The United Kingdom's Online Safety Act 2023, which comes into force in stages throughout 2025, represents the most ambitious attempt by any democracy to regulate the internet. The law imposes sweeping legal duties on social media platforms, search engines, messaging apps, and online services to protect users—especially children—from illegal and harmful content. Ofcom, the communications regulator, gains unprecedented powers to fine companies up to £18 million or 10% of global revenue, block non-compliant services, and even pursue criminal charges against senior executives.
Supporters say the Act will finally hold Big Tech accountable for the harms facilitated by their platforms: child sexual abuse, terrorist radicalisation, fraud, harassment, and the mental health crisis among young people. Critics warn it threatens privacy, free speech, and encryption, and could force tech companies to abandon the UK market rather than comply with unworkable demands. As implementation begins, the stakes could not be higher.
What the Act requires
The Online Safety Act creates a duty of care framework, placing legal responsibility on platforms to keep users safe. The obligations vary depending on the type of service and the risks it poses.
Illegal content duties (all platforms)
Every platform accessible in the UK must take proactive steps to prevent and remove illegal content, including:
- Child sexual abuse material (CSAM)
- Terrorism content and material encouraging violence
- Fraud and financial scams
- Hate crimes and incitement to hatred
- Harassment, stalking, and threatening communications
- Revenge pornography and intimate image abuse
- Assisting suicide or self-harm
Platforms must use proactive technology (such as AI content moderation, hash-matching databases, and user reporting systems) to detect and remove illegal content quickly. They cannot wait for users to report it. Failure to comply can result in fines up to £18 million or 10% of global turnover, whichever is higher.
Child safety duties (platforms likely to be accessed by children)
Services likely to be used by under-18s—including social media, gaming platforms, messaging apps, and video-sharing sites—must implement child safety measures:

- Age verification or age assurance to prevent children accessing adult content
- Default safety settings for child accounts, including restricted contact from strangers, disabled location sharing, and content filtering
- Prohibition of harmful content for children, including pornography, graphic violence, eating disorder promotion, self-harm encouragement, and bullying
- Transparent reporting and complaints systems so children and parents can report harmful content and accounts
Ofcom's codes of practice, published in November 2024, specify that platforms must assess the risk of children accessing their service and implement "highly effective" age assurance if that risk is significant. This applies even to services not explicitly designed for children, such as pornography sites and social media platforms with 18+ terms of service but known child users.
Adult safety duties (Category 1 services)
The largest platforms—those with over 7 million UK users or "high-risk functionalities" like live streaming or algorithmic recommendation—are designated Category 1 services and face additional duties:
- User empowerment tools allowing adults to filter out legal but harmful content (such as graphic violence, misinformation, or abuse) according to their own preferences
- Transparency reports detailing content moderation decisions, algorithms, and risks
- Complaints and appeals processes that are accessible, timely, and fair
Crucially, platforms cannot remove legal content posted by adults unless it violates their own terms of service. The Act does not create new speech restrictions for adults, but it does require platforms to give users control over what they see.
Ofcom's enforcement powers
Ofcom becomes the online safety regulator, with powers that dwarf its traditional broadcasting and telecoms remit. The regulator can:
- Issue codes of practice specifying how platforms must comply with their duties
- Conduct investigations and demand internal documents, algorithms, and data
- Impose fines up to £18 million or 10% of global turnover for non-compliance
- Issue business disruption orders requiring app stores and payment providers to stop serving non-compliant platforms
- Apply for service restriction orders blocking access to platforms that refuse to comply, effectively banning them from the UK
- Pursue criminal charges against senior managers who fail to provide information or obstruct investigations
These powers are extraordinary. No other regulator in the UK can unilaterally block access to a global service or criminally prosecute executives for regulatory non-compliance. The government argues such powers are necessary to force compliance from tech giants that have ignored voluntary codes for years. Critics warn they create a chilling effect and risk being weaponised against platforms that displease the government.
