The Online Safety Act imposes statutory duties on providers of online services, which are services made available over the internet. The regulations aim to help keep people in the UK – especially children – safe from illegal and harmful content online.

This tool can help you to carry out an assessment and understand what to do next.

What is a children’s access assessment?

A children’s access assessment requires you to determine whether your service is likely to be accessed by children. A child is defined in the Act as a person under the age of 18.

As you complete your assessment, you will be asked about:

  • whether children can access your service
  • if there are a significant number of children using your service
  • if your service is likely to attract a significant number of children

Who needs to carry out an assessment?

If you or your business provides an online user-to-user or search service, such as a website or an app, you must carry out a children’s access assessment.

You must carry out separate assessments for each service you provide, if you provide more than one service.

What will the outcome mean?

If you conclude that your service is likely to be accessed by children, you will need to carry out a children’s risk assessment and comply with the children’s safety duties in the Act.

If only part of your service is likely to be accessed by children (for example, because you are using highly effective age assurance to restrict access to other parts of the service), you will need to carry out a children’s risk assessment and will be in scope of the children’s safety duties for that part of the service.

If you conclude that your service is not likely to be accessed by children, you will need to carry out a new assessment each year, or sooner in certain circumstances.

Steps to follow

  1. Complete a children’s access assessment

This step-by-step tool will help you to determine whether your service is likely to be accessed by children.

  1. Keep a record of your assessment

Once you have used this tool to carry out your assessment, you’ll be able to download a template containing your answers. You can use this as a record.

Alternatively, you can make your own records in any written format provided that it can be easily shared with Ofcom if required. You also have the option to download a template before starting the tool to fill in as you go.

The Online Safety Act imposes statutory duties on providers of online services, which are services made available over the internet. The regulations aim to help keep people in the UK – especially children – safe from illegal and harmful content online.

This tool can help you to carry out an assessment and understand what to do next.

What is a children’s access assessment?

A children’s access assessment requires you to determine whether your service is likely to be accessed by children. A child is defined in the Act as a person under the age of 18.

As you complete your assessment, you will be asked about:

  • whether children can access your service
  • if there are a significant number of children using your service
  • if your service is likely to attract a significant number of children

Who needs to carry out an assessment?

If you or your business provides an online user-to-user or search service, such as a website or an app, you must carry out a children’s access assessment.

You must carry out separate assessments for each service you provide, if you provide more than one service.

What will the outcome mean?

If you conclude that your service is likely to be accessed by children, you will need to carry out a children’s risk assessment and comply with the children’s safety duties in the Act.

If only part of your service is likely to be accessed by children (for example, because you are using highly effective age assurance to restrict access to other parts of the service), you will need to carry out a children’s risk assessment and will be in scope of the children’s safety duties for that part of the service.

If you conclude that your service is not likely to be accessed by children, you will need to carry out a new assessment each year, or sooner in certain circumstances.

Steps to follow

  1. Complete a children’s access assessment

This step-by-step tool will help you to determine whether your service is likely to be accessed by children.

  1. Keep a record of your assessment

Once you have used this tool to carry out your assessment, you’ll be able to download a template containing your answers. You can use this as a record.

Alternatively, you can make your own records in any written format provided that it can be easily shared with Ofcom if required. You also have the option to download a template before starting the tool to fill in as you go.

If you have highly effective age assurance in place on your service, it should not be possible for children to access it.

Age assurance is the implementation of an age assurance method or combination of methods to determine whether or not a particular user is or is not a child. The age assurance used must ensure that children (under-18s) are not normally able to access the service or part of it.

For more information on highly effective age assurance, you should refer to our Guidance on highly effective age assurance (PDF, 394.54 KB).

If you do not use highly effective age assurance, you should answer ‘yes’ as this means children are normally able to access your service. This will enable you to move on to stage 2 of the assessment. You do not have to carry out detailed further analysis or provide any evidence to reach this conclusion.

If you have highly effective age assurance in place on your service, it should not be possible for children to access it.

Age assurance is the implementation of an age assurance method or combination of methods to determine whether or not a particular user is or is not a child. The age assurance used must ensure that children (under-18s) are not normally able to access the service or part of it.

For more information on highly effective age assurance, you should refer to our Guidance on highly effective age assurance (PDF, 394.54 KB).

If you do not use highly effective age assurance, you should answer ‘yes’ as this means children are normally able to access your service. This will enable you to move on to stage 2 of the assessment. You do not have to carry out detailed further analysis or provide any evidence to reach this conclusion.

Is it possible for children to access all or part of the service?

An age assurance process refers to the end-to-end process through which an age assurance method or combination of methods are implemented to determine whether or not a particular user is or is not a child. The effectiveness of an age assurance method will depend on how it is implemented, including whether by itself or in combination with other methods. The age assurance process as a whole needs to be highly effective at correctly determining whether or not a particular user is a child.

