between the two regimes. A provider complying with Ofcom\u2019s guidance under the OSA is likely to meet most DSA requirements though nuances exist, e.g. EU guidance covers loot boxes, while the OSA does not. For more details see our legislative comparison table\u00a0here<\/a>.<\/p>\n The EU Age Verification Blueprint<\/p>\n The EU Commission\u2019s\u00a0age verification blueprint<\/a>\u00a0outlines a common technical framework for privacy-preserving age checks. Its core principle is that a user’s age status should be verified without disclosing the user’s identity to the service provider. In other words, no underlying identity data is transmitted to websites or platforms and the system is designed in accordance with data minimisation and privacy by default principles.<\/p>\n A\u00a0second version<\/a>\u00a0of the blueprint was published in October 2025, adding onboarding using passports and ID cards and support for the Digital Credentials API. Pilot testing is underway in Denmark, France, Greece, Italy, Spain, Cyprus and Ireland. On 15 April 2026, the EU Commission\u00a0announced<\/a>\u00a0its free age verification app was \u201ctechnically ready\u201d and would be \u201csoon available\u201d to citizens to use, stating \u201cthere are no more excuses\u201d and the EU is ready to enforce and hold accountable online platforms that do not protect children.<\/p>\n The blueprint is also closely linked to the\u00a0EU Digital Identity Wallet<\/a>, which is due to be rolled out by the end of 2026. It could offer a single, interoperable age verification solution, but the timeline for full deployment is uncertain and businesses should not delay compliance action in anticipation of the wallet’s arrival.<\/p>\n National regulatory activity across the EU Member States<\/p>\n Notwithstanding the EU’s push towards harmonisation, several Member States have moved ahead with national age assurance requirements that in some cases go beyond the DSA and GDPR, e.g. in December 2023, the Spanish DPA published\u00a0guidance on age verification and protection of minors from inappropriate content<\/a>\u00a0and Germany issued joint guidance in October 2024\u00a0proposing nine principles for building an age verification system<\/a>.<\/p>\n France has been particularly proactive, with the CNIL publishing an\u00a0analysis<\/a>\u00a0of online age verification in September 2022, and more recently adopting the\u00a0SREN Law<\/a>\u00a0requiring providers of adult content to verify that users are over 18. Arcom\u2019s\u00a0mandatory technical standard<\/a>\u00a0for age verification systems for pornographic sites became applicable in January 2025, with penalties of up to \u20ac150,000 or 2% of worldwide annual turnover, whichever is higher, for non-compliance.<\/p>\n A growing number of EU Member States are pursuing minimum age requirements for social media. The European Parliament’s IMCO Committee has urged an EU-wide “digital minimum age” of 16, without parental consent, for social media, video-sharing platforms and AI companions. Proposed national minimum ages include Austria (14), Denmark (15), France (15), Spain (16) and Greece (15).<\/p>\n