Ofcom and ICO Issue Joint Age Assurance Rules as UK Tightens Online Safety Act Enforcement
The UK's online safety regulator Ofcom and the Information Commissioner's Office (ICO) have issued a landmark joint statement setting out shared expectations for age assurance on online services, as enforcement of the Online Safety Act intensifies in 2026.
The joint statement, published on 25 March 2026, aims to help online platforms comply with both online safety and data protection obligations when deploying age verification systems. It comes as Ofcom ramps up scrutiny of tech firms' compliance with child safety rules that became legally binding in mid-2025.
Background
The Online Safety Act 2023 requires online services likely to be accessed by children to use "highly effective" age assurance measures to prevent access to the most harmful content, including pornography and material promoting self-harm. Ofcom's Protection of Children Codes of Practice — containing 40 specific rules — became legally binding in July 2025, with fines of up to £18 million or 10% of global revenue for non-compliant companies.
Key Developments
The Ofcom-ICO joint statement makes clear that self-declaration — such as a simple tick-box age confirmation — is insufficient for determining a user's age. Both regulators also state that profiling-based approaches are not sufficiently effective. Age assurance methods must be technically accurate, robust, reliable, fair, and easy to use for all users, while also addressing risks of circumvention.
Ofcom's first major assessment of the tech sector's response to the Online Safety Act, published in December 2025, found a mixed picture. While some firms had taken initial steps, many had failed to name a senior individual responsible for risk assessment, and their analyses of harmful content were often incomplete. A particular concern was the failure to address risks arising from algorithms that amplify harmful content.
Separately, the government has introduced a new law requiring tech companies to remove non-consensual intimate images within 48 hours of being reported. Platforms that fail to comply face fines of up to 10% of their global revenue or having their services blocked in the UK. Technology Secretary Liz Kendall stated that "the days of tech firms having a free pass are over." The End Violence Against Women Coalition praised the measure as a "powerful message" for women's rights.
Why It Matters
The joint statement and the intimate images law represent a significant tightening of the UK's digital regulatory environment. The Categorisation Register — which will formally designate online services into different tiers and determine the extent of their legal duties — has been pushed back to July 2026, partly due to a legal challenge from the Wikimedia Foundation. However, Ofcom has signalled it will continue to increase scrutiny throughout 2026.
What's Next
From April 2026, services will be required to report child sexual exploitation and abuse content to the National Crime Agency. Ofcom is also scheduled to publish a dedicated report on age assurance by the end of July 2026. The UK's broader tech ecosystem, valued at approximately $1.2 trillion in 2025, faces a more demanding regulatory environment as these rules bed in.
Full details of the joint statement are available via the ICO.