To ensure that an age assurance process is, in practice, highly effective at correctly determining whether or not a user is a child, service providers should ensure that the process fulfils each of the following four criteria:

  • it is technically accurate
  • it is robust
  • it is reliable
  • it is fair

Kinds of age assurance that are capable of being highly effective include:

  • open banking
  • photo-identification (photo-ID) matching
  • facial age estimation
  • mobile-network operator (MNO) age checks
  • credit card checks
  • email-based age estimation
  • digital identity services

Kinds of age assurance that are not capable of being highly effective include:

  • self-declaration of age
  • age verification through online payment methods which do not require a user to be over the age of 18 (such as debit cards)
  • general contractual restrictions on the use of the regulated service by children

For more information on what constitutes highly effective age assurance, you should refer to our guidance on highly effective age assurance (PDF, 394.54 KB).

To conclude that children cannot normally access your service, you need to record details of the age assurance process you have in place.

Age assurance means the end-to-end process through which an age assurance method or combination of methods are implemented to determine whether or not a particular user is or is not a child.

To conclude that children cannot normally access your service, you need to record details of the age assurance process you have in place.

Age assurance means the end-to-end process through which an age assurance method or combination of methods are implemented to determine whether or not a particular user is or is not a child.

Do you have age assurance in place on your service?

Capability of the age assurance method on your service

The effectiveness of an age assurance method will depend on how it is implemented on your service, whether by itself or in combination with other methods. The entire age assurance process needs to be highly effective at correctly determining whether a user is or is not a child.

Age assurance methods considered capable of being highly effective include:

  • open banking
  • photo-identification (photo-ID) matching
  • facial age estimation
  • mobile-network operator (MNO) age checks
  • credit card checks
  • email-based age estimation
  • digital identity services

This list is non-exhaustive, and methods may be used in combination with each other.

Age assurance methods that are not capable of being highly effective include:

  • self-declaration of age
  • age verification through online payment methods which do not require a user to be over the age of 18 (such as debit cards)
  • general contractual restrictions on the use of the regulated service by children

Capability of the age assurance method on your service

The effectiveness of an age assurance method will depend on how it is implemented on your service, whether by itself or in combination with other methods. The entire age assurance process needs to be highly effective at correctly determining whether a user is or is not a child.

Age assurance methods considered capable of being highly effective include:

  • open banking
  • photo-identification (photo-ID) matching
  • facial age estimation
  • mobile-network operator (MNO) age checks
  • credit card checks
  • email-based age estimation
  • digital identity services

This list is non-exhaustive, and methods may be used in combination with each other.

Age assurance methods that are not capable of being highly effective include:

  • self-declaration of age
  • age verification through online payment methods which do not require a user to be over the age of 18 (such as debit cards)
  • general contractual restrictions on the use of the regulated service by children

Is the age assurance capable of being highly effective at determining whether a user is a child?

Implementation of the age assurance method on your service

For the age assurance method to be considered highly effective, the age assurance should be implemented in a way that is;

  • technically
  • robus
  • reliable
  • fair.

You can find more information about what this means and how you can ensure the age assurance is highly effective below.

Implementation of the age assurance method on your service

For the age assurance method to be considered highly effective, the age assurance should be implemented in a way that is;

  • technically
  • robus
  • reliable
  • fair.

You can find more information about what this means and how you can ensure the age assurance is highly effective below.

Technical accuracy is the degree to which an age assurance method can correctly determine the age of a user under lab test conditions.

How to ensure technical accuracy

Ensure the age assurance method(s) has been evaluated against appropriate metrics and the results indicate that the method(s) is able to correctly determine whether or not a particular user is a child under test lab conditions.

Where the age assurance process used involves the use of age estimation, the provider should use a challenge age approach.

Periodically review whether the technical accuracy of the age assurance process for the service could be improved by making use of new technology and where appropriate, make changes to the age assurance process.

Robustness is the degree to which an age assurance method can correctly determine the age of a user in actual deployment contexts.

How to ensure robustness

Implement age assurance processes that have undergone tests in multiple environments during development.

Identify and take appropriate steps to mitigate against methods of circumvention that are easily accessible to children and where it is reasonable to assume that children may use them.

Reliability is the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence.

How to ensure reliability

Where age assurance methods forming part of the age assurance process rely on artificial intelligence or machine learning, take steps to ensure that:

  • The artificial intelligence or machine learning method(s) has been suitably tested during the development of the age assurance process to ensure it produces reproducible results.
  • Once deployed, the artificial intelligence or machine learning method(s) is regularly monitored to ensure it produces reproducible results.
  • The outputs of the artificial intelligence or machine learning method(s) are assessed against key performance indicators designed to identify whether the artificial intelligence or machine learning produces reproducible results.
  • In circumstances where the artificial intelligence or machine learning method(s) used is observed to be producing unreliable or unexpected results, the root cause of the issue is identified and rectified.

Take steps to ensure that any data relied upon as part of the age assurance process comes from a trustworthy source.

Fairness is the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes.

How to ensure fairness

Ensure that any elements of the age assurance process which rely on artificial intelligence or machine learning have been tested and trained on data sets which reflect the diversity in the target population.

For methods reliant on artificial intelligence or machine learning, ensure the age assurance method(s) has been evaluated against the outcome / error parity and the results indicate that the method(s) does not produce significant bias or discriminatory outcomes.

Is the age assurance used or implemented in a way that is highly effective at determining whether a user is a child?

