Online Safety: Age Assurance, one year on

17 July 2026. Published by Mafruhdha Miah, Senior Associate and Alex Littlewood, Senior Associate (Barrister)

This week, Ofcom published its statutory report on age assurance pursuant to section 157 Online Safety Act 2023 (OSA). The report comes almost a year after the duty to protect children from harm under section 12 OSA came into force, which includes the duty to have highly effective age assurance (HEAA) measures for user-to-user services within the remit of the OSA.

The scope of Ofcom's review

The report summarises Ofcom's analysis of information provided by a sample of 32 regulated pornography, dating and social media services in relation to the age assurance measures each service had in place in the second half of 2025, in addition to its own research on children's online experiences and the responses to a call for evidence published in November 2025.

Ofcom has made clear that its review was not intended to reach any final conclusions about the effectiveness of the age assurance measures (though more on that below). Ofcom also noted that its review did not assess the use of age assurance measures in relation to enforcing a minimum age limit to access services, but rather it assessed whether the relevant measures are assisting the service providers in complying with their duties to protect children from harm online.

What did Ofcom find?

In summary, it found that between July and December 2025, there were 69 million age checks completed across the 32 services, which was a 23-fold increase on the number of checks in the preceding six months.

Ofcom's research showed that facial age estimation and photo ID matching were the most common forms of age assurance, whilst verification based on existing account signals (such as account tenure) and open banking were the least used.

It found that there were broadly two approaches to age assurance in social media platforms:

  • An active age-gated content approach: where users can generally use the service without an age check but the user only needs to actively complete an age check when attempting to access specific content or functionality reserved for adults; or
  • A passive age inference approach: where users declare their age upon access to the service and age inference models are subsequently used to infer whether a user is an adult or a child by analysing the user's activity on the service.

Those who use a passive age inference approach noted that they did so for proportionality and data minimisation reasons as this approach does not require users to submit any personal documents such as ID documents in order for the service provider to make a decision as to whether a user is likely underage. Such an approach would require a large-scale collection of personal data which they say could be contrary to the service provider's separate data protection obligations, in particular in relation to its duties to only process data which is necessary and only for as long as is necessary.

Ofcom noted that whilst service providers can use any form of age assurance measures provided that the effect is compliance with the provider's duties under the OSA, it did not recommend using age inference measures in its HEAA guidance because by its nature, age inference requires a user to use the platform for a period of time before the service provider's system can analyse the user's activity on the platform.

More work to be done

Ofcom found that the age assurance measures had been an effective deterrent in preventing children from accessing pornography sites, but there was more to do as there was evidence that children were still using search services to find pornographic content which they could access without age assurance measures.

More generally, Ofcom has not seen a material reduction in the volume of harmful content being surfaced to children and noted that age assurance is not delivering the intended outcome of effectively protecting children from harmful content. It speculated that this may be because children are circumventing the service providers' age assurance measures by using a VPN (the use of which has increased since the age assurance measures came in force), using an adult's details to pass through the relevant age gate, or they are using an adult's account or an account shared with an adult. Ofcom also suggested that it may be that the service providers' content recommender systems were failing to filter out the content harmful to children. 

Ofcom have therefore recommended that service providers:

  • Use methods for age assurance suggested in the HEAA guidance, including liveness detection to prevent children from using still images of adults to circumvent an age gate;
  • Have appropriate appeal mechanisms in place, and systems to track and monitor the number of appeals and the number of appeals upheld; and
  • Measure and monitor performance of the relevant age assurance measures to regularly consider the effectiveness of such measures.

Where does that leave us?

With the Government's social media ban for children under 16 coming into force by Spring 2027, Ofcom will need to be sure that the HEAA measures it has suggested (which all of the providers in their sample were using at least one of) are indeed going to be effective in enforcing the ban. Whilst this study did not consider the minimum age gate, i.e. access to each of the relevant platforms, at present its own findings suggest that these measures are not going to significantly reduce the harm to children online.

With particular regard to the use of VPNs rising in the 6 months after the introduction of age assurance measures, it is clear that Ofcom will need to do more to help service providers prevent child users from circumventing the measures put in place to protect them.

This is not the last word on age assurance from Ofcom; by the end of October 2026, it has promised to deliver to Parliament a rapid assessment of how highly effective age checks could work in practice to determine whether a user is over 16 for the purposes of the ban. It remains to be seen how this "rapid assessment" will deliver different results to the assessment underpinning this report. Watch this space…

Stay connected and subscribe to our latest insights and views 

Subscribe Here