
As one of the few people kicking around who has actually read the Online Safety Act 2023 in the entirety of its 353 pages, too many times now [you can read a TLDR version of the Act that I wrote translating it from legal jargon to layman's terms here], I feel it is something of a duty to correct some of the narrative presently floating around the internet, which is itself misinformation about the requirements under the Act.
The Online Safety Act does NOT require the providers of Regulated Services (aka most websites/online services) to collect the government-issued ID of every user. Where age verification is required, there are permitted alternatives to collecting IDs.
This is what the Online Safety Act actually says about IDENTITY VERIFICATION (note the wording, this is important!):

Section 64 of the Online Safety Act stipulates that ‘a Provider of a Category 1 service must offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service)’.
It goes on to say ‘the verification process may be of any kind (and in particular, it need not require documentation to be provided)’.
As an Information Security professional, I find it deeply alarming that so many providers of online services are so very quick to make drastic decisions based on hearsay and assumptions without, it seems, fully understanding the facts, placing the privacy of their entire user base, and in many instances paying customers, at risk.
Compounded, this is the IDs and thus privacy of tens of millions of people in the UK alone you’re dangling in front of threat actors with no real genuine need. You’re placing each one of those individuals at risk of identity theft, fraud and/or financial loss in collecting an ID you don’t actually need to collect.
Think about that for a second, really think about it.
There are alternative options available to verify a person’s identity under the Act, and it is YOUR duty as vendors to consider them.
If you’re not sure where to start, seek the guidance and counsel of an Information Security Consultant, perhaps one well versed in understanding the OSA and its requirements on Regulated Services.
We are not even two full months into 2026 and I have already lost count of the number of successful cyber attacks resulting in data breaches, literally.
It is easy in the age of information bombardment from media outlets and social media to get caught up in the pressure of feeling as though you have to make an immediate decision based on what is in front of you.
That is miscalculated and foolish. Do your own research. Understand the facts from the source, not the horse’s mouth of profit-driven media outlets and engagement-farming social media accounts.
The OSA has permitted Regulated Services time to make appropriate changes to enact the new requirements under the Online Safety Act; you are not required to rush.
I urge you to make informed decisions that actually benefit your user base and won’t result in an unnecessary data breach, loss of trust in your product, service and brand in placing the privacy of people at risk – not to mention the financial costs a business incurs following a successful data breach.
I would also say this: if you insist on collecting the IDs of users, and you say that you delete them after verification is complete, make sure that you really do.
Not doing so would open you up to lawsuit after lawsuit when the IDs you stated in writing you had deleted end up on the open internet in a public data breach.
To understand your position and requirements as a Regulated Service under the Online Safety Act, reach out and start a conversation with us.