All Part 3 user-to-user and search services must carry out a children’s access assessment by 16 April 2025.
Services that do not have highly effective age assurance in place must assess whether children are likely to be on the service or part of the service – either because the service, or that part of it has a significant number of users who are children, or because the service is of a kind likely to attract a significant number of children.
Services likely to be accessed by children will have additional duties to protect children online: they will need to also undertake a children's risk assessment and implement safety measures to protect children online.
Our final Children’s Access Assessments Guidance will help services comply with their children’s access assessment duties.
We think most services without highly effective age assurance will be in scope of the children’s safety duties.
This page
- Summarises the final children’s access assessment duties.
- Is only meant to introduce your online safety duties – our final guidance sets out your responsibilities in more detail.
All user-to-user and search services covered by the Act will need to complete a children’s access assessment by 16 April 2025
If you come into scope of the Act after 16 January 2025, you have three months to complete your assessment.
Follow our two-step process to assess whether children are likely to access your services.
Stage one – assess whether it is possible for children to normally access the service or part of it. You should only conclude that it is not possible for children to access the service if you are using highly effective age assurance, as well as access control measures that prevent users from accessing the service if they have not been identified as adults via the age assurance process.
Stage two: Assess if there is a significant number of children who are users of the service and/or the service is of a kind likely to attract a significant number of children.
Stage 1: Is it possible for children to access the service or part of it?
Under the Online Safety Act, ‘children’ means anyone under 18.
You can only conclude that it is not possible for children to access your service if you are using age verification or age estimation (together known as age assurance), which prevents children from normally being able to access that service.
The age assurance should be highly effective. By ‘highly effective’ we mean it must be:
- technically accurate
- robust
- reliable
- fair
There is more detail on what constitutes highly effective age assurance in our Guidance on Highly Effective Age Assurance for Part 3 Services.
Examples of age assurance methods that have the potential to meet the above criteria include:
- photo-ID matching
- facial age estimation
- reusable digital identity services.
Examples of age assurance methods that are not highly effective include:
- payment methods which do not require the user to be over 18
- your terms and conditions say the service is for over 18s only
To ensure that children cannot normally access a service, alongside highly effective age assurance providers need to have access control measures that prevent users from accessing the service if they have not been identified as adults via the age assurance process.
If you have highly effective age assurance and access controls in place, you can conclude that the service is not likely to be accessed by children and record this conclusion. You do not need to go on to complete Stage 2 of the children’s access assessment.
Stage two: The child user condition
If you find in Step 1 that children can access your service or part of it, you must complete Step 2 and consider whether the ‘child user condition’ is met. This is the case if:
- there is a significant number of children who are using the service; and/or
- the service is if a kind likely to attract a significant number of children.
In order to work out whether either or both of these criteria are met, you will need to consider a number of aspects relating to your service which might include the data that you hold about who your users are as well as the nature of the service itself.
It is up to you to decide which criterion to consider first to establish if the child user condition is met. For most service providers it is likely to be a challenge to accurately determine the number of children on a service without using highly effective age assurance. Given this challenge, you may wish to focus on the second criterion – whether the service is likely to attract a significant number of children.
We have suggested a list of factors for service providers to consider as part of stage 2 that might indicate whether a service is of a kind likely to attract a significant number of children:
- Whether the service provides benefits to children;
- Whether the content on a service is appealing to children;
- Whether the design of the service is appealing to children;
- Whether children form part of the service’s commercial strategy.
Even if your service does not actively target children or seeks to limit access to children below a certain age, it may still be of a kind likely to attract a significant number of children.
The Act does not define what is meant by a ‘significant number’ of children. This is likely to depend on the nature and context of the service and should reflect a number or proportion that is material in the context of that service.
Even a relatively small number of children could be significant in terms of the risk of harm. We suggest you should err on the side of caution in making your assessment.
You are required to record the outcome of your children’s access assessment regardless of its findings
All services need to record the outcome of each children’s access assessment.
- If you have highly effective age assurance in place, you can conclude that the service is not likely to be accessed by children and record this conclusion.
- If you go on to stage 2 of the children’s access assessment and conclude that the child user condition is not met (the service is not likely to be accessed by children), you must record the steps taken and the detailed evidence used to reach that conclusion.
Next steps
If your service is likely to be accessed by children, you will need to undertake a children’s risk assessment and implement safety measures to protect children online.
f you conclude your service is not likely to be accessed by children, you must repeat the assessment within 12 months, or earlier under the specific circumstances detailed in our guidance.
For full details read our Children’s Access Assessments Guidance.
Summary
- All user-to-user and search services must carry out a children’s access assessment by 16 April 2025.
- Service providers should only conclude that they cannot be accessed by children if they have highly effective age assurance.
- If a service provider concludes that the service is likely to be accessed by children, they will need to complete a children’s risk assessment and adopt appropriate safety measures to protect children. We will publish our final Children’s Risk Assessment Guidance in April, and our Protection of Children Codes will come into effect in July.
For a directory of all Ofcom publications relevant to online pornography services, head to ‘Adults Only’: what to do if your online service allows pornography - Ofcom