Children are not normally able to access your service

You should select ‘no’ and move on to stage 2 of the assessment if highly effective age assurance does not entirely prevent children from accessing your service. This includes cases where:

  • you allow children to access your service, or parts of it, even if you have highly effective age assurance in place
  • you allow children to access your service, or parts of it, and this is limited to certain features, functionalities, communities or content
  • you use highly effective age assurance but do not use access controls alongside it

Children are not normally able to access your service

You should select ‘no’ and move on to stage 2 of the assessment if highly effective age assurance does not entirely prevent children from accessing your service. This includes cases where:

  • you allow children to access your service, or parts of it, even if you have highly effective age assurance in place
  • you allow children to access your service, or parts of it, and this is limited to certain features, functionalities, communities or content
  • you use highly effective age assurance but do not use access controls alongside it

Does the age assurance method ensure that children are not normally able to access your service?

The following questions will help you to consider age assurance measures you may have in place. Answering these should enable you to conclude whether it is possible for children to normally access your service.

Age assurance means the end-to-end process through which an age assurance method or combination of methods are implemented to determine whether or not a particular user is or is not a child.

The following questions will help you to consider age assurance measures you may have in place. Answering these should enable you to conclude whether it is possible for children to normally access your service.

Age assurance means the end-to-end process through which an age assurance method or combination of methods are implemented to determine whether or not a particular user is or is not a child.

Do you have age assurance in place on your service?

Capability of the age assurance method on your service

The effectiveness of an age assurance method will depend on how it is implemented on your service, whether by itself or in combination with other methods. The entire age assurance process needs to be highly effective at correctly determining whether a user is or is not a child.

Age assurance methods considered capable of being highly effective include:

  • open banking
  • photo-identification (photo-ID) matching
  • facial age estimation
  • mobile-network operator (MNO) age checks
  • credit card checks
  • email-based age estimation
  • digital identity services

This list is non-exhaustive, and methods may be used in combination with each other.

Age assurance methods that are not capable of being highly effective include:

  • self-declaration of age
  • age verification through online payment methods which do not require a user to be over the age of 18 (such as debit cards)
  • general contractual restrictions on the use of the regulated service by children

Capability of the age assurance method on your service

The effectiveness of an age assurance method will depend on how it is implemented on your service, whether by itself or in combination with other methods. The entire age assurance process needs to be highly effective at correctly determining whether a user is or is not a child.

Age assurance methods considered capable of being highly effective include:

  • open banking
  • photo-identification (photo-ID) matching
  • facial age estimation
  • mobile-network operator (MNO) age checks
  • credit card checks
  • email-based age estimation
  • digital identity services

This list is non-exhaustive, and methods may be used in combination with each other.

Age assurance methods that are not capable of being highly effective include:

  • self-declaration of age
  • age verification through online payment methods which do not require a user to be over the age of 18 (such as debit cards)
  • general contractual restrictions on the use of the regulated service by children

Is the age assurance method capable of being highly effective at determining whether a user is a child?

Implementation of the age assurance method on your service

For the age assurance method to be considered highly effective, the age assurance should be implemented in a way that is;

  • technically accurate
  • robust
  • reliable
  • fair.

You can find more information about what this means and how you can ensure the age assurance is highly effective below.

Implementation of the age assurance method on your service

For the age assurance method to be considered highly effective, the age assurance should be implemented in a way that is;

  • technically accurate
  • robust
  • reliable
  • fair.

You can find more information about what this means and how you can ensure the age assurance is highly effective below.

Technical accuracy is the degree to which an age assurance method can correctly determine the age of a user under lab test conditions.

How to ensure technical accuracy

Ensure the age assurance method(s) has been evaluated against appropriate metrics and the results indicate that the method(s) is able to correctly determine whether or not a particular user is a child under test lab conditions.

Where the age assurance process used involves the use of age estimation, the provider should use a challenge age approach.

Periodically review whether the technical accuracy of the age assurance process for the service could be improved by making use of new technology and where appropriate, make changes to the age assurance process.

Robustness is the degree to which an age assurance method can correctly determine the age of a user in actual deployment contexts.

How to ensure robustness

Implement age assurance processes that have undergone tests in multiple environments during development.

Identify and take appropriate steps to mitigate against methods of circumvention that are easily accessible to children and where it is reasonable to assume that children may use them.

Reliability is the degree to which the age output from an age assurance method is reproducible and derived from trustworthy evidence.

How to ensure reliability

Where age assurance methods forming part of the age assurance process rely on artificial intelligence or machine learning, take steps to ensure that:

  • The artificial intelligence or machine learning method(s) has been suitably tested during the development of the age assurance process to ensure it produces reproducible results
  • Once deployed, the artificial intelligence or machine learning method(s) is regularly monitored to ensure it produces reproducible results
  • The outputs of the artificial intelligence or machine learning method(s) are assessed against key performance indicators designed to identify whether the artificial intelligence or machine learning produces reproducible results
  • In circumstances where the artificial intelligence or machine learning method(s) used is observed to be producing unreliable or unexpected results, the root cause of the issue is identified and rectified

Take steps to ensure that any data relied upon as part of the age assurance process comes from a trustworthy source.

Fairness is the extent to which an age assurance method avoids or minimises bias and discriminatory outcomes.

