Online Safety Act: Age Verification and Data Reuse

Public debate around the UK’s Online Safety Act 2023 (OSA) has intensified since its age verification provisions came into effect in July 2025. Critics have warned that the Act could create a new pipeline for collecting valuable personal data, which technology platform companies and service providers might then monetise and reuse.

The risk of reuse is certainly conceivable, especially where data collected during age verification is used to build advertising profiles, sell identity datasets, or fuel commercial analytics. The UK Online Safety Act also does not appear to directly regulate how age verification data can be reused. This is understandable, as its scope is requiring proof of age for certain content, not setting privacy standards for processing age verification data.

This concern, while grounded in the realities of how personal data has been exploited in other contexts, requires a review, especially in view of the obligations placed on data processors and data controllers under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). For instance, a platform or service provider collecting age verification data will likely qualify as a data controller (or a processor for a controller) and must comply with strict data processing rules, including:

(a) Lawful Basis & Purpose Limitation: Personal data collected for age verification cannot be repurposed for advertising or unrelated analytics without a separate lawful basis. Accordingly, platforms and service providers must identify a lawful basis for processing personal data obtained during age verification.

(b) Special Categories of Data: Biometric verification (face scans, fingerprints) is generally subject to even stricter processing conditions.

If a platform or service provider were to use age verification data for unrelated commercial purposes without a valid lawful basis, the ICO can impose significant monetary fines. Data controllers and processors may also be subject to Enforcement Notices to stop the unlawful processing, or even to civil claims for compensation by affected users for material or non-material damage.

Key Takeaway

(1) For tech platforms and age verification service providers, the key takeaway is this: the OSA creates the requirement for robust age checks, but the DPA 2018 governs what can be done with the data. Commercial reuse of age verification data is not automatically permitted. In fact, the reuse of age verification data appears to be highly restricted.

(2) The OSA does not override the DPA 2018 protections.

(3) Unauthorised commercial use would almost always be unlawful under existing data protection law.

(4) Privacy-by-design models, such as pass/fail verification without storing personal data, are technically possible and already used by some providers.

In our view, the real compliance challenge is not the letter of the law, but ensuring that privacy commitments are embedded in technology design, operational processes, and contractual safeguards. In the age of mandatory verification, trust will be as important a competitive advantage as technical capability.  

Balogun Harold's insights are shared for general informational purposes only and do not constitute legal advice. For tailored guidance, please contact our Technology and Data Protection Lawyers at bhlegalsupport@balogunharold.com

Olu A.

LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)

Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.

olu@balogunharold.com

Kunle A.

LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)

Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.

k.adewale@balogunharold.com
