Decoding the world of cybersecurity

TikTok age controls face Ofcom investigation

Ofcom has opened an Online Safety Act investigation into whether TikTok’s age-assurance controls are sufficiently effective at identifying children and limiting their exposure to harmful content.

TikTok age controls face Ofcom investigation
Summary
  • Ofcom is investigating TikTok under section 12 of the Online Safety Act.
  • The regulator says age-inference systems may, in some cases, have failed to identify a significant proportion of children.
  • No breach finding has been reached, and TikTok’s compliance remains under investigation.

Ofcom has opened an investigation into whether TikTok has complied with its duty to protect children from harmful content under the UK Online Safety Act.

The investigation concerns TikTok Information Technologies UK Limited and the obligations imposed by section 12 of the Act. Services likely to be accessed by children must use proportionate systems and processes to prevent or reduce exposure to defined categories of harmful material.

Where a service permits primary priority content that is harmful to children, it must use age assurance that is highly effective at determining whether a user is a child. Providers can follow Ofcom’s codes of practice or use alternative measures capable of meeting the statutory duty.

Ofcom’s case notice follows a review of measures used by major platforms and research into children’s online experiences. A separate report on age assurance says that, in some cases, age-inference models such as those used by TikTok may have failed to identify a significant proportion of children correctly.

The regulator has not concluded that TikTok breached the law. Its investigation will determine whether there are reasonable grounds to believe the company failed, or is failing, to comply.

The relevant child-safety duties took effect on 25 July 2025, giving Ofcom an operating period from which to examine implementation evidence. The inquiry will test the performance and governance of an automated control rather than merely confirming that one has been deployed.

Regulation reaches model performance

Age inference estimates an attribute rather than checking a single authoritative record. Systems may consider declared dates of birth, account activity, behavioural signals, device information, social connections, images, and other data.

Those models can produce false positives, where an adult is treated as a child, and false negatives, where a child is treated as an adult. The second error is central to the investigation because it can allow younger users to encounter material that the control was intended to restrict.

Compliance depends on how effectiveness is measured across age groups, languages, devices, behaviours, and attempts to evade the system. An aggregate performance figure may conceal poor results among users who misstate their age or alter their behaviour to avoid detection.

Platforms also need a process for uncertainty. Requiring stronger evidence before granting access can improve protection, but it can introduce privacy, fairness, accessibility, and user-friction concerns. The statutory assessment covers both technical performance and the way the wider process operates.

Internal testing, independent evaluation, live monitoring, appeals, and records of model changes can show whether the system remained effective over time. A one-off assessment provides limited assurance where user behaviour, model performance, and platform features continue to change.

Age assurance becomes identity infrastructure

Online-safety regulation is turning age assurance into a formal identity and access function. Although its purpose differs from workplace authentication, the control relies on comparable decisions about trusted signals, confidence thresholds, overrides, error handling, and adversarial use.

Platforms may depend on age-verification companies, mobile operators, digital-identity services, payment mechanisms, or facial age-estimation providers. Those arrangements bring data-protection, procurement, supplier-assurance, and technical-governance requirements alongside the platform’s own statutory responsibility.

Ofcom can impose financial penalties of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater, where non-compliance is established. The Act also provides routes to seek court orders affecting services that support access in serious cases.

The investigation may find that TikTok’s controls comply, require improvement, or breach the Act. Its outcome will establish what evidence Ofcom expects when a platform describes age assurance as highly effective and how model errors are assessed within a statutory safety regime.

×