How to ensure fairness

Ensure that any elements of the age assurance process which rely on artificial intelligence or machine learning have been tested and trained on data sets which reflect the diversity in the target population.

For methods reliant on artificial intelligence or machine learning, ensure the age assurance method(s) has been evaluated against the outcome / error parity and the results indicate that the method(s) does not produce significant bias or discriminatory outcomes.

Is the age assurance used or implemented in such a way that it is highly effective at determining whether a user is a child?

Children are not normally able to access your service

You should select ‘no’ and move on to stage 2 of the assessment if highly effective age assurance does not entirely prevent children from accessing your service. This includes cases where:

  • you allow children to access your service, or parts of it, even if you have highly effective age assurance in place
  • you allow children to access your service, or parts of it, and this is limited to certain features, functionalities, communities or content
  • you use highly effective age assurance but do not use access controls alongside it

Children are not normally able to access your service

You should select ‘no’ and move on to stage 2 of the assessment if highly effective age assurance does not entirely prevent children from accessing your service. This includes cases where:

  • you allow children to access your service, or parts of it, even if you have highly effective age assurance in place
  • you allow children to access your service, or parts of it, and this is limited to certain features, functionalities, communities or content
  • you use highly effective age assurance but do not use access controls alongside it

Does the age assurance ensure that children are not normally able to access your service?

The child user condition consists of two criteria. The child user condition is met if one or both of the following statements is true for your service:
  • there is a significant number of children who are users of your service
  • your service is likely to attract a significant number of users who are children
The child user condition consists of two criteria. The child user condition is met if one or both of the following statements is true for your service:
  • there is a significant number of children who are users of your service
  • your service is likely to attract a significant number of users who are children

A significant number of users who are children means a number or proportion that is material in the nature and context of your service. This could be an absolute number or percentage or a proportion of users - even a relatively small number or percentage of children could be a significant number.

What constitutes a significant number of children for the purposes of a children’s access assessment is likely to depend highly on the nature and context of your service.

You should err on the side of caution when carrying out your assessment. The Act is intended to ensure that regulated services are designed and operated in a way that secures a higher standard of protection of children than for adults.

You’ll need to consider whether your service has, or is likely to attract, a 'significant number' of users who are children.

You should answer ‘Yes’ if any of the following apply:

  • your service is targeted towards children
  • the design or content of your service is appealing to children – such as its colours, presentation, features or functionalities
  • children form part of your commercial strategy
  • you know that there are child users on your service – noting that it can be challenging to accurately determine if a user is a child unless you use highly effective age assurance.
  • advertising or performance data indicates that children use your service

You should answer ‘Yes’ if any of the following apply:

  • your service is targeted towards children
  • the design or content of your service is appealing to children – such as its colours, presentation, features or functionalities
  • children form part of your commercial strategy
  • you know that there are child users on your service – noting that it can be challenging to accurately determine if a user is a child unless you use highly effective age assurance.
  • advertising or performance data indicates that children use your service

Is the child user condition met?

If you answer ‘yes’, you do not need to gather or provide any further evidence that there are child users on your service.

If you answer ‘no’ or ‘I don’t know’, we will ask further questions and provide factors to consider when making this determination.

If you answer ‘yes’, you do not need to gather or provide any further evidence that there are child users on your service.

If you answer ‘no’ or ‘I don’t know’, we will ask further questions and provide factors to consider when making this determination.

To conclude that the child user condition is not met, you need to confirm some details about your service and the data you may hold about your users.

If you answer ‘yes’ to any of the following questions, you can conclude that the child user condition actually is met and your assessment will be complete.

You may target your service towards children

Some service providers actively design their services for, or target their services at, children. This could be older children above a certain age (for example services targeting teens), or younger children on a service with no minimum age.

It is reasonable to assume that your service has, or is likely to attract, a significant number of users who are children if:

  • you include information that makes clear that children are permitted to use your service and how they may do so – this could be in your terms of service or publicly available statement
  • your commercial strategy includes obtaining revenue from children and parents through advertising, in-service payments or other ways

To conclude that the child user condition is not met, you need to confirm some details about your service and the data you may hold about your users.

If you answer ‘yes’ to any of the following questions, you can conclude that the child user condition actually is met and your assessment will be complete.

You may target your service towards children

Some service providers actively design their services for, or target their services at, children. This could be older children above a certain age (for example services targeting teens), or younger children on a service with no minimum age.

It is reasonable to assume that your service has, or is likely to attract, a significant number of users who are children if:

  • you include information that makes clear that children are permitted to use your service and how they may do so – this could be in your terms of service or publicly available statement
  • your commercial strategy includes obtaining revenue from children and parents through advertising, in-service payments or other ways

Do you target your service towards children?

Children may form part of your commercial strategy

If children form part of your commercial strategy, your service is likely to attract a significant number of children.

You may have data to demonstrate that your service is or is not likely to attract a significant number of children.

This could include:

  • information or data provided to or by advertisers, such as number of clicks on ads that show an interest in child-focused advertising
  • evidence from your business growth strategy
  • performance data, particularly the rate of growth in relation to users and/or revenue - if your service has a fast-growing user base it may reflect an increased likelihood of children engaging with your service.

