AGE VERIFICATION

This July, millions of British users launched their favorite social websites and games to be greeted with a new requirement to verify their age in accordance with the Online Safety Act (OSA). The Act was passed in 2023, and its key provisions came into force on July 25, 2025, with the remaining parts coming into full force in early 2026. The Act created a new duty of care for online platforms, games, etc., to protect younger users from a wide range of content deemed illegal, potentially harmful, or just age-inappropriate.

The basics

The Act implies that any website that hosts content with themes potentially inappropriate for minors is subject to regulation. It’s not limited to pornography, as information about reproductive health or LGBTQ+ rights can potentially be considered “too adult”. Platforms with content catering to different audiences, such as Facebook or Reddit, must establish robust automated content classification rules. The Wikimedia Foundation tried to challenge the OSA in court, arguing that the regulation threatens its anonymous users rather than protects them.

The OSA applies to most of the web, especially to websites and apps with user-generated content and interactions, if they have a considerable audience in the UK. Some extra transparency and risk assessment requirements apply to Category 1 platforms that exceed 45 million monthly UK visitors, which include gaming, streaming, sharing, etc.

The Act permits different methods of age verification: age assessment based on facial recognition, via providing one’s banking information, credit card age check, email-based estimation (based on cross-checking other resources where email was used), mobile network operator check (confirming whether a phone number has age filters applied to it), digital ID wallet connection, and ID document photo upload.

The solution

For most companies subject to the OSA, compliance can be reached through a connection with a third-party age verification provider, such as Dataspike. Our platform evolved from a KYC/KYC provider to a full-featured customer verification and onboarding platform that has a solution for the two most common age verification approaches: through face recognition and liveness checks, and based on a state-issued ID. Dataspike’s verification pipeline is fully automated, easily integrated via API or SDK, and supports requirements for numerous regions, such as the UK, US, and EU, simplifying compliance for global companies.

The concerns

Numerous privacy advocates and tech representatives have voiced strong concerns that the Online Safety Act’s focus on age verification can create more harm than it averts.

Data breaches

No company is immune to data breaches, including both content platforms and customer verification providers. There have been numerous cases where leaks have dramatically affected personal well-being. For instance, the Ashley Madison dating platform hack half a decade ago led to attacks on unfaithful partners. A breach of Tea (a women-only dating app) exposed 13,000 selfies and ID photos used for verification and 59,000 images from posts, comments, and personal messages.

Many risks related to data breaches can be mitigated through adherence to international data protection standards (such as GDPR) and well-thought-out data management policies. Dataspike doesn’t store sensitive data provided by users and deletes it immediately after the check, ensuring that no sensitive information can be leaked. We isolate each partner and customer from others to make sure no data can end up in the wrong hands.

We believe that digital privacy and data protection are a priority. If a user doesn’t trust the data management policies of the platform or its provider, we’d recommend not providing personal data. There are no legal consequences for end users circumventing the OSA (aside from sanctions for Terms of Service violations on a particular platform or service): the Act focuses on larger corporate entities, not individual users.

Identity theft

One serious concern is the potential spread of fake age assurance websites and phishing pop-ups aimed at stealing users’ information. We believe that the developers of content blockers (standalone apps, browser extensions, or built-in tools) will do their best to protect users from such fraud attempts.

Users threshold

The Online Safety Act aims to protect underage Brits from adult content. However, there’s a whole internet out there that doesn’t care about British regulations. Hence, widespread age verification in the UK will most probably push people towards unregulated websites that don't require users to provide a state-issued ID to watch pornography.

Technological flaws

Following the launch of widespread age verification for UK users, tech media reported that age verification on Discord and Reddit could be tricked by a video game’s photo mode. Users could take the face of Death Stranding’s protagonist, Sam Porter Bridges, performed by Norman Reedus, and apply a variety of facial expressions to pass the liveness test easily. The providers claimed that they blocked nearly 100% of such attempts, but this is practically impossible to confirm or deny.

VPN

The simplest way to circumvent the current implementation of age verification is a VPN that allows users to appear as a person from a different location (a foreigner, when it comes to a UK-based website or app). Downloads of popular VPN apps spiked by over a thousand percent in late July 2025.

What about non-compliance?

Unlike end users, companies can’t ignore OSA requirements. Platforms can be fined up to GBP 18 million or 10 percent of their qualifying worldwide revenue (whichever is greater). We recommend that companies take a three-step approach to Online Safety Act compliance.

  • First, consult with your lawyers about noncompliance-related risks. For instance, a company without UK-based users can generally ignore OSA requirements for now.
  • Second, use Dataspike’s API integration to introduce reliable age verification for a website or an app in a matter of hours. The user will be able to verify on an external web page, in an external app, with a chatbot, etc.
  • Third, use the SDK to seamlessly build Dataspike’s customer verification into the user onboarding and other stages of the customer journey (if needed). Dataspike has a fair and transparent pay-as-you-go plan that fits companies of any size or industry.

Trend for age verification

The developments in UK internet regulation aren’t unique. For instance, 24 US states have issued their own age verification laws, and the nationwide Kids Online Safety Act (KOSA) has been discussed in Congress since 2022. In the EU, an age verification pilot project was introduced within the context of the European Digital Services Act (DSA) in Italy, France, Spain, Greece, and Denmark.

Dataspike is a global customer verification provider with solutions tailored for different national legislations and document formats, and trained to recognize people of different skin colors with varying facial features. Dataspike is a privacy-focused company that is serious about data safety, so we follow the best practices in the industry to protect our customers and their customers.