Decoding the world of cybersecurity

UK social ban tests age assurance

The UK government plans to block major social media platforms from serving under-16s, creating a major compliance and identity challenge.

UK social ban tests age assurance
Summary
  • The UK government plans to ban major social media platforms from offering services to under-16s.
  • The measure is expected to come before Parliament before Christmas, with protections expected in spring 2027.
  • Platforms face difficult age assurance, privacy, product design, and enforcement choices.

The Department for Science, Innovation and Technology has set out plans to ban major social media platforms from offering services to under-16s, pushing age assurance, product design, and platform accountability deeper into the UK’s online safety regime.

The government says the restrictions are expected to be brought to Parliament before Christmas, with protections expected to come into force in spring 2027. The planned ban would apply to user-to-user platforms whose purpose is social interaction and which allow users to post material alongside algorithms. Snapchat, TikTok, YouTube, Instagram, Facebook, and X were named as examples of platforms expected to be in scope.

Messaging services such as WhatsApp and Signal are not intended to be included in the social media ban. The government also plans restrictions on harmful functions such as livestreaming and strangers communicating with children, with those controls applying across a wider range of online services, including gaming sites. Restrictions on those functions would be on by default for 16- and 17-year-olds.

The proposal goes beyond content moderation and takedown processes. Platforms would have to determine whether users are eligible to access a service at all, making age assurance an operational control rather than a policy statement. Services will need systems that can identify under-16 users with enough confidence to satisfy regulators while limiting unnecessary collection, retention, or exposure of identity data.

The engineering and governance choices are difficult. Age assurance can involve document checks, facial age estimation, payment instrument signals, mobile operator data, parental approval, device-level controls, account history, or third-party verification providers. Each approach creates trade-offs between accuracy, privacy, bias, accessibility, fraud resistance, exclusion, and data minimisation.

Large platforms and smaller services will face different operational pressures, but the compliance burden will be substantial across both groups. Weak systems will be bypassed easily, while intrusive systems can create new identity and privacy risks, especially for children. Heavy reliance on third-party providers adds dependency, auditability, data handling, breach exposure, and accountability concerns.

The exclusion of encrypted messaging services may reduce some privacy concerns, but it also creates scope boundaries that will need careful legal drafting. Social interaction, content posting, recommendation algorithms, livestreaming, gaming communities, private groups, direct messaging, and AI chatbot companions increasingly overlap inside the same digital environments. Services will have to determine which features are in scope, which users are affected, and which controls must be applied by default.

Ofcom’s role will become central once the framework is implemented. The regulator is already responsible for online safety enforcement and will have to translate political commitments into practical compliance expectations. Evidence of risk assessment, design changes, assurance testing, record keeping, complaint handling, and enforcement readiness will determine how credible implementation looks.

The proposal sits alongside wider UK platform regulation, including duties under the Online Safety Act and recent pressure around device-level child safety controls. Taken together, the direction is moving from content removal toward preventive design, eligibility checks, and default restrictions.

Technology companies will need more than revised terms of service. Identity architecture, data governance, moderation workflows, safety engineering, customer support, parental controls, fraud detection, and supplier contracts may all be affected. The compliance challenge is to prove that age controls work without creating a new stockpile of sensitive identity data.

×