Why the Online Safety Act Puts People at Risk

The UK’s Online Safety Act sounds reasonable on paper: protect children from harmful content online. Who could argue with that? But like most well-intentioned legislation written by people who don’t understand how the internet actually works, it’s turned into a privacy-destroying mess that puts vulnerable people at serious risk.

Let me explain why this matters, and why you should care – even if you’re not in the UK.

What the Act Actually Does

The Online Safety Act forces websites and apps to verify users’ ages before they can access “adult content.” This includes obvious things like porn sites, but also dating apps, social media platforms, and pretty much anywhere adults might encounter adult topics.

But here’s where it gets absurd: the definition of “adult content” is so broad that platforms you’d never expect are now requiring face scans and passport uploads. Spotify now requires facial recognition to watch music videos marked 18+¹. Wikipedia is being forced to implement age verification systems that could compromise its open editing model². Even Discord has had to change its default settings for all UK users³.

Most perversely, people struggling with addiction now need to undergo facial recognition scans to access help quitting smoking or drinking⁴. Reddit communities about sexual assault support, mental health resources, and addiction recovery are all locked behind government ID checks. The law that’s supposed to protect vulnerable people is making it harder for them to get help when they need it most.

The government estimates over 100,000 online services could be subject to these regulations⁵. That’s not protecting children – that’s surveilling everyone.

The verification has to be “highly effective,” which in practice means uploading your passport, driving licence, or using facial recognition technology. The days of just ticking a box saying “I’m over 18” are over.

Companies that don’t comply face fines of up to £18 million or 10% of their global revenue. So they’re taking this seriously.

The Grindr Problem

Here’s where it gets dangerous. We already know Grindr has a terrible track record with user data – in January 2025, researchers discovered location data from millions of users was being sold to data brokers⁶. But the Online Safety Act makes this much worse.

To use Grindr in the UK now, you need to verify your identity using third-party verification services like FaceTec or Yoti. These companies don’t just check your age – they create detailed biometric profiles, share data with multiple partners, and retain information far longer than they claim⁷.

Here’s the critical issue: when you verify your age on Grindr, you’re not just sharing data with Grindr. You’re sharing it with verification companies that work with hundreds of other platforms, creating a comprehensive database of who uses which services. Research has shown these verification providers establish “multiple connections to third parties without user consent” and share data with partners you never agreed to work with⁸.

Think about what this means. There’s now a permanent, verifiable link between your real identity, your biometric data, and your presence on a gay dating app – all managed by third-party companies with questionable privacy practices. In countries where being gay is illegal, this kind of data trail can mean imprisonment or death. Even in supposedly tolerant places like the UK, LGBTQ+ people face discrimination, violence, and family rejection. Hate crimes based on sexual orientation still number over 22,000 per year, while transgender hate crimes have reached nearly 5,000 annually and are still rising⁹.

Beyond LGBTQ+ Communities

This isn’t just about gay dating apps. The verification requirements apply to any platform with adult content, including Reddit (where people discuss mental health, addiction, and abuse), Discord servers dealing with sensitive topics, dating apps like Tinder and Bumble, and even Spotify. Each verification creates another database linking your real identity to your online behaviour. Every database is a target for hackers, government requests, and data brokers.

The Technical Reality

The government promised “privacy-preserving” age verification, but that’s largely bollocks. The most “privacy-preserving” systems still require significant personal data, and many platforms are implementing much more invasive verification.

When similar laws were tried before (like the Digital Economy Act 2017), they were quietly abandoned because they were technically unworkable and privacy disasters waiting to happen¹⁰. The government failed to notify the EU of its plans, faced multiple delays, and eventually scrapped the scheme in 2019 after civil liberties groups warned it would create “vulnerable records of the public’s porn preferences” that could lead to blackmail and destroyed careers¹¹. But this time, the fines are big enough that companies can’t just ignore the rules.

The result? Many platforms are simply blocking UK users entirely rather than deal with the compliance nightmare. Others are implementing invasive verification that makes everyone less safe.

What Actually Happens

Early data from similar laws elsewhere shows a predictable pattern:

• Traffic to compliant sites drops significantly
• VPN usage surges as people try to bypass restrictions
• Users migrate to less regulated, often less safe platforms
• Children end up on platforms with worse safety protections

Meanwhile, the verification databases become honeypots for bad actors. Every breach puts real people at real risk.

The Censorship Problem

The Act’s definition of “harmful content” is deliberately vague, giving the government broad powers to decide what adults can see online. Ofcom, the regulator, still can’t agree on whether the law even covers misinformation.

This vagueness isn’t a bug – it’s a feature. It allows future governments to expand censorship without new legislation. Today it’s protecting children from porn. Tomorrow it might be protecting adults from “divisive” political content.

What We Lose

The Online Safety Act trades away fundamental rights – privacy, anonymous speech, access to information – for the promise of child safety. But it doesn’t actually deliver that safety. It just pushes activity underground, concentrates power with big tech companies that can afford compliance, and creates massive surveillance infrastructure.

Public opinion polling shows the complexity here – while 69% of people support age verification in principle, only 14-19% are actually willing to submit their ID to access these services, and two-thirds worry that harmless content is being blocked¹². But when Technology Secretary Peter Kyle was challenged on these legitimate concerns, his response was to accuse critics of being “on the side of predators” and compare them to Jimmy Savile¹³. This kind of rhetoric makes rational discussion impossible – call someone a paedophile sympathiser and suddenly no one wants to talk about surveillance overreach, privacy rights, or technical feasibility.

A Better Way

Real online safety comes from education, better platform design, and targeted enforcement against actual harmful content. It comes from giving parents and users tools to control their own experience, not from creating a surveillance panopticon that treats every adult like a potential threat to children.

The Online Safety Act isn’t making anyone safer. It’s making the internet more like China’s internet – tracked, monitored, and controlled. And the people who’ll suffer most are those who can least afford to have their private lives exposed.

We could have protected children without sacrificing everyone’s privacy. Instead, we chose surveillance. Don’t say you weren’t warned about what happens next.