Children may form part of your commercial strategy if you:

  • actively target children as part of your audience, for example by advertising your service as one for children or by including content types or designing it in a way that is likely to attract children
  • allow advertising, promotions, or competitions targeted at children on your service, as their nature, design, and content may be likely to particularly appeal to children
  • have a revenue stream that is linked to attracting children onto the service

Children may form part of your commercial strategy

If children form part of your commercial strategy, your service is likely to attract a significant number of children.

You may have data to demonstrate that your service is or is not likely to attract a significant number of children.

This could include:

  • information or data provided to or by advertisers, such as number of clicks on ads that show an interest in child-focused advertising
  • evidence from your business growth strategy
  • performance data, particularly the rate of growth in relation to users and/or revenue - if your service has a fast-growing user base it may reflect an increased likelihood of children engaging with your service.

Children may form part of your commercial strategy if you:

  • actively target children as part of your audience, for example by advertising your service as one for children or by including content types or designing it in a way that is likely to attract children
  • allow advertising, promotions, or competitions targeted at children on your service, as their nature, design, and content may be likely to particularly appeal to children
  • have a revenue stream that is linked to attracting children onto the service

Do children form part of your commercial strategy?

You may have evidence about the number of children using your service

This could include:

  • the number of complaints (if any) that you have received relating to children accessing your service, for example reports flagging users below the age permitted on your service
  • any actions taken previously in connection with children to enforce your terms, for example the number of accounts previously removed of users below the age permitted on your service
  • market research
  • quantitative evidence from third parties that track child media consumption, for example media trackers
  • advertising data
  • performance data, particularly the rate of growth in relation to users and/or revenue – a fast-growing user base may reflect an increased likelihood of children engaging with your service
  • evidence from highly effective age assurance

You may have evidence about the number of children using your service

This could include:

  • the number of complaints (if any) that you have received relating to children accessing your service, for example reports flagging users below the age permitted on your service
  • any actions taken previously in connection with children to enforce your terms, for example the number of accounts previously removed of users below the age permitted on your service
  • market research
  • quantitative evidence from third parties that track child media consumption, for example media trackers
  • advertising data
  • performance data, particularly the rate of growth in relation to users and/or revenue – a fast-growing user base may reflect an increased likelihood of children engaging with your service
  • evidence from highly effective age assurance

Do you have evidence about the number of children using your service?

The following questions will help you to consider whether you have evidence of child users on your service. Answering these should enable you to determine whether the child user condition is met.

If you answer ‘yes’ to any of the following questions, you may conclude that the child user condition is met, and your assessment will be complete. You do not have to carry out detailed further analysis or provide any evidence to reach this conclusion.

You may target your service towards children

Some service providers actively design their services for, or target their services at, children. This could be older children above a certain age (for example services targeting teens), or younger children on a service with no minimum age.

It is reasonable to assume that your service has, or is likely to attract, a significant number of users who are children if:

  • you include information that makes clear that children are permitted to use your service and how they may do so – this could be in your terms of service or publicly available statement
  • your commercial strategy includes obtaining revenue from children and parents through advertising, in-service payments or other ways

The following questions will help you to consider whether you have evidence of child users on your service. Answering these should enable you to determine whether the child user condition is met.

If you answer ‘yes’ to any of the following questions, you may conclude that the child user condition is met, and your assessment will be complete. You do not have to carry out detailed further analysis or provide any evidence to reach this conclusion.

You may target your service towards children

Some service providers actively design their services for, or target their services at, children. This could be older children above a certain age (for example services targeting teens), or younger children on a service with no minimum age.

It is reasonable to assume that your service has, or is likely to attract, a significant number of users who are children if:

  • you include information that makes clear that children are permitted to use your service and how they may do so – this could be in your terms of service or publicly available statement
  • your commercial strategy includes obtaining revenue from children and parents through advertising, in-service payments or other ways

Do you target your service towards children?

Children may form part of your commercial strategy

If children form part of your commercial strategy, your service is likely to attract a significant number of children.

You may have data to demonstrate that your service is or is not likely to attract a significant number of children.

This could include:

  • information or data provided to or by advertisers, such as number of clicks on ads that show an interest in child-focused advertising
  • evidence from your business growth strategy
  • performance data, particularly the rate of growth in relation to users and/or revenue - if your service has a fast-growing user base it may reflect an increased likelihood of children engaging with your service.

Children may form part of your commercial strategy if you:

  • actively target children as part of your audience, for example by advertising your service as one for children or by including content types or designing it in a way that is likely to attract children
  • allow advertising, promotions, or competitions targeted at children on your service, as their nature, design, and content may be likely to particularly appeal to children
  • have a revenue stream that is linked to attracting children onto the service

Children may form part of your commercial strategy

If children form part of your commercial strategy, your service is likely to attract a significant number of children.

You may have data to demonstrate that your service is or is not likely to attract a significant number of children.

This could include:

  • information or data provided to or by advertisers, such as number of clicks on ads that show an interest in child-focused advertising
  • evidence from your business growth strategy
  • performance data, particularly the rate of growth in relation to users and/or revenue - if your service has a fast-growing user base it may reflect an increased likelihood of children engaging with your service.