The encryption battleground
The most controversial aspect of the Act is its treatment of end-to-end encryption. Messaging apps like WhatsApp, Signal, and iMessage encrypt messages so that only the sender and recipient can read them—not even the platform provider can access the content. This protects privacy and security but also prevents platforms from scanning messages for child abuse material.
The Act does not explicitly ban encryption. However, it requires platforms to use "accredited technology" to detect and remove CSAM, even in private messages. Ofcom's draft codes suggest this could include client-side scanning, where messages are scanned on the user's device before encryption, or machine learning systems that detect abuse patterns without reading content.
The problem: no such technology currently exists that can reliably detect CSAM without breaking encryption or creating unacceptable false positives. Cryptography experts, including the UK's own GCHQ, have stated that client-side scanning fundamentally undermines encryption by creating a backdoor that can be exploited by malicious actors or authoritarian governments.
WhatsApp, Signal, and Apple have warned they will withdraw from the UK market rather than comply with requirements that break encryption. In July 2024, Signal's president Meredith Whittaker said: "We will not undermine the security and privacy of our users, even if it means shutting down in the UK."
The government insists that technology will be developed to square this circle, and that Ofcom will only require scanning if it is technically feasible and proportionate. But the standoff remains unresolved, and legal challenges are expected once Ofcom issues final codes in early 2025.
Age verification: necessary safeguard or privacy nightmare?
The Act's child safety duties require platforms to implement age verification or age assurance to prevent children accessing harmful content. This has sparked fierce debate about privacy, effectiveness, and unintended consequences.
Proposed methods include:
- Photo ID verification (passport, driving licence) checked against the user's selfie
- Credit card or bank account checks (children rarely have these)
- Facial age estimation using AI to guess age from a selfie
- Third-party age verification services that verify age without sharing ID with the platform
Each method has drawbacks. Photo ID verification is accurate but creates honeypots of sensitive data—databases linking real identities to online accounts, vulnerable to breaches or government surveillance. The 2024 hack of age verification provider Yoti, which exposed 2.3 million users' ID documents, illustrated this risk.
Facial age estimation is less invasive but highly inaccurate, especially for people of colour, and can be spoofed with photos. Credit card checks exclude young people and can be bypassed with parents' cards. Third-party services add friction and cost.
Privacy campaigners warn that mandatory age verification will normalise digital ID systems, eroding anonymity and enabling mass surveillance. Civil liberties groups argue it will push young people to unregulated platforms or VPNs, making them less safe.
The government counters that children are already being harmed by unrestricted access to pornography, violent content, and predatory adults, and that age verification is a proportionate response. Ofcom's codes allow platforms to choose their method, but require it to be "highly effective"—a standard that may force platforms toward the most invasive options.
Free speech concerns
While the Act does not criminalise new categories of speech for adults, critics warn it will lead to over-removal of legal content. Platforms, facing massive fines for failing to remove illegal content, will err on the side of caution, taking down borderline material that might be legal but risky to host.
This is already happening under voluntary content moderation. Platforms routinely remove legal political speech, satire, and journalism because automated systems cannot distinguish context. The Act's proactive duties will intensify this, as platforms deploy more aggressive AI moderation to avoid liability.
There are also concerns about "legal but harmful" content. While the Act allows adults to choose their own filters, the government's definition of harmful content is broad and subjective. During the Bill's passage, ministers suggested it could include content promoting "harmful" political views or "misinformation". Though these provisions were removed after backlash, the framework remains vulnerable to future expansion.
Index on Censorship, a free speech charity, warned in September 2024 that the Act "creates a template for authoritarian governments to demand censorship under the guise of safety". If the UK can require platforms to remove legal content or break encryption, what stops China, Russia, or Saudi Arabia demanding the same?
Industry response: compliance or exit?
Tech companies are scrambling to comply with the Act's April 2025 deadlines. Meta (Facebook, Instagram, WhatsApp) has announced £100 million investment in UK content moderation and age verification systems. Google is developing age assurance for YouTube. TikTok is piloting facial age estimation.
