ICO & Ofcom on age assurance: Key data protection issues

ICO & Ofcom clarify age assurance rules, urging robust, privacy-friendly checks to protect children online and ensure compliance with UK data protection law.

26 March 2026

Publication

On 25 March 2026, the Information Commissioner's Office (ICO) and Ofcom published a joint statement clarifying the interplay between online safety and data protection requirements as they relate to age assurance. The statement is particularly relevant for organisations in scope of the Online Safety Act (OSA) and UK data protection legislation, including the UK GDPR and Data Protection Act 2018. The joint statement aims to provide practical guidance to help organisations navigate the complex requirements of both regimes, supporting the shared goal of protecting children from harm online.

This latest statement signals a continued coordinated regulatory approach and builds on the ongoing collaboration between the ICO and Ofcom, following their previous joint statements in 2022 and 2024:

  • the 2022 statement set out a shared vision for a clear and coherent regulatory landscape for online services; and

  • the 2024 statement outlined the regulators' ways of working together.

The 2026 statement also draws on the ICO's recent open letter to social media and video sharing platforms, issued earlier this month, which urged immediate action to strengthen age assurance measures and move beyond reliance on self-declaration (see our update here). The ICO's communication emphasised that platforms must implement robust, privacy-friendly age assurance technologies and ensure full compliance with UK data protection law, particularly where a minimum age is set. Together, these interventions reinforce the commitment of both regulators to a coordinated, practical and risk-based approach to protecting children online and provide clear expectations for industry action and compliance.

1. Key Data Protection Considerations

The joint statement draws out several critical data protection themes for organisations implementing age assurance:

A. Lawful, Fair and Transparent Processing

Organisations must establish a lawful basis for processing personal data for age assurance. Where age assurance is required under the OSA, "legal obligation" is likely to be the relevant lawful basis.

Transparency is essential: organisations must provide clear and accessible privacy notices explaining why age assurance is required, what data is collected, how long it is stored and how users can exercise their data protection rights.

B. Data Minimisation and Purpose Limitation

Only data strictly necessary to confirm a user's age or age range should be collected. Age assurance processes must be designed to minimise the amount of personal data processed and ensure it is not retained for longer than necessary.

C. Proportionality and Risk-Based Approach

The chosen age assurance method must be necessary and proportionate to the risks presented by the service. For high-risk processing (e.g., large-scale profiling or targeting children for marketing), methods providing the highest possible level of certainty on a user's age are expected.

Where the risk of unlawful processing is high, self-declaration and profiling alone are not considered effective or compliant.

D. Accountability and Ongoing Review

Organisations must be able to demonstrate compliance with data protection principles, including conducting Data Protection Impact Assessments (DPIAs) where appropriate.

Age assurance processes should be regularly reviewed for effectiveness and updated in response to emerging risks or technological developments.

E. Children's Code (Age Appropriate Design Code)

Where a service is suitable for children, age assurance should support the application of the Children's Code standards, ensuring that children's experiences are age-appropriate and that essential data protection safeguards are in place.

F. Mitigating Circumvention Risks

Organisations must take steps to mitigate the risk of users circumventing age assurance measures, ensuring that the process is robust and binds proof of age to the user presenting for the age check.

2. Key Takeaways and Practical Next Steps

Given the regulatory clarity provided by the joint statement, organisations should consider the following practical steps:

A. Assess Applicability

Determine whether your service is likely to be accessed by children and whether it falls within the scope of the OSA and UK data protection legislation.

B. Review and Update Age Assurance Mechanisms

Evaluate your current age assurance methods against Ofcom and ICO guidance. Ensure that self-declaration is not used in isolation and that your chosen methods are effective, proportionate and minimise data collection.

For services with a minimum age (e.g., 13), deploy robust age assurance at account creation to prevent unlawful processing of underage children's data.

C. Enhance Transparency

Update privacy notices to clearly explain age assurance processes, data use, retention periods and user rights.

D. Conduct and Maintain DPIAs

Carry out DPIAs for age assurance processes, particularly where high-risk processing is involved. Regularly review and update DPIAs as technology and risks evolve.

E. Apply the Children's Code Where Appropriate

Where age cannot be reliably confirmed, apply the Children's Code standards to all users by default, ensuring a baseline of protection.

F. Monitor and Mitigate Circumvention

Implement technical and procedural safeguards to reduce the risk of circumvention and ensure ongoing effectiveness of age assurance.

G. Stay Informed

Monitor further guidance and updates from Ofcom and the ICO, as the regulatory landscape and best practices continue to develop.

3. Conclusion

The joint statement from the ICO and Ofcom provides much-needed clarity for organisations navigating the intersection of online safety and data protection. By adopting a risk-based, proportionate and transparent approach to age assurance, organisations can not only meet their legal obligations but also play a vital role in protecting children from harm online. Now is the time to review existing practices, enhance compliance frameworks and engage proactively with the evolving regulatory environment.

For further information or advice on implementing age assurance in line with the latest regulatory expectations, please contact your usual Simmons & Simmons adviser or reach out to one of the contacts listed on this page.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.