Children may form part of your commercial strategy if you:

  • actively target children as part of your audience, for example by advertising your service as one for children or by including content types or designing it in a way that is likely to attract children
  • allow advertising, promotions, or competitions targeted at children on your service, as their nature, design, and content may be likely to particularly appeal to children
  • have a revenue stream that is linked to attracting children onto the service

Do children form part of your commercial strategy?

You may have evidence about the number of children using your service

This could include:

  • the number of complaints (if any) that you have received relating to children accessing your service, for example reports flagging users below the age permitted on your service
  • any actions taken previously in connection with children to enforce your terms, for example the number of accounts previously removed of users below the age permitted on your service
  • market research
  • quantitative evidence from third parties that track child media consumption, for example media trackers
  • advertising data
  • performance data, particularly the rate of growth in relation to users and/or revenue – a fast-growing user base may reflect an increased likelihood of children engaging with your service
  • evidence from highly effective age assurance

You may have evidence about the number of children using your service

This could include:

  • the number of complaints (if any) that you have received relating to children accessing your service, for example reports flagging users below the age permitted on your service
  • any actions taken previously in connection with children to enforce your terms, for example the number of accounts previously removed of users below the age permitted on your service
  • market research
  • quantitative evidence from third parties that track child media consumption, for example media trackers
  • advertising data
  • performance data, particularly the rate of growth in relation to users and/or revenue – a fast-growing user base may reflect an increased likelihood of children engaging with your service
  • evidence from highly effective age assurance

Do you have evidence about the number of children using your service?

Ofcom recognises that it can be challenging to accurately determine how many users of your service are children.

Reviewing the features, design and content of your service will help you consider whether it has, or is likely to attract, a significant number of users who are children – and decide whether the child user condition is met.

Below is a non-exhaustive list of factors you should consider in reaching a conclusion. You should also consider any other factors that may apply to your service, taking all relevant sources of data you may hold into account. 

Case studies are included on this page to illustrate how a service provider may use these factors when determining whether the child user condition is met.

Factors your service may have that are likely to attract children

Even if your service does not actively target children or has a minimum age limit, it may still be of a kind likely to attract a significant number of children. In the context of the Act, a child is a person under 18.

For example, if your service is likely to attract a significant number of older children aged between 15 and 17, this would be sufficient to meet the child user condition, even if you are confident younger children are not using your service.

You should consider factors and evidence about your service when making a judgement of whether your service is likely to attract children. These include:

  • whether your service provides benefit to children
  • the range of content on your service
  • the design and functionalities of your service

Some factors will be more relevant to your service than others, and there may be other relevant factors and types of evidence that we have not listed.

Ofcom recognises that it can be challenging to accurately determine how many users of your service are children.

Reviewing the features, design and content of your service will help you consider whether it has, or is likely to attract, a significant number of users who are children – and decide whether the child user condition is met.

Below is a non-exhaustive list of factors you should consider in reaching a conclusion. You should also consider any other factors that may apply to your service, taking all relevant sources of data you may hold into account. 

Case studies are included on this page to illustrate how a service provider may use these factors when determining whether the child user condition is met.

Factors your service may have that are likely to attract children

Even if your service does not actively target children or has a minimum age limit, it may still be of a kind likely to attract a significant number of children. In the context of the Act, a child is a person under 18.

For example, if your service is likely to attract a significant number of older children aged between 15 and 17, this would be sufficient to meet the child user condition, even if you are confident younger children are not using your service.

You should consider factors and evidence about your service when making a judgement of whether your service is likely to attract children. These include:

  • whether your service provides benefit to children
  • the range of content on your service
  • the design and functionalities of your service

Some factors will be more relevant to your service than others, and there may be other relevant factors and types of evidence that we have not listed.

You should consider whether your service may provide benefits to children and may therefore be more appealing to children. For example, the types of benefits may include, but are not limited to:

  • providing educational value for children
  • entertaining or allowing children to be creative
  • enabling children to express themselves
  • facilitating the sharing of advice and support between children
  • providing a supportive environment for child users, where some may feel a sense of belonging
  • facilitating children connecting with others, including to build friendships or relationships

If your service has a wide range of types of content this will usually mean that the service is more likely to have some type of content that appeals to children. This would meet the child user condition.

If your service only has a narrow range of content, you should assess whether this content is likely to appeal to children. For example, evidence suggests that children are attracted to dating and pornography services.

Types of content
that appeal to children

Many types of content are particularly appealing to children. If your service hosts, displays, or makes accessible content of this nature, it may suggest that you are likely to attract a significant number of children.

Entertainment and popular culture
  • music
  • videos
  • humour or funny content
  • influencers
  • celebrities
  • music
  • film
  • TV
  • books
  • comics
  • cartoons
  • animation
Creative activities
  • art
  • music
  • singing
  • photography
  • videography
  • drawing
  • painting
  • cooking
  • drama and acting
  • crafts
  • creative writing
  • beauty, makeup and fashion

Content created by children may particularly appeal to other children.

