The UK Online Safety Act 2023 applies to a broad range of services that allow users to encounter harmful content. Forums, comment sections, and community platforms can fall in scope when they host user-generated content that may be harmful to children. Ofcom expects "highly effective" age assurance where the service is likely to be used by under-18s and exposes them to such content.
Ofcom's "highly effective" age assurance methods
Ofcom’s guidance (January 2025) lists methods it considers highly effective: photo ID matching, facial age estimation, Open Banking–based checks, mobile network operator verification, and accredited digital identity services. Self-declaration of age or unverified payment methods alone are not considered sufficient. The regulator has already opened investigations and issued fines, so delay is a real compliance risk.
Online Safety Act penalties
Fines can reach £18 million or 10% of global annual revenue, whichever is higher. Ofcom can also block non-compliant services from reaching UK users.
Balancing friction and compliance for forums
For forums and community platforms, teams usually need to balance friction and compliance. Full ID upload on every visit is unrealistic. One pattern that works: the user proves age once (e.g. via a trusted provider), and the platform receives only a signed assertion (e.g. "18+") or token, with no need to store documents or faces. Returning users can re-verify with a quick check (e.g. face-only) without resubmitting ID.
Next steps for in-scope services
If your service is in scope, the next steps are to confirm your risk profile, choose an age-assurance approach that meets Ofcom’s bar, and ensure you can demonstrate compliance (e.g. via audit logs or verification receipts) when asked.
Frequently asked questions
Services likely to be accessed by under-18s that expose them to harmful content. That includes forums, comment sections, community platforms, social networks, video-sharing, and adult content sites. Size alone does not exempt you.
No. Ofcom states that self-declaration of age or unverified payment methods are not highly effective. You need a recognised method like photo ID plus liveness, facial age estimation, Open Banking, MNO checks, or accredited digital identity.
Up to £18 million or 10% of global annual revenue, whichever is higher. Ofcom has already opened investigations and issued fines in 2025-2026.
No. A privacy-preserving flow lets the user verify once (ID plus liveness) and then re-prove age on returning visits with a quick face-only check, while your platform still receives a fresh signed token and Audit ID.