However, smaller platforms and startups face existential challenges. The compliance costs—legal advice, content moderation systems, age verification, transparency reporting—are prohibitive for companies without Big Tech's resources. Many are likely to geofence the UK, blocking British users rather than complying.
This could fragment the internet, creating a UK-only version of global services with reduced features and innovation. It also raises questions about enforceability: how will Ofcom regulate platforms based in jurisdictions that do not recognise UK law?
Encrypted messaging apps remain the wildcard. If WhatsApp and Signal withdraw, millions of UK users will lose access to secure communication tools used by journalists, activists, lawyers, and ordinary people. The government has hinted at exemptions for private messaging, but no formal carve-out exists in the legislation.
What happens next?
The Act's implementation is phased:
- January 2025: Ofcom's illegal content codes of practice come into force
- April 2025: Platforms must comply with illegal content duties and child safety duties
- July 2025: Category 1 services must comply with adult safety and transparency duties
- October 2025: Ofcom begins enforcement action against non-compliant platforms
Ofcom has published draft codes and is consulting with industry, civil society, and technical experts. The final codes, expected in February 2025, will determine how the Act's broad principles translate into specific requirements.
Legal challenges are inevitable. Privacy groups, tech companies, and free speech advocates are preparing judicial reviews on grounds that the Act violates human rights, is technically unworkable, or exceeds the government's powers. The encryption question will likely reach the Supreme Court.
Internationally, the UK is being watched closely. The EU's Digital Services Act, adopted in 2022, takes a similar but less prescriptive approach. Australia, Canada, and several US states are considering online safety laws modelled on the UK Act. If it succeeds, it could become a global template. If it fails—driving platforms out, breaking encryption, or collapsing under legal challenges—it will be a cautionary tale.
The bottom line
The Online Safety Act is a high-stakes experiment in internet regulation. It addresses real harms—child abuse, terrorism, fraud, harassment—that platforms have failed to tackle voluntarily. It gives regulators teeth to enforce accountability and protect vulnerable users.
But it also risks unintended consequences: privacy erosion, free speech chilling effects, encryption backdoors, and a fragmented internet. The tension between safety and liberty, between protecting children and preserving privacy, between holding platforms accountable and preserving innovation, is not easily resolved.
The next 12 months will determine whether the UK has charted a path other democracies will follow, or whether it has overreached, creating a regulatory regime that harms the very people it seeks to protect. For millions of UK internet users, the stakes are profound.
Frequently asked questions
What content will be illegal or restricted under the Online Safety Act?
The Act creates two categories: illegal content (which platforms must proactively prevent) includes child sexual abuse material, terrorism content, fraud, hate crimes, harassment, and revenge porn. Harmful content (which platforms must protect children from) includes pornography, violent content, eating disorder promotion, self-harm encouragement, and bullying. Adult users can choose their own safety settings for legal but harmful content, but children must be protected by default. Platforms must remove illegal content quickly and prevent it being uploaded in the first place.
How will age verification work and what are the privacy concerns?
Platforms likely to be accessed by children must implement age verification or age assurance. Methods include: credit card checks, photo ID verification, facial age estimation AI, or third-party age verification services. Privacy campaigners warn this creates honeypots of sensitive data (ID documents, biometric data) vulnerable to breaches. There are also concerns about excluding young people who lack ID or whose parents won't provide it. Ofcom's codes of practice, published in November 2024, allow platforms to choose their method but require high accuracy and data minimisation.
Will the Online Safety Act break end-to-end encryption on WhatsApp and Signal?
The Act does not explicitly ban encryption, but requires platforms to use 'accredited technology' to detect child abuse material. No such technology currently exists that can scan encrypted messages without breaking encryption. WhatsApp, Signal, and Apple have warned they may withdraw from the UK rather than comply. The government insists technology will be developed, but cryptography experts say this is mathematically impossible without creating backdoors that undermine security for everyone. This remains the most contentious aspect of the Act, with legal challenges expected.