60 Days of OSA Age Assurance: Learnings and what the future looks like

The Online Safety Act (OSA) marks a new chapter in how we think about digital responsibility. 60 days after the first duties came into effect, experts from across policy, industry, and child protection joined OneID®’s webinar – Making Online Safety Work for All: Learnings from 60 Days of Age Assurance in the UK – to share what’s working — and what’s next.

Hosted by George Billinge,Co-founder & CEO, illuminate tech, the session brought together Rob Kotlarz, Founding Director, OneID®, Ella Bradshaw, Policy and Public Affairs Manager, NSPCC, Iain Corby, Executive Director, AVPA, and Samiah Anderson, Head of Digital Regulation, TechUK to explore what the public, young people, and businesses are really saying about online safety — and how the next stage of age assurance will evolve.

To crystallise the discussions into a statement, Age Assurance and the Online Safety Act are not the end of the journey, but the start of a continuous process to make the online world safer, smarter, and more age-appropriate for everyone.

How have the UK public responded to the OSA?

The OSA applies to over 100,000 user-to-user and search services, introducing new duties to assess risk, identify child users, and apply appropriate safety measures.

Many children gain access to platforms meant for older users. Research shows that a significant number of children aged 8–12 are signing up to online platforms as 16+. It exposes them to risks they’re not ready for — from harmful content to unwanted contact.

The urgency is clear. Before the Act:

• Online grooming cases increased by 89% since 2018.
• 1 in 10 boys aged 11–14 saw harmful content within 60 seconds of going online.
• 59% of children said they accidentally encountered pornography.

The OSA is already helping reduce exposure to such harms and restore confidence in digital spaces. The Act answers years of advocacy from children, parents, and carers who called for meaningful reform.

“This isn’t about removing children from the internet. It’s about ensuring they can enjoy it safely.”
Ella Bradshaw, Policy and Public Affairs, NSPCC

Citing NSPCC’s conversations with parents and child protection campaigners, Ella noted families are comfortable with verification if they know it’s secure, limited in scope, and doesn’t build a digital profile of their child.

What businesses and the industry are learning

For many online platforms, the question has shifted from “Do we have to?” to “How do we do it well?”

In sectors such as dating, gaming and social media, businesses are realising that compliance and customer experience can go hand in hand. The perception that age assurance is costly or complex is quickly being replaced by evidence that modern, standards-based solutions are efficient and scalable.

“The technology to deliver compliant age assurance is already here — and digital identity wallets can make it more cost-effective.”
Rob Kotlarz, Founding Director, OneID®

Digital wallets and interoperable identity technologies enable businesses to verify customers repeatedly — securely — without storing sensitive personal data or repeating the entire verification process. These innovations reduce ongoing costs while building long-term trust.

Rob concluded his point on costs by warning about delaying action, “The biggest expense is often not the technology, but the cost of inaction — reputational damage, regulatory scrutiny, and loss of customer trust.”

Implementation in practice

According to AVPA, industry adoption has been faster and broader than expected.

“Immediately after the new rules came into force, we recorded 5.7 million age checks per day — and that’s just among our members.”
Iain Corby, Executive Director, AVPA

Rob shared that consumer adoption has been “huge”. OneID®’s privacy-first model connects to trusted data sources — like banks and mobile operators — enabling sub-second verification without ID uploads.

In just the first few weeks:

• Over 7 million users were verified.
• 150,000 minors were prevented from accessing age-restricted content.

Mobile-based checks quickly became the preferred method, valued for speed and ease.

“We’re verifying facts — not building profiles. That distinction is critical for both privacy and compliance. Businesses can confirm a user is over 18 without ever seeing their birth date or name.”
Rob Kotlarz, Founding Director, OneID®

This privacy-by-design approach ensures users remain in control while platforms gain confidence in who’s accessing their services.

The truth behind VPNs and OSA compliance

While VPN usage reportedly spiked by 1800%, Iain clarified that these numbers can be misleading. Even if adults downloaded VPNs to reduce friction, that doesn’t undermine the policy’s intent, which is to stop minors from accessing harmful content.

AVPA’s analysis found:

• Traffic on adult sites fell by around 47–48% post-implementation.
• Only 10–20% of that drop relates to VPN use — the rest shows the Act working as intended.

Reflecting on the numbers, Iain said, “Fingers crossed, the Act is delivering.”

A key question from the webinar audience — and one many businesses have asked — was whether using a VPN could allow users to bypass UK age assurance requirements.

Iain addressed the issue directly, “A VPN might obscure a user’s IP address, but it doesn’t exempt a platform from compliance. The duty of care still applies to any service accessible from the UK.”

What’s next: Smarter, global Age Assurance

Ella stressed that the Online Safety Act is just the first step in an evolving framework:

“If I’m a 7-year-old or a 17-year-old, you don’t have to be a child expert to know [they’ve] got very different vulnerabilities, very different risk levels, and need different protections online.”
Ella Bradshaw, Policy and Public Affairs, NSPCC

Future regulation will likely push towards:

• Minimum age enforcement — ensuring platforms uphold their own internal rules.
• Age-appropriate experiences — tailoring protections to developmental stages.

The next generation of age assurance must give every child an internet that matches their needs. The OSA was designed to evolve — and so will age assurance. Regulators are taking an iterative, technology-neutral approach that encourages innovation rather than prescribes it.

Beyond the UK, similar frameworks are emerging under the Digital Services Act (EU) and policy developments in the US and Australia. The UK’s experience is quickly becoming a blueprint for international best practice.

The conversation around age assurance is shifting from compliance to confidence. It’s not about ticking boxes — it’s about ensuring that everyone, from a 10-year-old gamer to a 17-year-old creator, can engage safely online.

Here are key learnings from the Age Assurance implementation.

1. Public adoption of age assurance has exceeded expectations.
2. Privacy-first technologies like OneID® are setting the standard for trust and usability.
3. VPNs don’t remove compliance obligations — jurisdiction still applies.
4. Innovations like Digital ID Wallets will drive costs down, making age verification more accessible to all platforms.
5. Children’s experiences are improving — early reports show reduced harm and greater confidence online. 

Learn more about Age Assurance and how it works.

Our Online Safety Age Assurance Buyer's Guide is all you need to learn about different age assurance measures, what compliance with Online Safety regulations across different regions requires, what privacy-preserving and seamless age checks should look like, and more.