The term 'highly effective' appeared throughout the UK's Online Safety Act, but for months platforms struggled to understand what regulators actually meant. This week, clarity finally arrived; though experts suggest the definition still contains more flexibility than some had hoped.
Ofcom, the UK's online regulator, established four core criteria for evaluating whether age assurance methods qualify as 'highly effective': technical accuracy, robustness, reliability, and fairness. The guidance avoids prescribing specific technologies, instead setting principles that methods must meet.
Technical accuracy requires that systems correctly identify a user's age. If a method has a margin of error, platforms must set their challenge age higher to ensure children are not accidentally granted access. Robustness means platforms must stress-test systems against common circumvention attempts and develop countermeasures. Reliability demands that results remain consistent and derive from trustworthy evidence. Fairness requires systems to minimise bias across different user groups.
Ofcom has published a non-exhaustive list of acceptable methods, including photo ID matching combined with facial recognition and liveness checks, facial age estimation, open banking verification, mobile network operator checks, credit card verification, and reusable digital identity services. Email-based age estimation, which analyses the uses a user's email address has been put to, is also considered capable of meeting the standard.
What platforms cannot do is rely on self-declaration, payment card checks alone, or simple terms and conditions agreements. These fall plainly outside the 'highly effective' threshold. Services must also consider accessibility and interoperability, ensuring systems work for all users regardless of characteristics or group membership, and comply with data protection law overseen by the Information Commissioner's Office.
The principle-based approach aims to encourage innovation in a safety technology sector where the UK holds significant global expertise. Platforms retain flexibility in choosing which methods suit their services, provided the chosen method demonstrably meets the four criteria.
Research from Ofcom shows that eight per cent of children aged 8-14 in the UK visited an online pornography site in a month, including 3 per cent of 8 to 9-year-olds. The average age children first encounter pornography online is 13. This backdrop explains the regulatory urgency, particularly for services hosting adult content.
Services that publish their own pornographic material faced an immediate deadline to begin implementation. Most other platforms likely to be accessed by children had until 16 April 2025 to complete children's access assessments. The broader compliance deadline arrives 25 July 2025, when all platforms allowing pornography must have 'highly effective' age assurance in place.
Ofcom has already begun enforcement, issuing fines totalling more than £1 million to platforms failing to implement adequate age assurance or respond to regulatory information requests. Twenty new sites are now under investigation, bringing the total to 76.
Large platforms including PornHub, Stripchat and others have publicly confirmed compliance. Yet the definition's flexibility creates a grey zone. What constitutes sufficient 'robustness' against circumvention? How much drift in accuracy is acceptable? These questions will likely be resolved through enforcement actions and further guidance, rather than fixed rules, as Ofcom learns what works in practice.
Ofcom's implementation roadmap shows the regulator will publish a report by June 2026 assessing the effectiveness of age assurance measures and identifying any factors hindering their use. This review period suggests the regulatory definition will likely evolve as real-world deployment reveals its strengths and weaknesses.