How to Implement Age Assurance for UK Online Safety Act Compliance

On April 24th, 2025, Ofcom, the independent regulator for communications services in the UK, published its Protection of Children Codes of Practice.

These Codes comprise over 40 practical safety measures that digital platforms will be required to implement by July 25th, 2025 to comply with the UK Online Safety Act and avoid penalties of up to £18 million or 10% of global revenue.

What is the UK Online Safety Act?

As social media, online gaming, search platforms, adult content websites and other online services play an ever-growing role in daily life, the UK Online Safety Act, passed into law on October 26th, 2023, sets out to make the UK “the safest place in the world to live and work online.” (gov.uk)

The Online Safety Act is one of the most ambitious regulatory frameworks to date, designed to safeguard people, particularly children, online. The strongest protections have been designed to prevent minors from accessing harmful and age-inappropriate content, as well as provide parents and children with clear and accessible ways to report problems online when they do arise.

The Online Safety Act Makes Platforms Accountable For Their Users’ Safety

Ofcom’s Protection of Children Codes insist on a ‘safety-first’ approach in how tech firms design and operate their services in the UK. The measures include:

• Safer feeds. Children mostly find harmful content through personalized “For You” pages and recommendations. Algorithms that pose medium or high risk of harm must be configured to prevent harmful content from appearing in children’s feeds.
• Effective age checks. Higher-risk services are required to implement effective age assurance to identify younger users and protect them from encountering harmful material. These age checks preserve adults’ rights to access legal content.
• Fast action. All sites and apps must have processes to review, assess, and quickly filter or remove harmful content when reported or detected.
• More choice and support for children. Children need to be granted more control over their online experience, such as being able to indicate what content they don’t like, accept or decline group chat invitations, block and mute accounts, and disable comments on their own posts. Platforms are responsible for providing supportive information for children who encounter harmful content.
• Easier reporting and complaints. It must be easy for children to report content or make complaints, and platforms should respond with appropriate action. The terms of service must be clear so that children can understand them.
• Strong governance. All services must have a named person accountable for children’s safety, and a senior body should annually review the risk management to children.

What Content Is Considered Harmful or Age-Inappropriate for Children According to the Online Safety Act?

Under the UK Online Safety Act, children must be prevented from accessing Primary Priority Content, and should be given age-appropriate access to Priority Content. The types of content that fall into these categories are set out below:

Primary Priority Content

• adult content
• content that encourages, promotes, or provides instructions for either:
  • self-harm
  • eating disorders or
  • suicide

Priority Content

• bullying
• abusive or hateful content
• content that depicts or encourages serious violence or injury
• content which encourages dangerous stunts and challenges; and
• content which encourages the ingestion, inhalation, or exposure to harmful substances.

Which Online Services Need to Comply With Ofcom’s Protection of Children Codes?

Search services and services that allow users to post content online or interact with other users, will need to implement Ofcom’s safety measures, including:

• social media
• online gaming
• consumer file cloud storage and sharing sites
• video-sharing platforms
• online forums
• dating services
• online instant messaging services
• e-commerce

The Act applies to all search services and user-to-user services operating in the UK. This includes services based outside the UK. As long as a service is accessible to UK users, it must comply with the Online Safety Act.

What Happens if You Fail to Comply?

Ofcom has the power to take action against service providers that fail to meet their Protection of Children Codes from July 25th, 2025. The consequences of not complying include:

• Fines: Up to £18 million or 10% of global revenue, whichever is higher
• Criminal charges: Senior managers can face prosecution for ignoring Ofcom’s information requests or failing to meet child safety duties
• Business shutdown: In extreme cases, courts can allow Ofcom to cut off a site’s payment processors, advertisers, and internet access in the UK

How Can Platforms Prevent Children From Encountering Harmful Content by Implementing Age Checks?

Services must assess any risks their platforms pose to children and set appropriate age restrictions, ensuring that child users have age-appropriate experiences.

