On 16 January 2025, the UK Office of Communications (Ofcom) published its Statement on Age Assurance and Children’s Access, and officially commenced the process for user-to-user and search services (“Service Providers”) to conduct a children’s access assessment and implement robust age checks based on Ofcom’s published guidance. For completeness, we note that Ofcom also has published separate guidance on robust age checks for platforms that allow, display or publish their own pornographic content, but this is not considered further below.
We have outlined below some of the key elements of conducting a children’s access assessment and implementing age checks to assist in your review of Ofcom’s more detailed guidance on these topics.
Children’s access assessments
All Service Providers that fall within scope of Part 3 of the Online Safety Act 2023 (OSA) are required to carry out a children’s access assessment by 16 April 2025. This is essentially an assessment to establish whether the service that they provide is likely to be accessed by children.
See Ofcom’s detailed guidance on how this assessment should be carried out, but in summary, the assessment comprises two stages:
- Stage 1: Determining whether it is possible for children to normally access the service or part of the service. If Service Providers conclude that it is not possible for children to normally access the service because they have ‘highly effective age assurance’ in place (see more on this below), then they do not need to go on to Stage 2 and will not need to comply with children’s protection duties under the OSA.
- Stage 2: Determining (a) whether there are a significant number of children who are users of the service, and/or (b) whether the service is of a kind likely to attract a significant number of children.
The OSA does not define what is meant by a ‘significant number’ of children; however, Ofcom guidance suggests that this is ‘likely to depend on the nature and context of the service and should reflect a number or proportion that is material in the context of that service’. The guidance also notes that even a relatively small number of children who are users of the service could be deemed ‘significant’ in terms of the risk of harm, and that Service Providers should ‘err on the side of caution’ in making their assessment.
Helpfully for point (b), Ofcom has suggested a list of factors to assist Service Providers in assessing whether their service is of a kind likely to attract a significant number of children. These include an assessment of whether the service provides benefits to children; whether the content on the service is appealing to children; whether the design of the service is appealing to children; and whether children form part of the service’s commercial strategy. It is worth noting that even if a service does not actively target children or seeks to limit access to children below a certain age, it may still be of a kind likely to attract a significant number of children.
A Service Provider can only conclude that the Stage 2 test’ is not met, if they have evidence that they do not satisfy either of these criteria. If this test is not met, then the Service Provider does not fall within scope of children’s protection duties under the OSA.
If, after completing their first access assessment, a Service Provider concludes that their service is not likely to be accessed by children, they must continue to carry out new access assessments not more than a year apart.
A new children’s access assessment also must be carried out under specific circumstances – e.g., before the Service Provider makes any significant change to any aspect of the service’s design or operation; in response to evidence about reduced effectiveness of age assurance; or in response to evidence about a significant increase in the number of children using the service.
Highly effective age assurance
As mentioned above, when carrying out children’s access assessments, Service Providers may only conclude that it is not possible for children to access the service, or part of it, if age assurance measures have been implemented with the result that children are not normally able to access the service or that part of it.
Ofcom also provided guidance on implementing highly effective age assurance (HEAA) requirements for Service Providers. The guidance does not prescribe how Service Providers can meet their HEAA requirements. Instead, it recognises that there are likely several ways to implement HEAA measures and affords Service Providers a level of flexibility by:
- Setting out a nonexhaustive list of the kinds of age assurance that Ofcom considers are capable of being highly effective at correctly determining whether or not a user is a child – e.g., photo ID matching, facial age estimation, mobile-network operator age checks, credit card checks, email-based age estimation, etc. – as well as methods that Ofcom does not consider capable of being highly effective – e.g., self-declaration of age, age verification through online payment methods which do not require a user to be older than 18 (debit cards), and general contractual restrictions on the use of the service by children.
- Requiring that any age assurance method meet the following four criteria:
- Technical accuracy – the degree to which an age assurance method can correctly determine the age of a user under test lab conditions.
- Robustness – the degree to which an age assurance method can correctly determine the age of a user in actual deployment contexts.
- Reliability – the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence.
- Fairness – the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes.
- Requiring that they consider accessibility and interoperability when implementing HEAA, so that it is easy to use and works for all users (regardless of their characteristics or whether they are members of a certain group), and also requiring technological systems to communicate with one another using common and standardised formats.
- Requiring that all age assurance methods involving the processing of personal data follow a data protection by design approach. In this regard, the guidance flags where Service Providers should consult Information Commissioner’s Office (ICO) guidance for further information on data protection requirements.
What can you do to prepare?
All Service Providers have until 16 April 2025 to complete their children’s access assessment.
As a starting point, we recommend that your appointed team responsible for complying with the OSA determine whether your service (or part of your service) falls within scope of having to complete a children’s access assessment – i.e., if it is a user-to-user or search service as governed by Part 3 of the OSA.
Assuming your service is within scope, when completing Stage 1 of the children’s access assessment, your team should assess whether it is possible for children to normally access the service or part of the service.
If it is possible for children to normally access your service, you may wish to consider implementing HEAA to be able to conclude that it is not possible for children to normally access your service, and to avoid implementing children’s duties under the OSA.
If you choose not to implement HEAA, and your service has a significant number of children as users of the service, and/or the service is of a kind likely to attract a significant number of children, then you will need to carry out a children’s risk assessment within three months of Ofcom publishing its children’s risk assessment guidance in April 2025 (so by July 2025), as well as comply with Ofcom’s Protection of Children Codes once they come into effect in July 2025.
All Service Providers should ensure that they record the outcome of their children’s access assessment, as well as the steps taken and the detailed evidence used to reach their conclusion, regardless of the conclusion that is reached.
If you require any assistance with carrying out your children’s access assessment or determining which HEAA measures to implement, please don’t hesitate to contact Cooley’s online safety team.
Contributors