Quick guide to implementing highly effective age assurance

Published: 23 February 2024
Last updated: 16 January 2025

The Online Safety Act has introduced new rules on robust age checks that services must follow to protect children.

    • All service providers which allow pornography must implement highly effective age assurance to ensure that children are not normally able to encounter pornographic content.
    • Services that display or publish their own pornographic content (Part 5 services) must take steps from 17 January 2025 to implement highly effective age assurance to ensure that children are not normally able to encounter pornography.
    • When we publish our final Protection of Children Codes and guidance in April 2025, user-to-user services that are likely to be accessed by children will need to assess the risks they pose and take action to protect them in line with our Protection of Children Codes. This may include using highly effective age assurance to prevent children from accessing harmful content.

    Robust age checks are a cornerstone of the Online Safety Act. We have published our Part 3 Highly Effective Age Assurance Guidance and Part 5 Guidance, which explain how you can effectively assure the ages of your users, to assist you in implementing highly effective age assurance where you fall within the scope of the age assurance duties. The rest of this page explains the new rules and outlines the steps you should be taking to ensure you are complying with your new duties.

    Our approach to highly effective age assurance is consistent across Part 3 and Part 5 services and designed to be flexible, tech-neutral and future-proof. We have produced dedicated guidance for Part 5 and Part 3 services to assist them in implementing ‘highly effective age assurance’.

    Part 3 user-to-user services should also consult the Part 3 HEAA Guidance when we publish our final Protection of Children Codes and associated guidance in April, to understand how to implement the recommended measures in our codes that involve age assurance.

    This page summarises what highly effective age assurance means in the context of the Online Safety Act. Our final guidance (for Part 5 services and Part 3 services) sets out more information to assist you in complying with your duties under the Online Safety Act.

    Decide which age assurance method(s) is appropriate for your service

    We recognise that there are likely a number of ways to implement an age assurance process that is highly effective. Our approach to the guidance affords service providers a degree of flexibility in how to comply.

    Our guidance documents mentioned above set out a non-exhaustive list of kinds of age assurance that we consider are capable of being highly effective at correctly determining whether or not a user is a child, as well as methods we do not consider capable of being highly effective.

    Methods capable of being highly effective:

    • Open banking
    • Photo-identification (photo-ID) matching
    • Facial age estimation
    • Mobile-network operator (MNO) age checks
    • Credit card checks
    • Digital identity services
    • Email-based age estimation

    Methods not capable of being highly effective:

    • Self-declaration of age
    • Age verification through online payment methods which do not require a user to be over 18 (Debit cards)
    • General contractual restrictions on the use of the service by children

    Ensure your age assurance process meets our four criteria

    To ensure that an age assurance process is, in practice, highly effective at correctly determining whether or not a user is a child, service providers should ensure that the process fulfils each of the following four criteria:

    1. technically accurate;
    2. robust;
    3. reliable; and
    4. fair.

    Criteria and the practical steps to fulfil them:

    Technical accuracy: the degree to which an age assurance method can correctly determine the age of a user under test lab conditions.

    Ensure the age assurance method(s) has been evaluated against appropriate metrics and the results indicate that the method(s) is able to correctly determine whether or not a particular user is a child under test lab conditions.

    Where the age assurance process used on the service involves the use of age estimation, the provider should use a challenge age approach.

    Periodically review whether the technical accuracy of the age assurance process for the service could be improved by making use of new technology and where appropriate, make changes to the age assurance process.  
    Robustness: the degree to which an age assurance method can correctly determine the age of a user in actual deployment contexts.

    Implement age assurance processes that have undergone tests in multiple environments during development.

    Identify and take appropriate steps to mitigate against methods of circumvention that are easily accessible to children and where it is reasonable to assume that children may use them.  
    Reliability: the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence.

    Where age assurance methods forming part of the age assurance process rely on artificial intelligence or machine learning, take steps to ensure that:

    • the artificial intelligence or machine learning method(s) has been suitably tested during the development of the age assurance process to ensure it produces reproducible results;
    • once deployed, the artificial intelligence or machine learning method(s) is regularly monitored to ensure it produces reproducible results;
    • the outputs of the artificial intelligence or machine learning method(s) are assessed against key performance indicators designed to identify whether the artificial intelligence or machine learning produces reproducible results;
    • in circumstances where the artificial intelligence or machine learning used is observed to be producing unreliable or unexpected results, the root cause of the issue is identified and rectified. 
    Take steps to ensure that any data relied upon as part of the age assurance process comes from a trustworthy source.  
    Fairness: the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes.

    Ensure that any elements of the age assurance process which rely on artificial intelligence or machine learning have been tested and trained on data sets which reflect the diversity in the target population.

    For methods reliant on artificial intelligence or machine learning, ensure the age assurance method(s) has been evaluated against outcome/error parity and the results indicate that the method(s) does not produce significant bias or discriminatory outcomes.

    Age assurance should be implemented either at the point of entry to the site, or in such a way that no pornographic or other content harmful to children is visible to users on entering the site before they have completed the age check.

    Both of our final guidance documents state that service providers should not host or permit content on their service that directs or encourages child users to circumvent the age assurance process or the access controls, for example by providing information about, or links to, a virtual private network (VPN) which may be used by children to circumvent the relevant processes.

    Consider accessibility and interoperability when implementing HEAA

    Remember that, as well as meeting the four criteria, your method should be easy to use and work for all users. This will also help you make sure that adult users can still access legal content. You should consider the following two principles:

    • Accessibility: the principle that age assurance should be easy to use and work for all users, regardless of their characteristics or whether they are members of a certain group.
    • Interoperability: the ability for technological systems to communicate with each other using common and standardised formats.

    Remember users’ right to privacy.

    All age assurance methods involve the processing of personal data and should follow a data protection by design approach.

    We’ve worked closely with the Information Commissioner’s Office (ICO) to adopt a cohesive approach supporting compliance with our respective regulatory regimes. Our guidance sets out where services should consult ICO guidance for further information on data protection requirements.

    Compliance by service providers with both the online safety and the data protection regime is mandatory and should not be considered a trade-off.  

    Summary

    1. Online services should determine if they are a Part 3 or Part 5 service and can use our online tool to help with this.
    2. Services should then determine what age assurance method is appropriate for their service and ensure that their age assurance process fulfils each of our four criteria: technical accuracy, robustness, reliability, and fairness.
    3. Services should also consider the principles of accessibility and interoperability.
    4. Services should ensure they meet their data protection and privacy obligations when implementing highly effective age assurance.

    For a directory of all Ofcom publications relevant to online pornography services, head to ‘Adults Only’: what to do if your online service allows pornography - Ofcom.
