UK Online Safety Act Age Assurance Options

The main options are age verification, age estimation, and risk-based checks that support a safer default experience. Ofcom and the ICO describe age assurance as a broad term covering methods used to inform a service about a user's age online, and the ICO says in-scope services may need to apply age verification or age estimation where required.

Choose the option that gives enough confidence for the feature or content at issue. For higher-risk services or content, stronger age assurance may be needed; for lower-risk situations, services should avoid collecting more personal data than necessary.

Start with the online safety risk and the user experience you are trying to protect. If the service needs to block children from a service or content type, use a stronger method; if the goal is only to tailor content or controls, a less intrusive method may be enough.

The right choice should balance safety, privacy, accuracy, and usability. In practice, that means explaining why the selected option is sufficient, why alternatives were rejected, and what would trigger a review if the service changes.

Edge cases usually involve mixed audiences, shared accounts, optional sign-up, or services where the same method is used for both safety and privacy controls. These situations need a fresh check because the chosen option may be more or less intrusive depending on the user flow.

Revisit the decision if the service adds new content types, changes the data flow, introduces a vendor, or expands into a market where the risk profile is different.

Create a short decision record that names the service, the age-related risk, the chosen method, the privacy safeguards, and the owner. That record should be easy to update when the product, the vendor, or the regulatory expectation changes.

Use the decision record to show that the service chose a proportionate method, limited data collection to what was necessary, and planned a review date or trigger for reassessment.