Quick guide to children’s access assessments

Published: 7 May 2024
Last updated: 21 June 2024

Children’s access assessments are a new assessment that all user-to user-services and search services (‘Part 3 services’) regulated under the Online Safety Act must carry out to establish whether a service – or part of a service – is likely to be accessed by children. Services likely to be accessed by children will have additional duties to protect children online and they will need to also undertake a children’s risk assessment and implement safety measures to protect children online.

We’re currently consulting on our draft guidance for children’s access assessments (PDF, 1000.8 KB). This page explains what online services will need to do under our draft guidance. This is separate from our consultation on protecting people from illegal harms online.

We are consulting on our proposals, so this information could change;

This page:

  • Summarises proposals we are consulting on – we will update this information when final documents are in place;
  • Is only meant to introduce your online safety duties – our guidance will set out your legal responsibilities in full.

All online services covered by the Act will need to do a children’s access assessment in the future.

The Online Safety Act 2023 (‘The Act’) creates a new regulatory framework which aims to make the online world safer for people in the UK. Securing better protections to help keep children safer online is on one of the Act’s main objectives. The Act is clear that the duties imposed on regulated services aim to make sure they are safe by design, and designed and operated in a way that provides a higher standard on protection for children than for adults.

All user-to-user and search services regulated under the Act are required to carry out children’s access assessments. This duty comes into force once Ofcom has finalised our guidance on children’s access assessments, which we expect to do in early 2025. From then, most services will have three months to complete your first assessment but please see our draft guidance (PDF, 1000.8 KB) for more information on when children’s access assessment must be completed and/or repeated.

You don’t need to do anything right now, but we’ve suggested some steps to help you get ready. This quick guide covers the first  step with additional quick guides available on our draft Children’s Risk Assessment Guidance and Draft Children’s Safety Codes.

protection-children-flowchart-nc

What you can do now

We have created an easy tool to check if the Online Safety Act is likely to apply to your business. You can also register for email updates and we'll send you the latest information about how we regulate. This includes any important changes to what you need to do. You'll also be the first to know about our new publications, research and our webinars on online safety.

Assessing whether a service is likely to be accessed by children

We have published our draft Children’s Access Assessments Guidance (PDF, 1000.8 KB) on how services should complete a children’s access assessment.

Children’s access assessments must be ‘suitable and sufficient’.

A ‘suitable and sufficient’ children’s access assessment involves two stages:

  • Stage 1: Providers must determine whether it is possible for children to access their services or part of it; and if so, move to stage 2.
  • Stage 2: Whether the child user condition is met (the ‘child user condition’: there is a significant number of children who are users of the service; and/or the service is of a kind likely to attract a significant number of users who are children).

Under the Online Safety Act, ‘children’ means anyone under 18.

Our draft guidance is aimed at helping services to complete their children’s access assessment, including by setting out how to approach the assessment and what to consider at each stage. It is important to note that you will be required to record your outcome at each stage.

What you can do now

Read our draft guidance to familiarise yourself with the process and what factors to consider and how these might apply on your service.

Follow our two-step process to assess whether children can access your services

Stage 1: Is it possible for children to access the service or part of it?

Under the Online Safety Act, ‘children’ means anyone under 18.

You can only conclude that it is not possible for children to  access your service if you are using age verification or age estimation (together known as age assurance), which prevents children from normally being able to access that service.

The age assurance should be highly effective. By ‘highly effective’ we mean it must be:

  • technically accurate
  • robust
  • reliable
  • fair.

There is more detail on what constitutes highly effective age assurance in our draft guidance at Annex 10.

Examples of age assurance methods that have the potential to meet the above criteria include:

  • photo-ID matching
  • facial age estimation
  • reusable digital identity services.

Examples of age assurance methods that are not highly effective include:

  • payment methods which do not require the user to be over 18
  • your terms and conditions say the service is for over 18s only

If you have highly effective age assurance in place, you can conclude that the service is not likely to be accessed by children and record this conclusion. You do not need to go on to complete Stage 2 of the children’s access assessment.

What you can do now

Read more about highly effective age assurance in our draft guidance (Annex 10)  and consider how you currently manage age assurance on your service.

Stage 2: Is the child user condition met?

If you find in Step 1 that children can access your service or part of it, you must complete Step 2 and consider whether the ‘child user condition’ is met. This is the case if:

  • there is a significant number of children who are using the service; and/or
  • the service is if a kind likely to attract a significant number of children.

In order to work out whether either or both of these criteria are met, you will need to consider a number of aspects relating to your service which might include the data that you hold about who your users are as well as the nature of the service itself.

It is up to you to decide which criterion to consider first to establish if the child user condition is met. For most service providers it is likely to be a challenge to accurately determine the number of children on a service without using highly effective age assurance.

Given this challenge, you may wish to focus on the second criterion – whether the service is likely to attract a significant number of children.

We have proposed a list of factors to consider as part of stage 2:

  • Whether the service provides benefits to children;
  • Whether the content on a service is appealing to children;
  • Whether the design of the service is appealing to children;
  • Whether children from part of the service’s commercial strategy.

Even if your service does not actively target children or seeks to limit access to children below a certain minimum age, it may still be of a kind likely to attract a significant number of children.

The Act does not define what is meant by a ‘significant number’ of children. This is likely to depend on the nature of the service and should reflect a number or proportion that is material in the context of that service.

Even a relatively small number of children could be significant in terms of the risk of harm. We suggest you should err on the side of caution in making your assessment.

You are required to record the outcome of your children’s access assessment regardless of its findings.

All services need to record the outcome of each children’s access assessment.

  • If you have highly effective age assurance in place, you can conclude that the service is not likely to be accessed by children and record this conclusion.
  • If you go on to stage 2 of the children’s access assessment and conclude that the child user condition is not met (the service is not likely to be accessed by children), you must record the steps taken and the detailed evidence used to reach that conclusion.
  • If you go on to stage 2 of the children’s access assessment and conclude that the child user condition is met (the service is likely to be accessed by children), you must record the outcome, but do not need to record detailed evidence.

If your service is likely to be accessed by children you will need to undertake a children’s risk assessment and implement safety measures to protect children online.

If you have already assessed whether you are likely to be accessed by children for the purpose of the ICO’s Children’s code to comply with data protection regulation, you may be able to draw on similar evidence and analysis for both.

What you can do now

Think about the users of your service and what you know about them. Learn more about how risks of harm to children manifest online through our draft Children’s Register of Risks; see our draft Guidance on Content Harmful to Children for examples of what Ofcom considers to be content harmful to children.

For full details, you can read our draft guidance on Protecting children online and respond to our consultation. If you have views on our proposals, we’d love to hear from you.

Rate this page

Thank you for your feedback.

We read all feedback but are not able to respond. If you have a specific query you should see other ways to contact us.

Was this page helpful?
Back to top