Online Safety

UK Online Safety Act: Ofcom publishes guidance on age assurance and children's access assessments

Published on 4th Feb 2025

Publication kicks off the child protection part of the regime

Young boy gaming, wearing headset and looking at screen

Amid indications from some tech companies that they will be refining and streamlining their content moderation policies in a bid to avoid accidental censorship, at least in the US, Ofcom published its statement on Age Assurance and Children’s Access Assessments. This comprises three sets of guidance and marks the first step in its implementation of the child protection provisions of the Online Safety Act 2023 (OSA). This follows Ofcom's publication of guidance and codes of practice in relation to illegal content, at the end of last year.

Children's access assessments guidance

The OSA requires all in-scope service providers to undertake a children's access assessment to gauge, on an annual basis, whether their service is likely to be accessed by children.

Now that the guidance has been published in final form, in-scope services have three months in which to complete their assessments, that is, by 16 April 2025. Those services that do conclude that they are likely to be accessed by children will come within scope of the child harms duties under the OSA (and therefore be subject to further risk assessment duties and codes of practice measures).

The guidance sets out a two-stage process that providers should follow to assess whether children are likely to access their services: the first being age assurance, and the second, a "child user condition".

'Highly effective' age assurance

The guidance stipulates that a provider should only decide that it is not possible for children to access their service if they have "highly effective" age assurance in place, as well as effective access controls to prevent users from accessing a service unless they have been identified as adults.

If children can only access part of a service, the provider must carry out a children's access assessment for that part of the service. In addition, if a provider provides more than one in-scope service then it must carry out separate children's access assessments for each service.

Ofcom has also published guidance on what constitutes "highly effective" age assurance, which provides a non-exhaustive list of age assurance methods (systems or technology that underpin an age assurance process) that it considers capable of being "highly effective" at correctly determining whether a user is a child. These include photo-ID matching, facial age estimation, mobile-network operator age checks, email-based age-estimation and the use of digital identity services.

Age assurance methods considered to be not "highly effective" include self-declaration of age, payment methods (such as using a debit card) for which the card holder does not have to be 18 years of age, warnings and disclaimers that users must be over 18, and general contractual restrictions (for example, terms and conditions which say the service is for over-18s but do not provide any additional age assurance).

The guidance also provides four criteria that the age assurance process (the process through which the age assurance method is implemented) must fulfil to be "highly effective". These are:

  • Technical accuracy – the degree to which an age assurance method can correctly determine the age of a user under test lab conditions.
  • Robustness – the degree to which an age assurance method can correctly determine the age of a user in actual deployment contexts.
  • Reliability – the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence.
  • Fairness – the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes.

The age assurance process must also be easy to use and work for children of different ages and different needs. 

Moving to the second stage

If these requirements are met and "highly effective" age assurance and effective access controls are in place, the provider can end the child access assessment at this point. However, a provider will need to move on to stage two if:

  • It does not use any kind of age assurance on its service.
  • It uses age assurance to prevent children from accessing the service (or part of the service) but it is not "highly effective".
  • The age assurance used does not actually ensure that children are not normally able to access the service. For example, there are methods of circumvention that are easily accessible to children.
  • It uses "highly effective" age assurance, but still allows children to access the service, or certain parts of the service. For example, the service only limits children's access to certain features, functionalities or content or if access controls are not used alongside the age assurance process.

Child user conditions

At this second stage, a provider must consider whether either one of the "child user conditions" is met, that is:

  • a significant number of children are using the service; and/or
  • the service is of a kind likely to attract a significant number of children.

The OSA does not define "significant number" of children, but the guidance suggests that it is likely to depend on the nature and context of the service. Providers are advised to take a holistic view and consider whether a material proportion of children use the service. This means that even a relatively small number of children using a service could amount to a "significant number" in a certain context. Providers are also advised to err on the side of caution, given the objective of the OSA to ensure a higher standard of protection for children.

The guidance sets out a non-exhaustive list of indicative factors that providers should consider, including: (i) whether the service provides benefits to children; (ii) whether the content or design is appealing to children; and (iii) whether children form part of the provider's commercial strategy.

Providers can also consider other sources of evidence, such as internal evidence on reports and complaints of under-age users and statistics on the removal of under-age accounts, as well as external evidence, such as market research and evidence from third party trackers of child media consumption.

If the child user condition criteria are not met, then the provider's service can be considered not likely to be accessed by children. However, the provider is still required to repeat the access assessment every 12 months.

In addition, if the provider makes any significant change to any aspect of the service’s design or operation to which a child access assessment is relevant or evidence comes to light of reduced effectiveness of age assurance or of a significant increase in the number of children using the service, then the provider is required to carry out a new children's access assessment.

Child safety duty timescales

If a provider finds that its service meets one or both of the child user condition criteria then it will come within the scope of the child safety duties under the OSA and the provider will have to carry out a children's risk assessment and put safety measures in place.

These duties will come into force once Ofcom publishes guidance on carrying out a children's risk assessment and its final code of practice on the protection of children, expected in April 2025. A three month deadline will apply, meaning that services likely to be accessed by children will have to conduct their children's risk assessment by July 2025.

Depending on where the service gets to in its children's risk assessment, the recommended safety measures (to be set out in the code of practice) may include the introduction of age assurance processes, alongside other protective processes.

Pornographic content

With its statement, Ofcom also published guidance for services that publish "regulated provider pornographic content", which includes AI-generated content, and are therefore in scope of the Part 5 duties in the OSA.

This publication marked (from 17 January 2025) the start of the Part 5 duties, which include implementing "highly effective" age assurance processes immediately to ensure that children are not normally able to encounter pornographic content.

Services that host user-generated pornographic content must have fully implemented age checks in place by July 2025 at the latest.

Osborne Clarke comment

With this publication following closely on the heels of the illegal content publications, OSA compliance requirements have really begun to kick in.

Providers only have until mid-March to complete their illegal content risk assessments and mid-April to complete their children's access assessments, which is not long, given that all of this is new.

It is vital, therefore, that in-scope providers keep abreast of the strict deadlines. For services who are seeking to rely on age assurance to fall outside the scope of the child harms part of the OSA regime entirely, it will be vital for them to ensure that their age assurance measures are "highly effective". Ofcom has made it clear that it stands ready to use the full extent of its enforcement powers and is gearing up to take early action against any services that do not comply.

Share
Related articles
Ofcom publishes final illegal content risk assessment guidance and codes of practice under UK Online Safety Act
04/02/2025 7 mins
Online Safety Act 2023: time to prepare as UK's Ofcom confirms start of illegal content duties
29/10/2024 4 mins
The UK Online Safety Act: Top 10 takeaways for online service providers
22/11/2023 9 mins
UK Online Safety Act: Ofcom launches its first consultation on illegal harms
21/11/2023 4 mins
Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up