Ofcom seeks evidence on age-assurance measures and the potential regulation of app stores

The question

How effective are current age-assurance measures, and should app-store operators face direct legal duties to protect children from harmful content?

The key takeaway

Ofcom has launched a call for evidence on the effectiveness, cost and privacy impact of age-assurance solutions, as well as the role of app stores in children’s access to harmful content. The consultation closed on 1 December 2025. Ofcom will now develop two statutory reports which could shape the next phase of Online Safety Act (OSA) regulation, including whether new duties should apply to app-store operators.

The background

The Online Safety Act 2023 (OSA) came into force on 26 October 2023, introducing a new regulatory framework for online services. Under the OSA, certain “user-to-user” and search services must assess whether children are likely to access their service and, if so, comply with obligations designed to protect them from harmful content.

Ofcom’s statutory codes of practice require services within scope to use “highly effective” age-assurance measures when restricting access to the highest-risk categories of content, including pornography and material relating to suicide or self-harm. These measures sit within more than 40 child-safety obligations set out in Ofcom’s codes. Ofcom has also published detailed Part 3 guidance on age-assurance expectations.

Under the OSA, Ofcom must produce statutory reports on (1) age-assurance technologies and (2) app-store safety. The call for evidence feeds into this obligation.

The development

Ofcom’s call for evidence invites views on:

• the practical deployment of age-verification and age-estimation tools;
• the real-world effectiveness of these techniques; and
• barriers to adoption, including cost, technical constraints and privacy risks.

Concurrently, Ofcom is examining the role of app stores in enabling or mitigating access to harmful content. Areas of interest include:

• the types of age-assurance controls currently used by app stores;
• the exposure risks associated with “regulated apps” (such as social-media, search and pornography services); and
• whether there is a case for stronger regulatory oversight of app-store operators under the OSA.

Ofcom will publish its statutory report on age-assurance technologies by mid-2026, and its separate report on app stores by January 2027. Depending on the evidence received, these reports may recommend extensions to the regulatory framework, including potentially bringing app-store operators within scope of certain OSA duties. However, no such extension has yet been proposed or adopted.

Recent enforcement development: First major OSA fine

In a clear signal that Ofcom is moving from supervision to active enforcement, on 4 December 2025, the regulator imposed a £1 million fine - plus a further £50,000 - on a pornography-site operator, AVS Group Ltd, for failing to apply “robust” age verification across its 18 adult websites. Ofcom determined that AVS’s existing age-checking measures failed to reach the high threshold required under the OSA. The company was given 72 hours to implement “highly effective” age assurance or face further daily penalties. According to Ofcom, this is the largest fine to date under the new OSA regime.

Why is this important?

The consultation signals a potentially significant shift in online-safety regulation. If app-store operators become subject to OSA obligations, regulatory responsibility could move upstream, requiring platform distributors—not just content-hosting services—to adopt age-assurance controls and risk-mitigation measures.

For existing platforms, the renewed focus on age verification underscores the need to evaluate whether current tools are:

• effective in practice;
• proportionate and privacy-preserving; and
• sufficiently documented to satisfy Ofcom’s evidential expectations.

If a service falls within the OSA’s scope and fails to comply with relevant duties, enforcement action can include fines of up to £18 million or 10% of global annual turnover. The consultation therefore provides an opportunity for stakeholders to influence how far such duties - and associated penalties - should extend across the online ecosystem.

In addition, Ofcom's recent OSA fine against AVS signals that non-compliance with age-assurance obligations will attract serious enforcement action. This underlines the need for urgency in adopting age-assurance and child-safety measures by all businesses caught by the Act.

Any practical tips?

Businesses should begin preparing by:

• reviewing the robustness of existing age-assurance measures, including accuracy rates, error margins and user experience;
• conducting a privacy impact assessment for any biometric or inference-based age-estimation technique;
• ensuring child-safety controls are aligned with Ofcom’s Part 3 guidance;
• mapping potential impacts if app stores become subject to OSA duties (particularly relevant for platforms dependent on distribution via Apple, Google and alternative stores); and
• monitoring Ofcom’s timetable for the 2026 and 2027 statutory reports, which will inform the next regulatory phase.

Now is a good time for stakeholders to engage - both to shape Ofcom’s approach and to ensure future compliance strategies are fit for purpose. The recent AVS fine adds some urgency to these considerations.

Winter 2025