The ICO exists to empower you through information.

This opinion outlines some of the legislative frameworks about age assurance. It explains your responsibilities under our Children’s code. It also sets out considerations when deciding on your approach to age assurance if your service is likely to be accessed by children.

The UK data protection regime is set out in the DPA 2018 and the UK GDPR. It requires you to take a risk-based approach when you use people’s personal information, based on principles, rights and obligations. We published the Children’s code to help you understand your obligations to ensure you offer online services to children in a way that is compliant with UK data protection law.

We recognise that many providers also have obligations under other legislation, including the OSA. In November 2022, we published a joint statement with Ofcom on online safety and data protection to promote compliance with both regimes.

Ofcom is the regulator for the OSA. It is responsible for implementing the regime and supervising and enforcing the online safety duties. Ofcom will be publishing codes of practice and guidance which will provide more detail about the regime.

The OSA places requirements for age assurance on organisations that fall in scope. These requirements are separate to the Children’s code standards. If you are a service that is in scope of the OSA and processing personal information, you must comply with data protection law. You should also conform with the Children’s code if you are a service that is likely to be accessed by children.

4.1 Are we in scope of the Children’s code?

The code provides guidance on how to comply with the UK GDPR by setting out specific protections you should build in when designing online services likely to be accessed by children.

It applies to “relevant information society services which are likely to be accessed by children” in the UK. An information society service is defined as:

“any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

The code applies to services that are intended for use by children and to services that are not aimed at children but are likely to be accessed by a “significant number of children”.

Standard 3 of the code sets out the approach to age-appropriate application. It states that ISS should:

“take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.”

If a significant number of children are likely to access your service, you should conform with the standards of the code in a risk-based and proportionate way. You should use age assurance to conform with the code when:

  • your service is likely to be accessed by children and you wish to establish the age of your users as part of your compliance with the code; or
  • you provide an adult service and wish to restrict access to children. If restricting access is done effectively so that children no longer represent a significant number of users, the code does not apply.

If it is not appropriate for children to access your service, you should focus on preventing access.

4.2 Are we in scope of the Online Safety Act?

The OSA requires that age assurance is applied to the following types of online services where they have links to the UK:

  • User-to-user services.
  • Search services.
  • Services which publish or display regulated provider pornographic content.

The OSA acknowledges the links between the requirements in the Act and data protection legislation. When implementing age assurance, services in scope of the OSA are under a duty to have particular regard to protecting users from a breach of privacy legislation. This includes data protection legislation. This opinion will be a helpful resource to support you with this requirement.

If you are a service in scope of the OSA, you will need to consider applying age verification and age estimation where required by the OSA.

Ofcom will set out more information about the OSA in codes of practice and guidance. You should familiarise yourself with these documents as they become available.

4.3 Overview of the application of the legislative framework

All organisations that use personal information are required to comply with UK GDPR and the DPA 2018. The Children's code sets out what ISS in scope of the code should do to comply with this legislation when processing children's information. The table below categorises different types of organisations and explains where standard 3 of the code on age-appropriate application applies, and where the OSA applies. Ofcom’s draft guidance on age assurance, and other duties under part 5 of the OSA, is published for consultation.

Type of organisation Applicable requirements
ISS that are likely to be accessed by children, but are not in scope of the online safety regime.

Children’s code

  • Establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your information processing or apply the standards in the code to all your users instead.
ISS that are likely to be accessed by children and are user-to-user or search services in scope of the OSA.

Children’s code

  • Establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your information processing or apply the standards in the code to all your users instead.

OSA

  • Services should refer to Ofcom's online safety codes of practice and guidance.
ISS that are likely to be accessed by children and are in scope of part 5 of the online safety regime (regulated provider pornographic content).

Children’s code

  • Establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your information processing. Where it is not appropriate for children to access your service, you should focus on preventing access.

OSA

  • Services should refer to Ofcom's online safety codes of practice and guidance.
Adult online services that are not likely to be accessed by children, but which deploy age assurance to restrict child access.

Children’s code

  • If the age assurance restricts access to child users effectively, the children’s code will not apply.

OSA

  • Services should refer to Ofcom's online safety codes of practice and guidance.