Dear Secretary of State for Science, Innovation and Technology,
CC Ofcom
CC ICO
Age Assurance Must Be Safe, Private and Trusted
We are writing to raise serious concerns about how age assurance is being implemented under the Online Safety Act.
Platforms are now introducing age checks not only to restrict access to pornographic content, but also to limit access to features like direct messaging, or other forms of ‘harmful content’ covered by the Online Safety Act in order to meet their wider legal duties.
This means that millions of UK users are being asked to verify their age across a wide range of services from social media sites such as Bluesky and Reddit to Grindr a location-based social networking and online dating application for gay, bisexual, queer, and transgender people.
In many cases, this involves submitting highly sensitive personal data, such as ID documents or facial scans. Yet there is currently:
- No public register of approved providers
- No requirement for providers to meet any specific privacy or security standards, instead relying on data protection alone
- No requirement for platforms to choose trusted or certified providers
With other high risk industries, such as card payments, robust and compulsory standards have been developed. There are also powers within the data protection regime to create certification for industry standards.
However, while the banking industry can close card payment systems that are poorly managed, there is no simple way to enforce high standards within age verification.
Instead we are witnessing many big tech companies choose providers that are based outside of the UK and who have poor privacy terms and conditions. This leaves users exposed to unacceptable risks:
- Phishing, Sextortion, and impersonation: Without official verification, it is easy for scammers to mimic these checks to steal personal data.
- Weak security: Many age assurance systems process extremely sensitive data, yet often follow fewer cybersecurity standards than UK banks.
- Reuse of data: Some companies are using age assurance checks to collect extra data for advertising and profiling, such as users’ age and location.
- Loss of public trust: People are being asked to hand over private information to systems they can’t assess, understand, or opt out of to access.
This is especially concerning for LGBTQ+ users, and other marginalized groups who may rely on platforms that now require age checks and who face particular risks if privacy is not properly protected.
The UK already suffers billions of pounds in losses from cybercrime each year. Weak and unregulated age assurance systems will only make things worse. Exposing people to online harms such as blackmail unless Government acts it is likely to become a major vector for fraud, data breaches and exploitation.
What the Government must do
We urge the Government to work with the ICO and Ofcom to regulate age assurance conducted to comply with the Online Safety Act with a compulsory, high privacy and security standard that providers must adhere to.
We would welcome the opportunity to discuss these issues further and support the development of a safer, more accountable approach to age assurance.
Yours sincerely,
Firstname Lastname