Games and sports
  • gaming
  • sports
  • esports
  • sports personalities
Making connections
  • friendships
  • dating
  • relationships
  • content of a sexual nature
Lifestyle and careers
  • content about future careers and finance and content from lifestyle influencers
Health, challenges, and support
  • content about relationships
  • physical, mental or personal issues and challenges
  • content enabling engagement with other individuals experiencing the same challenges
  • content proposing to offer support, guidance or advice for the above
  • content about wellness, health, and fitness
Education, learning, and knowledge
  • content enabling the development of new skills
  • content to help with schoolwork and homework (looking up information)
  • content providing advice on further education and careers
  • motivational content around self-improvement
  • financial content (making money and becoming financially independent)
  • Current affairs and engaging in civil activity
  • consuming content through non-traditional media
  • news about music and musicians, celebrities, and other influencers
  • petitions
  • informal political commentary

These examples are indicative and this list is not exhaustive; your service may still be of a kind likely to attract a significant number of children if it does not include any of the content types listed.

Some services may have content which would fall into one of the above categories but may not be of a kind likely to attract a significant number of children because of the specific nature of the type of content in question. For example, while older children may be interested in making money and becoming financially independent, it is less likely that they will be interested in a forum discussing re-mortgaging or pensions.

The colours and presentation of your service may attract children. Bright, bold colours and characters that capture their imagination, cartoons, graphics, storylines, and other interactive features all play a role in attracting children.

The functionalities of your service may be likely to attract children or encourage use by children (both independently and with adult supervision) if those functionalities augment or improve their online experience.

This could include:

  • the ability to make a user profile
  • the ability to create and post their own content
  • making connections with other users
  • direct messaging

Social media services are an example of a service type that contains these functionalities.

There may be other functionalities and features that appeal to children. You should consider whether your service has any design features that may attract children and encourage access, whether independently or with adult supervision.

Your service may unintentionally target children, for example if it is advertised on other services that are targeted at children or are known to be accessed by children, as this may encourage children onto your service.

Children may also be attracted to new and innovative services, as they are typically early adopters of technology.

Case studies

These examples demonstrate how you can use the list of factors to determine whether the service is likely to be accessed by children in practice.

Case studies

These examples demonstrate how you can use the list of factors to determine whether the service is likely to be accessed by children in practice.

A micro-business sets up a forum where users can discuss retirement plans. 

Such a service would not be targeted at children, and this would likely be reflected in its business plan and marketing, therefore the service may conclude that children do not form part of the service’s commercial strategy. The service provider may also consider that the service does not provide a benefit to children, that the content would not appeal to children, and that the design is not attractive to children. The content on the forum is about retirement plans and would therefore appeal to adults. The service provider in this case may therefore conclude that the service is not of a kind likely to attract a significant number of users who are children.

Such a service may also have user data to suggest that there are not a significant number of children on the service. For example, the service’s total user base is 5,000 UK monthly users. It has never deleted any accounts due to reports of the user being a child, or received complaints or reports about users who are children on the service.

The provider concludes that the child user condition is not met. The provider records the date, the outcome, the steps taken, and the evidence used to justify their conclusion.

A service is offering an online community forum on travel, building friendships and overcoming challenges. The service is targeted at adult users who are 40 and over. The articles and discussion on the forum relate mainly to travel for women over 40. The other content on the forum discusses new job opportunities for women seeking a career change.

Such a service would not be targeted at children, and this would be reflected in the content of the service. The service provider may also consider that the service does not provide a benefit to children, that the design is not attractive to children, and the advertising on the service is targeted at an older adult demographic. 

The provider considers that the size of its user base allows it to profile it accurately using internal information. It may analyse a range of user data, which suggest that existing users are highly unlikely to be children. It may also look at publicly available statistics on children’s access to services similar to its own. The service also considers whether there have been any reports of users being children, or any under-age accounts being blocked. It has never deleted any accounts due to reports of the user being a child, or received complaints or reports about users who are children on the service.

The provider concludes that the child user condition is not met. The provider records the date, the outcome, the steps taken, and the evidence used to justify their conclusion.

A service is offering an online site for information and discussion on local sporting activities. The service does not have an age limit on users, but it targets senior citizens in London.

Such a service would not be targeted at children, and this would be reflected in the content of the service. This service provides information to users on sports and other social activities across London targeted at senior citizens. The service provider may also consider that the service does not directly benefit children. In addition, although the service has particular features that children like to use, given the nature of the content and the purpose of the service, the provider may find that it is unlikely that the service will appeal to children. The provider may also consider the marketing strategy for the site. They target an older demographic only and advertising data reflects engagement with adult users. Consequently, the provider may conclude that children do not form part of their commercial strategy.

The provider concludes that the child user condition is not met. The provider records the date, the outcome, the steps taken, and the evidence used to justify their conclusion. 

A large dating service states in its terms of service that users must be over 18 and asks users to declare their age during registration. The service states publicly that it is not targeted at children and it does not have children on its service. The service provider is initially confident that its service will not be considered ‘likely to be accessed by children’. 

As the service does not have highly effective age assurance in place, the provider moves on to consider the child user condition. The provider reads through the guidance provided by Ofcom. The provider considers the list of factors provided across both criteria of the child user condition. The provider decides to start their assessment with the second criterion (whether the service is “of a kind likely to attract a significant number of children”). 

