Online Safety Act Forces U.K. Identity Verification Providers to Scale Fast and Shift Focus

The Online Safety Act 2023 came into force on July 25 in the United Kingdom, requiring a huge proportion of websites delivering content to U.K. citizens to begin enforcing age verification requirements. The new laws apply to websites, regardless of where they are based, provided there are “a significant number” of U.K. users or U.K. users are a “target market.” The misconception that the laws apply primarily to sites serving strictly adult content belies the true scale of the change, spanning mixed social media platforms to search engines and information sites such as Wikipedia, all falling under the affected umbrella. There are three categories of websites that have “additional duties,” largely coming down to the use of searches, content recommendation, and user-to-user capability, as well as the size of the U.K. user base.

This is a seismic change in the U.K. identity verification market, which has previously been focused on highly regulated markets such as finance and gambling, where Know Your Customer (KYC) requirements drive integration. U.K. media regulator Ofcom provides guidance on the criteria that define a site’s compliance requirements, as well as the measures they must implement. Where identity verification is required, a number of methods are deemed suitable, including credit card checks, photo ID matching, and age estimation through live biometric image processing. Platforms are instructed to ensure their verification methods are “technically accurate,” “robust,” and “reliable,” and the dual burden of compliance with the new requirements as well as data privacy requirements create a significant headache for sites with U.K.-based users.

For site owners, choice of partnerships is key. Established, mature verification service providers such as Jumio, ID.me, Ondato, and Onfido are key players benefitting from the explosion in adoption, due to the need for a proven track record in this high-risk environment. Security is of the utmost importance, and must scale with availability as the number of verification transactions skyrockets. Balancing capabilities, cost, and customer experience will be a challenging transition, with U.K. customers familiar with certain procedures—such as those common in financial verification—but lacking the trust and willingness to provide identity information to certain types of websites, and for certain types of services. The unpopularity of the new laws may result in an attrition to U.K. user bases and customers if the experience is not managed carefully. Websites seeking to avoid this must:

• Provide a seamless, low-disruption verification process that minimizes customer inconvenience.
• Offer a full range of options, ensuring that customers have at least one method available that they are comfortable using.
• Ensure data analytics capability to track attrition and user experience when faced with a verification prompt.
• Minimize unnecessary verifications with highly-reliable flagging of content. Excessive false positives requiring verification to access content that should not be restricted will erode trust and increase customer frustration—particularly if issues around flagging specific types of socially-sensitive content as “adult” automatically persist.
• Take responsibility for data privacy, partnering exclusively with demonstrably secured providers and participating actively in auditing.

As well as providing solutions with the reliability, interoperability, and security features to meet the needs of site owners, verification vendors have a core need to educate both the public and their customers. Identity service providers must find an efficient method to communicate the processes involved in a verification method, highlighting differentiation to customers and ensuring informed consent when prompting end users to choose between available options.