The UK's Online Safety Act, which became effective in July 2025, has failed to deliver significant improvements in child protection online, according to a new survey by Internet Matters. While the legislation aimed to make digital spaces safer for young users, early results show that families continue to bear most of the responsibility for managing children's online safety, with enforcement mechanisms proving both intrusive and ineffective.

The survey found mixed results in the Act's early implementation. Approximately half of children reported seeing more age-appropriate content, and roughly 40% of parents and children felt the online environment had become somewhat safer. Over 90% of children who noticed improved blocking and reporting features viewed these changes positively, citing clearer rules, restricted contact with strangers, and limits on high-risk functions as helpful developments.

However, age verification systems have proven easy to circumvent. Nearly half of children surveyed said age checks were simple to bypass, and about one-third admitted to doing so recently using tactics including fake birthdates, borrowed login credentials, spoofed facial recognition (one parent reported their 12-year-old son using an eyebrow pencil to draw a moustache for verification), and VPNs. More than half of children reported being asked to verify their age within a two-month period on major platforms like TikTok, YouTube, and Roblox, using methods including facial age estimation, government ID, and third-party assurance apps.

The protection gaps remain substantial. In the month following implementation of child protection codes, almost half of children encountered online harm, including violent, hateful, and body image-related content that should fall under the Act's protections. Parents expressed growing concerns about privacy and data use related to age verification, questioning whether collected information would be stored or reused by government or industry. The survey did not capture perspectives from adults posing as children to access child-only spaces, a risk parents associate with predatory behavior.

Security professionals should note that the current age assurance systems represent a poor safety-to-privacy trade-off. The report's authors concluded that while the Act has made safety features more visible, it has not produced a fundamental shift in online child protection. Harmful content remains widespread, age verification is inconsistent and easily circumvented, and emerging concerns around screen time, AI risks, and persuasive design remain inadequately regulated. Organizations implementing age verification should prioritize privacy-protective, centralized solutions over fragmented data collection across multiple platforms.

Source: https://www.malwarebytes.com/blog/family-and-parenting/2026/05/if-a-fake-moustache-can-fool-age-checks-is-the-online-safety-act-working