Age Verification and the UK Online Safety Act: What Adult Content Operators Must Do

By Steve Robertson 10 min read
A laptop screen showing an age verification error message blocking access to adult content under the UK Online Safety Act

If you run an adult website, age verification is no longer optional. Since 25 July 2025, any site or app that allows pornography must put highly effective age checks in front of that content. Ofcom is the regulator, and it started enforcing within days.

This is written for operators, not parents or curious users. The goal is simple: explain what the law actually requires, what counts as compliant, and what happens if you ignore it. We also cover the part most guides skip, which is how age checks sit alongside the payment side of running an adult business.

If you run an adult retail business selling physical products like toys or lingerie, the underwriting and tooling differ enough that we cover them separately on our adult retail payments page. If you are not sure where your business sits, tell us about your business and we will point you to the right setup.

What the Online Safety Act requires, and who is in scope

The Online Safety Act 2023 puts a legal duty on services likely to be accessed by children. If your service hosts or allows pornography, you must use age verification or age estimation to keep under-18s out of that content.

This is a duty of outcome, not effort. Putting a check somewhere on the site is not enough. The check has to actually stop children reaching the content, and it has to be applied before the content is visible.

The obligation reaches further than dedicated adult sites. In practice, the services Ofcom treats as in scope include:

  • Dedicated adult sites. Any site whose business is pornographic content sits at the centre of the rules.
  • User-generated content platforms. If users can publish adult content on your platform, you carry the duty even if you did not create it.
  • Subscription and creator platforms. Cam sites, fan-subscription services and paid membership platforms hosting adult material are squarely covered.
  • Social, dating and some gaming services. These face child-safety duties too, though the sharpest age-check obligation falls on pornographic content.

The legal basis sits in Section 81 of the Act, which sets out the duty to use age verification or age estimation so children are not normally able to encounter regulated content. You do not need to read the statute to comply, but you do need to treat the duty as live.

Does it apply to my site if I'm small or based overseas?

Yes, in most cases. The trigger is whether UK users can access your service, not how big you are or where your company is registered. A small operator hosting adult content for a UK audience is in scope.

There is no small-operator exemption for pornographic content. The common assumption is that Ofcom will only chase large platforms. What usually happens is the opposite at the edges: smaller adult sites have been among the first investigated, because non-compliance is easy to spot from the outside.

Being based overseas does not remove the duty either. If you serve UK users and take their money, treating UK law as someone else's problem is a weak risk position.

The 'highly effective' standard and the accepted age-check methods

Ofcom does not just ask for an age check. It asks for a highly effective one. A method is judged against four criteria, and it has to meet all of them.

  • Technical accuracy. The method must correctly assess age using sound, evidenced technology or data.
  • Robustness. It must hold up against people trying to get around it, not fold at the first workaround.
  • Reliability. It must produce consistent results across your real user base, not just in ideal conditions.
  • Fairness. It must work across different groups without unfairly excluding or misjudging them.

Self-declaration fails this standard. A box that asks "are you 18?" or a date-of-birth field with nothing behind it does not count. Neither does a warning page the user clicks through.

The methods Ofcom treats as capable of being highly effective share one feature: they put real evidence behind the check. The main options work differently and ask different things of your users.

MethodHow it worksWhat it asks of the user
Facial age estimationTechnology analyses a live selfie to estimate age, without saving the image or identifying the person.A quick selfie. Low friction, though some users dislike face scanning.
Photo ID matchingThe user uploads a passport or driving licence, checked against a live selfie to confirm it is them.An ID document plus a selfie. Higher friction and higher assurance.
Credit card checkA payment processor confirms a valid credit card, which only over-18s can hold in the UK.Card details. Simple, but excludes adults who use debit only.
Open bankingThe user briefly shares bank-held age data through a regulated connection. Designated as capable of being highly effective.A bank login step. Strong assurance, some user hesitancy.
Digital identity and mobile checksReuses verified age from a digital ID wallet or mobile network operator.Account access. Low friction where the user already has it.

Specialist age-assurance providers such as Yoti, Verifymy, OneID and TransUnion supply these checks. Merchant Advice is not an age-assurance provider and does not resell them, so treat that list as market context rather than a recommendation.

A common issue is choosing the method that looks cheapest or easiest to bolt on, then watching it crush conversion or fail the robustness test. The method matters more than operators expect. The right choice balances assurance against how many real adult users will actually finish the check.

Age verification vs age estimation: which do you need?

The two terms get used interchangeably, but they are not the same thing. The difference affects both your compliance position and your drop-off rate.

