On paper, the new UK law called the Online Safety Act (OSA) sounds like a step forward. It’s supposed to keep kids away from pornography and harmful content by forcing websites to verify users’ ages. However, it might be handing your personal data to companies with a track record of getting hacked or misusing it.
Roughly 6,000 pornography websites have already agreed to start age checks. Platforms like Reddit, Grindr, Bluesky, and even X (formerly Twitter) began requiring UK users to verify their age by uploading photos of government-issued ID or selfies. The goal is to make the internet safer for minors but who are we trusting to manage that data?
Why privacy experts are sounding the alarm
Groups like the Electronic Frontier Foundation are already warning that the OSA could do more harm than good.
To verify someone’s age, platforms will request government ID, facial scans, or other biometric data. That data has to be collected, stored, and processed and some companies turn to third-party vendors for all of that. Storing this data creates incentives for companies to use it for advertising or surveillance.
The core problem with the Online Safety Act (and laws similar to it) is that it assumes the companies collecting this data will be responsible and keep this info safe. They rarely do.
Take the data breach dating safety app Tea experienced recently. Selfies and photo IDs were leaked despite Tea’s claims that it deleted those images after verification. Now thousands of people are left wondering where their personal information will end up. The OSA will only create more scenarios where sensitive data could wind up in the wrong hands.
There are also broader concerns like discriminating against those who don’t have formal ID, such as undocumented migrants. Age verification removes online anonymity for users researching sensitive topics like mental health or gender identity. Also, age estimation tools can make mistakes due to racial bias, lighting, or camera quality. Add it all up, and you’ve got a system that’s easy to circumvent for bad actors—but risky for everyone else.
Workarounds already exist
The OSA’s effectiveness is already in doubt. Since its rollout, VPNs have become the most downloaded apps in the UK, as users look for ways to spoof their location and avoid age checks altogether.
People are also using video game characters or celebrity photos to fool AI facial recognition. Gamers have successfully tricked facial recognition services by using Death Stranding’s photo mode thanks to protagonist Sam Bridges. Ad blockers and third-party clients are also helping people bypass ID verification prompts entirely.
These incidents show a pattern where the people more likely to obey the rules are the ones most likely to hand over their personal information. Meanwhile, tech-savvy users will turn to shortcuts and workarounds that could expose them to security and privacy risks.
Who’s responsible when it all goes wrong?
When these systems fail, who’s on the hook? Is it the platform that leaked your data? The third-party vendor that stored it? Or the government that required it in the first place?
Laws like the Online Safety Act often look good in headlines but fall apart in practice because they ignore the real behavior of real people. Desperate users will find workarounds. Hackers will find vulnerabilities and the rest of us are forced into handing our IDs to a site that just wants to show us some memes.
A bad trade-off in the name of safety
The Online Safety Act’s goal of protecting children from online harm isn’t the problem. Using error-prone verification systems and handing over sensitive ID data to private platforms is a high-risk gamble. When you trade privacy for safety and still end up with neither, you’ve built the wrong system.
Until lawmakers recognize the flaws in both their tech assumptions and their enforcement strategy, expect more breaches, more loopholes, and more frustration from users who were never the real problem to begin with.
