Privacy & Cybersecurity Law Blog

On March 25, 2026, the UK Information Commissioner’s Office (“ICO”) and the UK Office of Communications (“Ofcom”), the UK’s online safety regulator, released a joint statement addressing the intersection of online safety and data protection in relation to age assurance (the “Joint Statement”). The Joint Statement targets online services likely to be accessed by children that are subject to both the Online Safety Act (OSA) and UK data protection legislation.

The Joint Statement outlines that organizations in scope must adopt age assurance methods that are risk-based, flexible, and technology-neutral. It also confirms that self-declaration alone is not considered effective for verifying user age or restricting underage access. According to the Joint Statement, all age assurance methods necessarily involve the processing of personal data, and such processing is required to be necessary, proportionate, and compliant with data protection law. The regulators also highlight the need for organizations to address risks of circumvention and avoid age assurance methods that are technically unfeasible or present undue risks to users’ rights and freedoms.

For user-to-user services regulated under the OSA that are likely to be accessed by children and which make harmful content available (including pornography, self-harm, suicide, or eating disorder material), the Joint Statement confirms that highly effective age assurance (“HEAA”) must be used to prevent children from accessing such content. The regulators refer to Ofcom’s HEAA guidance, which identifies technical accuracy, robustness, reliability, and fairness as key criteria, alongside accessibility and interoperability. The Joint Statement also includes a non-exhaustive list of methods capable of being highly effective at determining user age, while making clear that self-declaration, certain payment methods, and generic contractual restrictions do not meet the HEAA standard.

Where services are suitable for children, the Joint Statement notes the importance of providing an age-appropriate user experience and complying with the ICO’s Children’s Code. In cases of high-risk data processing, the use of age assurance methods with the highest possible accuracy is expected. When user age cannot be reliably established, Children’s Code standards should apply to all users. The Joint Statement also includes practical scenarios demonstrating how compliance may be achieved by different types of services, such as social media networks.

Read the press release here. Read the Joint Statement here.