It's not surprising that the Online Safety Act doesn't cover personal data safety

On July 25, 2025, the Online Safety Act (OSA) went into effect in the UK, requiring sites hosting adult content and social media platforms to verify users' ages before allowing them to access adult content.

With age verification techniques including supplying personal/sensitive information to these sites or platforms (e.g. photo ID, a face scan, credit card information, email address or phone number), many UK residents have turned to using the best VPNs to circumvent the ban.

Concerns about the integrity of the third parties employed by sites or platforms have been raised, with many worried that their sensitive personal information will be stored, shared or even used to train AI models. However, many of these concerns have not been addressed by the UK government, with the focus being on the Online Safety Act's enforcement.

Cybersecurity and the UK government

While this may be concerning to many UK citizens who do not want their personal information to be shared or stolen, and who are worried about the potential ramifications of a data breach or leak at an age verification platform, it's not necessarily surprising that personal data safety hasn't been considered in the OSA.

In May 2024, it was revealed that nearly 70% of UK MPs had had their personal information leaked on the dark web, including personal and login information. MPs' email addresses were exposed 2,110 times, with some MPs targeted up to 30 times, and over 200 plain-text passwords were also leaked.

The most common cause of these information leaks was hacks or breaches of companies that MPs had signed up with using their parliamentary email – including Adobe, Dropbox and LinkedIn. This is incredibly poor cybersecurity practice, as the leaks demonstrate – if the MPs had reused the same login information for any other account, it would be easily accessible.

Even MPs who were on committees dedicated to looking after the cybersecurity of the UK had their personal data leaked, which is concerning considering the fact that you would expect them to have much more rigorous and robust data security practices.

However, it does make it less surprising that the Online Safety Act does not include any requirements for businesses to ensure that users' personal data is kept secure. It appears as though this simply hasn't been considered.

Additionally, with MPs like the Secretary of State for Science, Innovation and Technology Peter Kyle making inflammatory statements regarding pushback to the act – he posted on X that those who oppose it are "on the side of predators" – it appears that the government is far more concerned with the enforcement of age verification than ensuring that the sensitive information used for this is kept safe.

What does the Online Safety Act say about data security?

The Online Safety Act does lay out guidelines for the age verification checks themselves, namely that they must be "technically accurate, robust, reliable and fair," but this doesn't mention anything about them being secure.

Because the act does not outline any such guidelines for these age verification checks, sites and platforms do not have to use secure third parties. While many are choosing to – for example, Reddit has employed Persona, which deletes all user information within 7 days, and Spotify has employed Yoti, which deletes user data immediately – this offers little reassurance that this will be the case for most other sites.

The only statement regarding personal data safety has been from OFCOM, which briefly addressed data security and privacy concerns in an article on the Online Safety Act and what users need to know about it.

OFCOM stated: "Strong age checks can be done effectively, safely, and in a way that protects your privacy. As with everything you do online, you should exercise a degree of caution and judgement when giving over personal information.

"Data protection in the UK is regulated and enforced by the Information Commissioner’s Office (ICO). We work closely with the ICO and where we have concerns that a provider has not complied with data protection law, we may refer the matter to the ICO.

"In the UK people are familiar with having to prove their age in the offline world to buy age-restricted goods like alcohol and tobacco. Age checks to access [mature content] are just the same. It will help stop children from encountering [mature content] online, in the same way that a child should not be able to simply walk into a shop and buy a [NSFW] DVD or magazine."

In this statement, the onus is on the end user to make sure their personal data is kept safe, rather than having the Online Safety Act require that the age verification techniques must be secure in the first place.

Additionally, providing an ID card to a shop assistant, bouncer or bartender is incredibly different to taking a picture of your ID or scanning your face, especially when there is no guarantee that this information will be deleted.

After all, a shop assistant would not take a photocopy of your ID and then hang onto it for an unspecified amount of time afterwards.

Will UK citizens' data be protected under the Online Safety Act?

However, there is some comfort to come from the fact that third-party age verification services will have to follow UK-based data regulations.

Under the General Data Protection Regulations in the UK, personal data can only be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." Essentially, this means that data should not be retained when it is no longer needed.

While this could technically mean that age verification companies delete user data once their age has been verified – for example, Spotify's age verification partner, Yoti, does this – this may not be the case for all age verification services.

Additionally, the statement that OFCOM "may" refer companies to the ICO if they have sufficient concerns that an age verification company has not complied with GDPR does not quite feel good enough when people's faces and sensitive information are at risk.

Overall, while many companies do appear to be putting secure age verification checks in place, the concerns about personal data raised by the OSA are not unfounded.

Hopefully there will be more guidance released regarding the safety and security of UK citizens' personal data in the coming weeks.

Olivia Powell
Tech Software Commissioning Editor

Olivia joined Tom's Guide in October 2023 as part of the core Tech Software team, and is currently VPN Commissioning Editor. She regularly uses VPNs to make sure they deliver what they promise, and specializes in testing VPNs with streaming sites.