AspectAge verificationAge estimation
What it doesConfirms a user's exact age against a trusted source such as a bank or government ID.Estimates an age range using technology such as a facial scan.
Typical methodsPhoto ID matching, open banking, credit card checks.Facial age estimation.
CertaintyHigh. It proves the person is over 18.Probabilistic. It judges whether the person is clearly an adult.
Best suited toPornographic content, where firm proof of 18+ is expected.Faster filtering, usually with a conservative age buffer.

For pornographic content, lean toward firm verification or estimation set to a safe margin. The decision usually comes down to a few practical points:

  • Assurance level needed. The more clearly your content is pornographic, the stronger the proof Ofcom expects.
  • Robustness against sharing. Estimation set too loosely is easier to defeat, which undermines the robustness criterion.
  • Fairness across users. Estimation accuracy varies near the 18 boundary, so a buffer protects you and treats users fairly.

Estimation is not a soft option. Set badly, it fails the standard. Set well, it can be both compliant and low friction.

Penalties and Ofcom enforcement: the real cost of non-compliance

The headline penalty is severe. As the government's own explainer sets out, Ofcom can fine a non-compliant service up to £18 million or 10% of qualifying worldwide revenue, whichever is greater. For most operators, the revenue percentage is the number that hurts.

Enforcement is not theoretical. Ofcom opened investigations into dozens of adult sites within days of the 25 July 2025 deadline, and the pace has not slowed since.

  • Fines are already landing. By early 2026 Ofcom had launched investigations into more than 90 platforms and issued multiple fines, including a £1 million fine against an adult website operator.
  • Investigations move fast. Non-compliance is visible from the outside, so Ofcom does not need an insider tip to act.
  • Sites can be blocked. Beyond fines, non-compliant services can be blocked by UK internet providers, cutting off the audience entirely.
  • Reputation takes a hit. Being named in an enforcement action follows the business into every future banking and processing conversation.
  • Half-measures still count as failure. Early enforcement showed that a check users can trivially skip is treated as non-compliance, not partial compliance.

The reality check here is blunt. Most operators who get caught did have something in place. It just was not highly effective, or it was not applied before the content loaded.

Worried your setup leaves you exposed on both compliance and payments? Speak to a specialist and we will help you understand where the gaps are.

Age verification is only half of it: compliant payments for adult businesses

Solving age verification still leaves the other half of the problem. Adult content is a high-risk category for payments, and most mainstream processors will not touch it. Operators who fix age checks but ignore this often lose their ability to take money overnight.

Mainstream providers exclude adult content in their acceptable-use policies, then enforce it through account reviews and closures.

ProcessorStance on adult contentTypical outcome
StripeProhibited under its restricted businesses list and acceptable use policy.Account review, then closure, often with a settlement hold.
PayPalSexually oriented content and services are prohibited under the user agreement.Account limitation and funds held for up to 180 days.
Shopify PaymentsInherits Stripe underwriting, with adult content excluded.Underlying account closure cascades and store payments stop.

This is why easy onboarding is a trap. Signing up takes minutes, trading feels fine for a while, and then a routine review flags the content type. The closure is sudden, and any held funds and recurring subscriptions go with it.

Why mainstream processors don't work for adult content

The gap is not just policy. Mainstream platforms are built for low-risk volume, and adult traffic sits outside what their underwriting and risk appetite will support long term. A specialist high-risk acquirer is the stable route, because the whole account is priced and managed for the category from day one.

FactorMainstream processorsSpecialist high-risk processing
Adult contentProhibited by policy.Supported and underwritten for the category.
UnderwritingAutomated and low tolerance for the vertical.Manual and risk-aware, with the content type disclosed upfront.
ReservesRarely set until a problem appears, then imposed abruptly.Priced in from the start, so there are fewer surprises.
Account stabilityProne to sudden closure on review.Built to keep adult businesses trading.
Chargeback handlingGeneric thresholds that adult traffic often breaches.Tools and tolerances suited to the category.

The trade-off is real. Specialist processing usually carries higher rates and stricter onboarding than a mainstream account. What you buy with that is continuity, which is worth far more than a cheap rate that disappears at the first review.