To do this, services must use Highly Effective Age Assurance, or HEAA, which refers to age verification or estimation methods that Ofcom deems strong enough to reliably enforce age restrictions and protect children from harmful content or services.

Ofcom considers the below methods to be examples of HEAA:

• Government-issued ID checks
• Biometric age estimation (e.g. face-based AI)
• Credit card or payment-based age proof
• Digital identity wallets / reusable tokens

Services must specify what measures are being used to enforce this age limit and enforce this consistently in their terms of service.

If services have minimum age requirements but are not using strong age checks, they must assume children are accessing their platform and ensure they have an age-appropriate experience.

Ensuring children have age-appropriate experiences may involve preventing children from accessing their entire site or app, or certain parts or sections.

Effective Age Assurance with Incode

0 Friction, Full Compliance

Incode’s age verification solution uses a dynamic waterfall approach to meet global age assurance regulations while minimizing friction and protecting user privacy. These are the three optimized ways in which Incode verifies a user’s age:

• Facial age estimation Uses in-house built AI models to estimate age based on a facial image, without requiring an ID.
• Document verification Extracts and validates the date of birth from an identity document while verifying the document’s authenticity; later, the user’s selfie is compared against the ID picture to ensure ownership of the document.
• DOB data verification Verifies date of birth data provided by the user against authoritative sources or client-owned data

Automated Waterfall Flow

The system automatically begins with the least invasive method and escalates only when required, ensuring compliance without sacrificing conversion.

• Automatically escalates to stronger checks only when needed
• Built-in compliance logic adjusts by country, industry, and platform
• One unified SDK powers the full flow with zero user interruption
• Completes verification in under 50 secs, even with step-ups
• Approach recommended by regulators as best practice in age assurance

Why Partner With Incode For Effective Age Assurance

• Fully compliant with global age assurance regulations around the world, including the UK’s Online Safety Act.
• Reduces user churn caused by the friction introduced by these regulations.
• Follows a privacy-first by design approach, with live data redaction and automatic data deletion.
• Achieves lowest error rates, no demographic bias, and 99.9% true positive accuracy.
• Built to scale and adapt fast.
• Stops identity fraud before it starts with liveness checks, spoof detection, and deepfake detection.
• Powered by proprietary technology: Incode does not rely on third-party solutions.

Recognized by Industry Leaders

• Market-leading performance in NIST Age Estimation testing
• Named a leader in age verification and age estimation by Liminal
• Named most visionary leader in the first-ever Gartner® Magic Quadrant™ for Identity Verification
• PAS 1296 certified for global performance and compliance
• 1st certified Passive Liveness solution under ISO 30107-3

Trusted By Users

Incode was recently awarded 13 new G2 badges, including a Leader badge in Age Verification, in the G2 Spring 2025 Reports. G2 is one of the world’s most trusted software review platforms, and helps buyers find the right solutions for their needs.

Incode was among the 4% of software and services featured on G2 to receive at least one Leader badge in G2’s Spring 2025 Reports. In total, Incode received three Leader badges.

What Happens Next?

Two key dates are coming up fast:

By July 24th, 2025: Providers of services likely to be accessed by UK children now have until 24 July to finalize and record their assessment of the risk their service poses to children, which Ofcom may request

By July 25th, 2025: The safety measures set out in Ofcom’s Protection of Children Codes must be implemented to avoid penalties. For companies with UK users, compliance is not optional.

A New Era for Online Regulation

The UK Online Safety Act represents a significant shift in the regulation of digital platforms, and calls on companies to take more responsibility for the content on their platforms. The Act prioritizes a safety-first approach over reactive moderation.

Incode’s solutions have been designed to comply with global regulations, including the UK’s Online Safety Act and Ofcom’s Protection of Children Codes.

As the July 25th, 2025 deadline approaches, services will need to act fast to ensure compliance. If you would like to talk to our team about our available solutions or learn more about how to comply with Ofcom’s safety measures, contact our sales team now.

Learn more about Incode’s Age Assurance solutions.