UK Age Verification Law: Progress, Gaps, and What Comes Next
The UK's first year of enforced age verification has produced something rare in internet regulation: actual evidence. Ofcom's Report on the use of age assurance, published this week, shows that UK age verification law is working at the level of individual compliant services and not yet working at the level of the internet as a whole. That gap is the story.
Over 69 million age checks were completed across 32 UK services in the second half of 2025, a 23-fold increase on the preceding six months, according to the report. The Age Verification Providers Association told Ofcom this represented the largest coordinated deployment of age checks ever seen at a national scale. Ofcom chief executive Dame Melanie Dawes put it plainly: "The job is not done and tech companies need to go further," she said.
Three questions determine whether age verification is actually working: Have services deployed checks? Do those checks deter children at the gate? Has children's overall exposure to restricted content fallen? The first-year data shows meaningful progress on the first two. On the third, it does not.
What Ofcom age verification guidance actually shows
Video of the Day

Start with the number that connects deployment to experience. The proportion of children who encountered highly effective age checks when asked to verify their age rose from 25% to 43% between July 2025 and January 2026, Digit.fyi reported. That figure is the missing link between "69 million checks ran" and "something changed for children." It also explains why raw deployment numbers can mislead.
The deterrence evidence, where it exists, is striking. Among the roughly 8% of children aged 8 to 14 who attempted to access pornography, those who encountered an age gate largely did not persist. Around 87% of those children's visits to age-checked sites lasted under 30 seconds; 65% lasted under 10 seconds, the report shows. The presence of age assurance appears to deter children Ofcom's own careful phrasing rather than simply inconveniencing them.
Enforcement has teeth, too. Ofcom has opened 23 investigations into providers of 88 adult services; those investigations led 73% of targeted services to either implement age assurance or block UK users entirely, the report notes. Seven providers have been fined, with penalties ranging from £50,000 to £1.35 million.
Ofcom's own verdict on all of this is precise: age assurance is proving effective at the individual service level when deployed correctly, but not yet at an overall sector level, according to the report. That distinction carries the whole article.
Video of the Day
Why service-level success doesn't add up to system-level protection

The structural problem is this: nearly half of the pornography services actually visited by children in Ofcom's panel had no age checks in place, and children found them through ordinary search engines, the report found. Compliant services have raised the floor on the sites children most easily encounter. They have not removed the rest.
The search engine data makes the gap concrete. In May 2026, a third of first-page Google results for general pornography queries led to sites without protections; on Bing the figure was 54%. At least one unprotected result appeared in 90% of Google queries and 98% of Bing queries, Ofcom found. A child who meets an age gate, navigates back to a search engine, and tries again is in most cases one click from a site without one.
VPN use compounds this. Estimated daily UK VPN users rose from 1.2 million to 2.2 million immediately after age checks launched in July 2025, and have remained elevated, the report shows. A quarter of children aged 11 to 17 reported using a VPN in the preceding six months; 5% said they had used one specifically to access age-restricted content or features.
The government's response is to leave VPNs alone. "VPNs have legitimate privacy and security uses and we will therefore not age-gate or ban them," Technology Secretary Peter Kendall's statement said, as reported by Biometric Update. Instead, Ofcom has been asked to report by October on what platforms can do to detect and prevent VPN-based circumvention. The tension in that position is practical, not political: the government has acknowledged the circumvention tool, declined to restrict it, and asked platforms with limited means to solve it themselves.
Worth separating out here: search gaps and non-compliant sites are problems of coverage, not technology. They are fixable in principle through search engine cooperation, broader enforcement, and app-store-level controls. That matters because it points toward what would actually close the gap a whole-of-system approach rather than tighter checks at individual sites.
Where age checks work differently: social media and UK online safety age verification

Outside pornography, the question shifts. It is no longer just whether checks work, but whether the same type of check can work at all on platforms designed for mixed-age use.
Despite widespread adoption of age assurance on social platforms, Ofcom's research indicates no material change in the proportion of children encountering harmful content online. Some 73% of 11 to 17-year-olds recalled exposure to at least one piece of harmful content in the four weeks before the survey, the report found.
The reason progress hasn't transferred from pornography to social media is structural. On pornography sites, age assurance functions as a front gate: the entire service is off-limits until age is confirmed. On mixed-age social platforms, age checks at registration tell you who was a child when they signed up. They say nothing about what content reaches that child once inside. Ofcom's own guidance acknowledges this directly age assurance on social media needs to work alongside content moderation, recommendation systems, and product design, the report states. None of those are age assurance problems.
The technology compounds the issue. Several major platforms rely on proprietary age inference systems algorithms that estimate age from user behaviour which Ofcom does not consider capable of meeting its "highly effective" standard. The regulator says these systems may have failed to correctly identify large numbers of children on their platforms, according to the report. Ofcom has particular concerns about TikTok's approach and launched a formal investigation into whether it is complying with its duties to protect children from harmful content, Digit.fyi reported.
The limits that won't be engineered away

Even if search gaps close and social platforms adopt stronger checks, some constraints are not implementation problems. The Knight-Georgetown Institute's technical assessment, published earlier this year, is direct: no single age signal is sufficient on its own, all existing approaches carry either accuracy or availability problems, and it is not technically feasible to block all minors without also wrongly excluding a substantial number of adults. Every tighter check involves a tradeoff.
Privacy sits at the centre of this. Data protection and privacy concerns were the most commonly occurring theme in responses to Ofcom's own call for evidence, the report notes. Adults consistently resist submitting identity documents or biometric data to verify age online. One participant in Ofcom's qualitative research put it flatly: "There's no way I'm sticking my passport details in a random website." Those concerns have a concrete basis a data breach linked to identity verification on Discord exposed government-issued IDs belonging to around 70,000 users, the Open Rights Group noted earlier this year.
The Knight-Georgetown Institute notes that more privacy-protective approaches, including cryptographic and zero-knowledge designs, exist but are not yet widely deployed. The most commonly used systems, by contrast, require users to identify themselves directly or hand over facial images to third-party providers. UK age assurance rules have not yet resolved this tension.
Compliance costs appear manageable Ofcom estimates a median per-check cost of around £0.06 but user friction at age gates is suppressing traffic in ways that are difficult to cleanly separate from intended deterrence, the report indicates. Estimated daily visitors to approximately 21,000 adult services have declined by roughly a third since age checks launched, a figure that may reflect deterrence as well as migration to non-compliant alternatives.
What comes next
The first-year data is real evidence that age verification can deter children at the point of entry on major compliant sites. It is not evidence that the internet is safer for children overall. Treating per-site deterrence figures as proof of system-wide effectiveness would misread what Ofcom's report actually measures and Ofcom says so explicitly.
The next phase of UK age verification law is already in motion. Ofcom will deliver a rapid assessment to Parliament by the end of October on what highly effective age assurance looks like for an over-16 threshold, ahead of potential social media restrictions coming into force in 2027, the report confirms. Researchers at Frontiers in Public Health cautioned earlier this year that signals available so far are governance and implementation signals rather than evidence of policy effectiveness a distinction that will matter considerably when the UK applies the same logic to platforms where children are the intended users.
The practical upshot: the UK has demonstrated it can mandate and enforce age gates at individual services. Translating that into meaningful protection at scale requires coverage at search, app-store, device, and operating-system level. Ofcom has signalled it understands this its app-store report is due by January 2027, and Dame Melanie Dawes has called explicitly for a "whole-of-system approach." Whether the system can deliver on that ambition is the question the second year of data will need to answer.