Big changes for little surfers: OSA age assurance guidance published and child safety obligations commence entry into force

On 16 January 2025, Ofcom published its statement on highly effective age assurance and children's access assessments under the Online Safety Act (the OSA), confirming its decisions on the implementation of these key provisions of the OSA, following a consultation process. The publication of this statement kickstarts the entry into force of the first child safety obligations under the OSA and is accompanied by the publication of three pieces of regulatory guidance for service providers that are in-scope of the OSA: 

• Guidance on Children's Access Assessments, which helps user-to-user and search services to comply with their OSA obligation to assess whether their service is likely to be accessed by children. 
• Guidance on Highly Effective Age Assurance (Part 3 Services), which helps user-to-user and search services to implement highly effective age assurance for the purpose of meeting their OSA obligations, including in particular the obligation to prevent children from encountering harmful content. 
• Guidance on Highly Effective Age Assurance (Part 5 Services), which helps providers of internet services who display or publish their own pornographic content to comply with their duties under Part 5 of the OSA, including the duty to ensure, through the use of age verification, that children are not normally able to encounter such pornographic content. 

The three sets of guidance are closely connected as the guidance on children's access assessments makes it clear that a service provider can only conclude that it is not possible for children to access its service if it has implemented highly effective age assurance. Online service providers will therefore need to pay close attention to the guidance on highly effective age assurance when completing children's access assessments.

Age assurance is a set of methods used to confirm or estimate the age of users, in particular children. Implementing
effective age assurance is a notoriously complex area that service providers, regulators and lawyers alike have grappled with for many years and particularly since the introduction of the Age Appropriate Design Code (AADC) in the UK and other children’s privacy codes across the globe. Notably, Ofcom’s new guidance emphasises the importance of taking the AADC into account, as well as more generally ‘protecting user privacy’, when implementing an age assurance solution.

Ofcom’s age assurance guidance is consistent for Parts 3 and 5 of the OSA and aims to provide some clarity around what is required for age assurance to be ‘highly effective’. In particular, Ofcom lists types of age assurance that are ‘capable of’ being highly effective, including open-banking, photo-ID matching, facial age-estimation and email-based age estimation. Notably, there are some additions to this list as compared with the consultation draft of this guidance.

Though this list is helpful, there remains some uncertainty over whether age assurance methods may be sufficiently ‘highly effective’ for the purposes of the OSA. Ofcom’s guidance also provides that four criteria - technical accuracy, robustness, reliability and fairness - must be met in order for any method of age assurance to meet the required standard. In practice, meeting all of these criteria may be challenging for service providers and many of them will be reliant on guarantees from providers of age assurance solutions that appropriate testing has been carried out. Further, Ofcom’s guidance does not provide any form of numerical thresholds against which to measure whether the required criteria have been met (though many of the consultation responses requested this), meaning it may be difficult for service providers to be confident that they have met the necessary standard.

Ofcom also lists types of age assurance that are ‘not capable of’ being highly effective, including self-declaration and general contractual restrictions on use of the service by children, which is in line with the approach taken by data protection regulators.

Ofcom’s statement sets a number of tight deadlines for compliance, confirming that:

• All services that allow pornography must implement highly effective age assurance by July 2025 at the latest. However, services that publish their own pornographic content (covered under Part 5 of the OSA) must take steps to introduce these age assurance measures immediately, as these obligations take effect from 17 January 2025 following the Government’s commencement of Part 5.
• All user-to-user and search services must carry out a children’s access assessment by 16 April 2025. 

Following the April 2025 deadline for the completion of children’s access assessments, there will be no let-up for service providers whose services may be accessed by children, as Ofcom will then publish its decisions on the Protection of Children Codes. This will bring into force a requirement for services to conduct a further risk assessment regarding risks to children, again within a three month period. The code's requirements will also set out safety measures that online services can adopt to comply with the protection of children obligations under the OSA, which are expected to enter into force following the three month period to complete children’s risk assessments.

Although the OSA's entry into force is gradual, Ofcom's approach to enforcement will not be. Ofcom has already emphasised that it is ready to launch immediate enforcement action and that the protection of children from harmful content and pornography is a priority area. Service providers should therefore ensure that the relevant assessments are conducted and measures are implemented before the upcoming deadlines.