AgeGateOverview
The UK Online Safety Act 2023 requires platforms that allow users to access pornographic content, or content that is harmful to children, to implement age verification measures. Ofcom, the UK's communications regulator, has published detailed guidance on which age assurance methods it considers "highly effective." Self-declaration — such as clicking a button to confirm you are 18 — is explicitly not acceptable.
Ofcom began enforcement in January 2025. As of early 2026, Ofcom has issued enforcement notices to over 30 pornography websites and fined non-compliant platforms. Several smaller platforms have chosen to geo-block UK users rather than implement verification, highlighting the need for accessible, affordable compliance solutions.
Who needs to comply
The Online Safety Act applies to "user-to-user services" and "search services" that are accessible in the UK. In practice, this means:
- Websites and apps that host or provide access to pornographic content
- Platforms where users can post content that may be harmful to children (including violence, self-harm, eating disorder content, and other categories defined in the Act)
- Social media platforms, community forums, and UGC sites where harmful content may appear
- Dating apps with adult features or content
The Act applies regardless of where the platform is based — if UK users can access it, it's in scope.
Approved verification methods
Ofcom has assessed various age assurance methods and rated them on their effectiveness. The following methods are considered "capable of being highly effective":
| Method | How it works | Ofcom rating | Offered by |
|---|---|---|---|
| Email age estimation | Analyses metadata associated with an email address to estimate the user's age. No action required from the user beyond providing an email. | Highly effective | Third-party |
| Facial age estimation | Uses a brief selfie to estimate age. The model runs entirely on the user's device — no image is uploaded, transmitted, or stored. Result returned in under 100ms. | Highly effective | AgeGate |
| Photo ID verification | User uploads a government-issued photo ID (passport, driving licence). The document is verified and age extracted. | Highly effective | Third-party |
| Credit card check | Verifies that a payment card belongs to a person aged 18 or over using card network data. | Highly effective | Third-party |
| Mobile operator check | Confirms via the mobile network operator that the phone number is registered to a person aged 18+. | Highly effective | Third-party |
| Open Banking verification | Uses Open Banking data to verify the user's age via their bank account. | Highly effective | Third-party (coming soon) |
| Reusable age credential (AgeKey) | A FIDO2 passkey-based reusable credential. Users verify once and can reuse the credential across sites. | Highly effective | Third-party |
Rejected methods
The following methods are NOT considered acceptable by Ofcom:
- Self-declaration ("I am over 18" checkboxes or buttons)
- Debit card checks (insufficient assurance)
- Warnings and disclaimers without verification
- Age gating by date of birth entry alone
Penalties and enforcement
Ofcom has the power to:
- Issue confirmation decisions and enforcement notices requiring platforms to take specific steps
- Impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater
- Apply to court for business disruption measures, including ISP blocking orders for non-compliant sites
- In extreme cases, impose personal liability on senior managers
As of Q1 2026, Ofcom has issued enforcement notices to 34 pornography sites and imposed fines on multiple platforms.
How AgeGate helps
AgeGate handles UK compliance automatically:
- Detects UK users via IP geolocation
- Presents AgeGate's facial age estimation — Ofcom-approved, runs entirely on the user's device in under 100ms
- No image is uploaded, transmitted, or stored — fully compatible with UK GDPR
- Logs every verification event with the detail Ofcom expects: timestamp, method, jurisdiction, outcome
- Exports audit trail as CSV for regulator submissions