Getting approved for adult-content payments: underwriting, documents and odds

High-risk approval is more involved than a mainstream sign-up, and a thin or careless application is the most common reason for rejection. Underwriters want to see a real, compliant business they can support. In practice, that means preparing the following before you apply:

  • Identity and ownership. Director ID, KYC documents, and clear ownership details for the business.
  • Proof of age-verification compliance. Evidence that highly effective age checks are live, which is increasingly a precondition, not a nice-to-have.
  • Processing history. Statements showing volumes, average transaction values, and chargeback performance where you have them.
  • Honest content disclosure. A frank description of what you sell or host. Undisclosed adult content is a leading cause of later closure.
  • Chargeback control. Evidence of how you keep disputes down, since high chargebacks are a top rejection trigger.

What improves your odds is rarely complicated. Live age-verification compliance, clean chargeback management, transparent disclosure and realistic volume projections do more than a polished pitch. This is where we help: as a broker, Merchant Advice matches operators to specialist acquirers that fit the business, rather than leaving you to guess. The full process sits on our adult content payments page.

Want to know your realistic approval chances for a specialist account? Speak to a specialist and we will assess your business and match you to the right acquirer.

How we got here: the age-verification timeline

The current rules did not appear overnight. They are the latest step in a decade of UK attempts to age-gate online pornography, and the trajectory matters because it shows this is settled, accelerating law rather than a proposal that might fade.

UK online age-verification timeline Key milestones from the 2017 Digital Economy Act to 2026 enforcement under the Online Safety Act. 2017 Digital Economy Act age-check mandate passed, never implemented October 2023 Online Safety Act becomes law and sets the age-assurance duty 17 March 2025 Ofcom gains enforcement powers under the regime 25 July 2025 Highly effective age checks required for sites allowing pornography 2026 Consultation on a safer digital childhood proposes going further
UK online age-verification, from the 2017 Digital Economy Act to live Online Safety Act enforcement.
  1. 2017: Digital Economy Act. The UK passed an earlier age-verification mandate for commercial pornography, but it was beset by problems and never implemented.
  2. October 2023: Online Safety Act becomes law. The Act set the duty of care framework and the age-assurance requirements.
  3. 17 March 2025: Ofcom gains enforcement powers. The regulator moved from guidance into active enforcement under the regime.
  4. 25 July 2025: age checks required. Sites allowing pornography had to have highly effective age checks in place.
  5. 2026: tightening continues. The government opened a consultation on a safer digital childhood, including proposals reaching further than the current rules.

The lesson from the earlier failed scheme is the opposite of reassuring. This time the duty is live, the regulator is funded and active, and the enforcement record is growing.

VPNs and the operator's robustness duty

The most common objection from operators is that users will simply switch on a VPN, so why bother. It is a fair observation about user behaviour and a poor basis for a compliance strategy.

VPN use does not remove your duty. The obligation is on you to deploy a highly effective check, and robustness against circumvention is one of Ofcom's four criteria. You are judged on the strength of your system, not on whether a determined user can route around it.

  • The duty stays with the operator. A user reaching for a VPN does not transfer responsibility away from your service.
  • Robustness is graded. A check that collapses under obvious workarounds risks failing the standard on its own terms.
  • You must not facilitate workarounds. Promoting or signposting circumvention methods aimed at users cuts against your duties.
  • Effort is not the test. The question is whether the method is highly effective, not whether it is perfect.

The practical takeaway is to choose a method that is genuinely hard to defeat, document why it meets the standard, and avoid anything that looks like helping users slip past it.

Privacy and data handling: what operators are responsible for

Age checks and user privacy are not in conflict, but how you handle the data is your responsibility. Done properly, a check confirms age without exposing identity or building a profile.

Strong methods are designed for data minimisation. Facial age estimation can return an age estimate without storing the image, and open banking can confirm age without handing you a user's full financial life.

Where you use a third-party age-assurance provider, you remain accountable for the user relationship and for choosing a provider that handles data responsibly. UK GDPR still applies, and mishandling sensitive age data carries both regulatory and reputational consequences. The ICO is the authority that enforces it. For adult services, a privacy failure is the kind of story that follows the brand for years.

Conclusion: get both halves right

Age verification under the Online Safety Act is mandatory, live, and actively enforced. For adult operators, the practical job is to deploy a highly effective method, apply it before the content loads, and be able to show why it meets Ofcom's four criteria.

Treat compliant age checks and compliant payments as two halves of the same problem. Solving one while ignoring the other still leaves the business exposed, either to a regulator or to a processor that drops you without warning.

Merchant Advice works as a broker for high-risk operators, matching adult businesses to specialist acquirers that will support the category for the long term. If you are setting up or reviewing an adult business, tell us about your business and we will help you get the payments side right while your age-verification compliance keeps the regulator satisfied.