ICO and Ofcom: Self-declaration is not sufficient for age assurance
The ICO and Ofcom say that self-declaration alone (such as using tick-boxes) is not an effective means to determine the age range of online users, or prevent access by underage users.
This joint statement is aimed at organisations that use age assurance and are in scope of the Online Safety Act, and offer services likely to be accessed by children. Published under the umbrella of the Digital Regulation Cooperation Forum (DRCF) on 25 March, the statement recognises that all age assurance methods involve the processing of personal data. “You can process personal data for age assurance, as long as the method you use is necessary, proportionate to your risks, and complies with data protection legislation.”
However, the ICO and Ofcom say that they do not expect organisations caught under the Online Safety Act to use age assurance methods “that are not technically feasible or that introduce risks to rights and freedoms that outweigh the benefits”.
The Joint Statement emphasises several areas of alignment between Ofcom’s and the ICO’s approaches. It also includes a useful Annex giving a high-level summary of how to comply with the Online Safety Act and UK data protection legislation.
PL&B’s 39th International Conference, 6-8 July 2026 at St. John’s College, Cambridge, has a:
- Session, “Digital vulnerability: Data privacy and consumer law compared”, which addresses these issues and includes a speaker from BEUC, the European consumer organisation, and
- Formal debate at the Cambridge Union on the motion: “This House considers there is a need for specific laws to govern the use of online services by children.”