UK Online Safety Act for Adult Platforms: 2026 Compliance Guide Regulatory · Deep-diveUK Online Safety Act for Adult Platforms2026 compliance, in plain EnglishThe UK Online Safety Act 2023 became enforceable for "Part 5" services — services that publish or display pornographic content — in mid-2025. From January 2026 OFCOM is actively investigating non-compliant sites. Fines reach £18M or 10% of global revenue, whichever is greater. This guide is the operator-side summary: what you must do, what you can stop doing, and what the typical pricing looks like in 2026.£18Mmax fine12 moaudit-log retention"highly effective"age-assurance barGlobal reachapplies if any UK user The triggerWhat changed in 2026 — and why your VPN visitor doesn't help youThe Act applies to services that "have a significant number of users in the UK" or where the UK is a target market. There is no traffic-share floor: a site with 99% of traffic from the US can still fall under OFCOM jurisdiction if the operator markets to UK users, or if a single UK user can access pornographic content without highly effective age assurance.OFCOM's enforcement playbook in the first six months: 1) traffic-sample audit on the largest 80 sites; 2) UK-source complaints route to enforcement queue; 3) formal information requests; 4) formal investigation; 5) penalty notice or business disruption order. The disruption order is the one operators dread — it instructs ISPs and payment processors to cut off the service.The "VPN argument" — that all UK visitors are actually using VPNs — has been pre-rejected. Operators are required to take "proportionate" steps to detect VPN-based circumvention. Geo-blocking by IP alone is insufficient. The requirement"Highly effective age assurance" — what countsOFCOM's August 2025 guidance lists six categories that qualify as "highly effective":Photo ID + facial-similarity match — government ID upload plus live selfie matched within a defined similarity thresholdFacial age estimation — AI-based age estimate with a documented false-negative rate against under-18sMobile-network operator check — adult-content flag returned by UK MNO (EE, Vodafone, O2, Three) for the subscriber's accountOpen banking-derived age — bank-confirmed age via Open Banking APICredit-card check — credit-card-only verification (UK credit cards require 18+)Digital identity wallet — UK Government Verify successor or accredited third-party (Yoti, Persona, AgeGo)Self-declaration ("click here if you are over 18") is explicitly NOT highly effective. Cookie-based "remember my age" without re-verification at session start is also NOT compliant. Audit obligationsWhat you must log and retainWhatDetailRetentionVerification attemptsTimestamp, IP-hash, method used, outcome (pass / fail / fall-back)12 monthsMethod selection rationalePer-region / per-session reason the method was chosen12 monthsVendor identityWhich third-party processed the verification + their accreditation12 monthsOverride eventsAny case where a human operator overrode an automated fail5 yearsPeriodic-review recordsQuarterly OFCOM-style internal review of method efficacy5 yearsRetention is from the last access to the record, not creation. Plan storage accordingly. Real costsWhat this actually costs a 100K-MAU adult platform in 2026ItemOne-offAnnualYoti / Persona / AgeGo integration (Standard SDK)£5,000 – £15,000—Per-verification fees (assuming 30% return-rate, 100K MAU, 1 verify/quarter)—£48,000 – £120,000Audit-log infrastructure (storage + retrieval API)£3,000 – £8,000£1,200Compliance officer time (0.2 FTE)—£15,000 – £25,000Periodic-review external audit—£8,000 – £20,000Total Year 1£8,000 – £23,000£72,200 – £166,200Year 1 total range: £80K – £190K for a single-region UK-only implementation. Multi-region operators (UK + Texas + Louisiana + EU) typically 2-3× this. Cost driver is per-verification fee, not engineering. What we shipHow adults.dev fits inTwo products in our validation pipeline directly address UK OSA compliance:Compliance API →UK OSA + Texas SB12 + EU AI Act + 44 other jurisdictions in a single API. Pass user IP + age status + content category, get back the required gate type, audit-log spec, geo-block flag.Age Gate Widget →Drop-in JavaScript snippet that auto-selects the right verification method per region — Yoti for UK, Persona for US-states, AgeGo for EU. White-label. Built-in audit log. FAQCommon questionsDoes the OSA apply to a site hosted outside the UK?Yes. The Act is extra-territorial. If a UK user can access pornographic content without highly effective age assurance, the operator is in scope regardless of where the servers live.Can self-hosted age estimation count as "highly effective"?Only with documented false-negative rates against a representative under-18 population and periodic re-validation. Most operators use an accredited third-party because the documentation burden of "rolling your own" is higher than the per-verify fee.What about the CCBill / Verotel angle?CCBill updated their merchant requirements (v3.2, March 2026) to require OSA-compliant age assurance on UK traffic before processing. Verotel published similar policy in April 2026. Falling out of compliance puts your merchant account at risk before OFCOM gets involved.Will Cloudflare / our CDN cut us off?Cloudflare has historically been responsive to OFCOM business-disruption orders. The way to stay live is to fix compliance before the order issues — once it issues, getting the CDN back is a multi-week recovery.Does a paid-subscription paywall count as age assurance?Only if the payment instrument itself is 18+-gated (UK credit card √; PayPal ✗). Stripe + PayPal are mixed-age and do not qualify. SEPA direct debit is also insufficient.What if a user fails verification — can they still browse a "PG" version?Yes, and it is the recommended pattern. Send under-18 traffic to a non-pornographic mirror or a coming-soon page. OFCOM has explicitly approved the bifurcated approach as long as the gate decision is logged. RelatedKeep readingAI Regulatory Tracker →Subscription intelligence on the laws that affect your platform. 47 jurisdictions, weekly digest, real-time alerts.Verified Identity Portability →KYC-once, attestation passes to any participating platform. Cuts the per-verification cost from £0.50 to £0.05.All 16 validation ideas →B2B and creator-side ideas under demand validation. Each has a landing page; the ones that pull traffic are the ones we ship.