Online Safety Act: Age Verification and Data Reuse
Public debate around the UK’s Online Safety Act 2023 (OSA) has intensified since its age verification provisions came into effect in July 2025. Critics have warned that the Act could create a new pipeline for collecting valuable personal data, which technology platform companies and service providers might then monetise and reuse.
Without doubt, the risk of reuse is conceivable, especially where data collected during age verification is used to build advertising profiles, sell identity datasets, or fuel commercial analytics. Also, it appears that the UK Online Safety Act does not directly regulate how age verification data can be reused. This is understandable as its scope is about requiring proof of age for certain content, not setting the privacy standards for processing age verification data.
This concern, while grounded in the realities of how personal data has been exploited in other contexts, requires a review, especially in view of the obligations placed on data processors and data controllers under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). For instance, a platform or service provider collecting age verification data will likely qualify as a data controller (or a processor for a controller) and must comply with strict data processing rules, including:
(a) Lawful Basis & Purpose limitation: Personal data collected for age verification cannot be repurposed for advertising or unrelated analytics without a separate lawful basis. Accordingly, platforms and service providers must identify a lawful basis for processing personal data obtained during age verification.
(b) Special Categories of Data: Biometric verification (face scans, fingerprints) is generally subject to even stricter processing conditions. If a platform or service provider were to use age verification data for unrelated commercial purposes without a valid lawful basis, the ICO can impose significant monetary fines. Data controllers and processors may also be subject to Enforcement Notices to stop the unlawful processing or even civil claims for compensation by affected users for material or non-material damage.
Key Takeaway
(1). For tech platforms and age verification service providers, the key takeaway is this: the OSA creates the requirement for robust age checks, but DPA governs what can be done with the data. Commercial reuse of age verification data is not automatically permitted. In fact, the reuse of age verification data appears to be highly restricted.
(2). The OSA does not override the DPA 2018 protections.
(3). Unauthorised commercial use would almost always be unlawful under existing data protection law.
(4). Privacy-by-design models, such as pass/fail verification without storing personal data, are technically possible and already used by some providers.
In our view, the real compliance challenge is not the letter of the law, but ensuring that privacy commitments are embedded in technology design, operational processes, and contractual safeguards. In the age of mandatory verification, trust will be as important a competitive advantage as technical capability.
Balogun Harold's insights are shared for general informational purposes only and do not constitute legal advice. For tailored guidance, please contact our Technology and Data Protection Lawyers at bhlegalsupport@balogunharold.com
Olu A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)
Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
olu@balogunharold.com
Kunle A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)
Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
k.adewale@balogunharold.comRelated Articles
Sovereign Liability Exposure under Nigeria’s Space Economy Regulations - Key Considerations
The decision to cap an operator’s insurance and indemnity obligations at USD 15 million under sections 39 and 40 of the Regulation on Licensing and Supervision of Space Activities, 2015, raises questions as to the extent of residual exposure borne by the Federal Government of Nigeria under international space law.
Certificate of Capital Importation for Capital Goods and Equipment Imports into Nigeria: Key Considerations for Foreign Investors
Foreign investors entering the Nigerian market are often focused on company registration, tax compliance, and import approvals. However, one critical aspect that is frequently overlooked is the requirement to obtain a Certificate of Capital Importation (CCI) for the importation of capital equipment.
The FIRS-DGFIP Memorandum of Understanding: Key Legal Considerations for NRS
The NRS is subject to strict confidentiality and secrecy obligations under Sections 142 and 143 of the Nigeria Tax Administration Act (NTAA), 2025. The general rule mandates the confidentiality and secrecy of all taxpayer information. Under Section 143, taxpayer information may only be shared in the following limited circumstances
Dangote Refinery and the Legal Test for Predatory Pricing: Key Considerations
In the realm of competition law, predatory pricing is an illegal business strategy whereby a dominant operator intentionally reduces prices, often below the cost of production, with the goal of eliminating competitors from the market or preventing the expansion of competitors or entry of new competitors. While low prices are generally celebrated as pro-consumer, competition law draws a careful distinction between aggressive competition on the merits and exclusionary pricing by a dominant firm.