Ofcom and ICO joint statement on age assurance: aligning online safety and data protection obligations

Published on 11 June 2026

The question

How should businesses implement age assurance technologies in a way that simultaneously satisfies both the Online Safety Act (OSA) and UK data protection legislation?

The key takeaway

The UK's communications regulator, Ofcom, and the Information Commissioner's Office (ICO) have jointly confirmed their shared, flexible approach to age assurance, while making clear that self-declaration alone is insufficient to comply with legislation on this point. The regulators have stated that services must use robust, proportionate methods that comply with both the OSA and UK data protection law to protect children online.

The background

On 25 March 2026, Ofcom and the ICO published their most recent joint statement on age assurance for services likely to be accessed by children that are within scope of both the OSA and UK data protection legislation. Building on earlier joint statements (2022 and 2024) and reflecting changes under the Data (Use and Access) Act 2025, it aims to clarify how services can meet both regimes using a risk-based, tech-neutral approach.

The development

The statement highlights several key positions for businesses using age assurance technologies.

Self-declaration alone is no longer acceptable
Self-declaration alone is not effective for determining an individual's age or preventing underage access. Other ineffective mechanisms for this purpose include payment-based checks that do not require the user to be 18+ (e.g. debit cards) and general contractual age restrictions. The ICO also considers that attempting to establish an individual's age through automated decision making, such as profiling (i.e. automated analysis of a user's behaviour, characteristics, or data patterns), is not currently effective for preventing underage access to unsuitable services.

A risk-based, technology-neutral framework
Organisations can choose age assurance methods suited to the risks presented by their particular service, provided the approach is necessary, proportionate, and UK GDPR-compliant. The framework is intended to be future-proof and does not require use of methods that are not technically feasible or that create disproportionate risks to the rights and freedoms of individuals.

Highly Effective Age Assurance (HEAA) requirements
Under the OSA, certain user-to-user services likely to be accessed by children must use HEAA to prevent children encountering primary priority content (e.g. content relating to pornography, self-harm or suicide). Ofcom describes four criteria for HEAA and allows flexibility based on context and resources. Methods capable of being highly effective include facial age estimation, digital ID and photo matching. Services must also mitigate circumvention of the checks and ensure they are both resistant to fake inputs and linked to the user presenting for the check. For services most used by children, both regulators expect HEAA to enforce minimum age policies effectively.

Data protection obligations run in parallel
Compliance with the OSA does not displace data protection obligations; both apply. Services must follow UK GDPR principles (including data minimisation, purpose limitation, storage limitation and transparency), complete a DPIA where this is required, and provide clear privacy information (including purpose for processing, data collected, retention and data subject rights).

Preventing underage access and lawful basis
The ICO indicates that where a service sets a minimum age (e.g. 13), it is unlikely to have a lawful basis to process the personal data of children below that age. For this reason, an effective age gate can help prevent both underage access and unlawful processing. Technologies cited as viable for enforcing a minimum age of 13 include facial age estimation, digital ID and one-time photo matching. Where children above the minimum age can access the service, the experience must be age-appropriate (as set out in the ICO's Children’s Code) and the age assurance method proportionate to risk. If sufficient certainty about age cannot be achieved (relative to risk), the Children’s Code standards should be applied to all users of the service.

Why is this important?

This is the clearest joint articulation so far of how Ofcom and the ICO expect age assurance to work in practice. It argues that there is no “either/or” decision to be made when balancing OSA compliance and data protection compliance, and signals enforcement risk for services relying on self-declaration or profiling. It also strengthens expectations that services most used by children deploy HEAA to enforce age limits.

Any practical tips?

  • Review any age assurance technologies currently in use against the joint statement, prioritising any services relying on self-declaration or profiling.
  • Start assessing alternatives to current processes (e.g. facial age estimation or digital ID) where higher assurance is needed.
  • Ensure implementation is supported by a DPIA and updated privacy notices explaining the technologies and process used clearly.
  • Monitor further Ofcom/ICO guidance and developments, including potential updates to Ofcom codes that may further embed HEAA expectations.

Summer 2026