The provider has reviewed available evidence and information on whether children are attracted to their service or similar ones. Publicly available evidence suggests that children, particularly older children, are interested in making connections and building relationships. Research and media reports indicate that this is part of what makes a dating site appealing to children. The provider also acknowledges that some of their sites’ functionalities, such as the ability to create a user profile and to direct message other users are functionalities that are attractive to children. The provider is also aware of news reports of children who have gained access to similar services. Despite the provider’s intention, terms of service, and commercial strategy, it is evident that services similar to theirs appeal to children. In addition, the provider has also received complaints about children using the service. The provider has reason to believe that some children have given false ages.

In light of this information and recognising that ‘significant’ is context-specific and can mean a relatively small number, the provider concludes that the child user condition is met. The provider records the outcome. The provider does not need to record any evidence. The provider moves on to the children’s risk assessment. 

A search engine provides links to other websites and information. The service’s publicly available statement does not have a minimum age requirement for users. No account is needed to access the service. However, there is an option to create an account. 

The provider reads through the guidance provided by Ofcom. Under stage 1 of the assessment, the provider notes that children can normally access the service. This is because the service does not have highly effective age assurance in place. 

The provider moves on to stage 2 of the assessment. In order to complete the assessment swiftly, the provider decides to start with the second criterion (whether the service is ‘of a kind likely to attract a significant number of children”). It is publicly known that the service is used by children.

The provider also recognises that their service provides benefits from children, for example for educational and entertainment purposes. The provider concludes that the child user condition is met. The provider records the outcome. The provider does not need to record any evidence. The provider moves on to the children’s risk assessment.

Considering how all relevant factors relate to your service

You will now need to consider whether the child user condition is met, considering how these factors relate to your service.

The child user condition is met if one or both of the following criteria is true for your service:

  • there is a significant number of children who are users of the service
  • the service is of a kind likely to attract a significant number of users who are children

If you conclude that your service has or is likely to attract a significant number of child users, and therefore that the child user condition is met, you do not need to gather additional evidence or keep a detailed record of the evidence you have relied on to support this conclusion.

If you conclude that your service does not have and is not likely to attract a significant number of child users, and therefore that the child user condition is not met, you must record this decision. You must be able to justify your decision-making, demonstrating the steps you have taken to reach your decision. You must record evidence against both criteria of the child user condition.

Considering how all relevant factors relate to your service

You will now need to consider whether the child user condition is met, considering how these factors relate to your service.

The child user condition is met if one or both of the following criteria is true for your service:

  • there is a significant number of children who are users of the service
  • the service is of a kind likely to attract a significant number of users who are children

If you conclude that your service has or is likely to attract a significant number of child users, and therefore that the child user condition is met, you do not need to gather additional evidence or keep a detailed record of the evidence you have relied on to support this conclusion.

If you conclude that your service does not have and is not likely to attract a significant number of child users, and therefore that the child user condition is not met, you must record this decision. You must be able to justify your decision-making, demonstrating the steps you have taken to reach your decision. You must record evidence against both criteria of the child user condition.

Is the child user condition met?

You must only conclude that the child user condition is not met if you have evidence that demonstrates that neither of the two criteria is met.

As a reminder, the two criteria of the child user condition are:

  • there is a significant number of children who are users of the service; and/or
  • the service is of a kind likely to attract a significant number of users who are children

Evidence must be recorded against both criteria. You must be able to justify your decision-making, demonstrating the steps you have taken to reach your decision.

Using evidence to determine whether your service has a significant number of child users

It can be challenging to accurately determine if a user is a child unless you have data from highly effective age assurance. You may have other evidence to suggest that there is not a significant number of children using the service.

Evidence that is not appropriate

Some sources of information are not appropriate for establishing the number of users on your service who are children. Below, we’ve outlined a non-exhaustive list of sources of information that are not appropriate.

Self-declaration of age

If you allow users to self-declare their age, you should not rely on this data alone to conclude that you do not have a significant number of users who are children, as the Act states that measures which require users to self-declare their age (without other methods) are not to be regarded as age assurance.

Online payment methods

You should not rely on data from online payment methods which do not require a person to be over the age of 18, for example debit cards or any other card where the card holder is not required to be 18.

User traffic data from only one type of device (desktop, mobile, or tablet)

You should not rely on data from only one type of device if your service can be accessed using multiple different types of devices, as this may lead you to underestimate the actual number of children accessing the service.

Data that only counts registered users

If your service allows access by unregistered users, you should not rely only on data about registered users. This data source may not be a reliable indicator of the number of children on your service.

You must only conclude that the child user condition is not met if you have evidence that demonstrates that neither of the two criteria is met.

As a reminder, the two criteria of the child user condition are:

  • there is a significant number of children who are users of the service; and/or
  • the service is of a kind likely to attract a significant number of users who are children

Evidence must be recorded against both criteria. You must be able to justify your decision-making, demonstrating the steps you have taken to reach your decision.

Using evidence to determine whether your service has a significant number of child users

It can be challenging to accurately determine if a user is a child unless you have data from highly effective age assurance. You may have other evidence to suggest that there is not a significant number of children using the service.

Evidence that is not appropriate

Some sources of information are not appropriate for establishing the number of users on your service who are children. Below, we’ve outlined a non-exhaustive list of sources of information that are not appropriate.

Self-declaration of age

If you allow users to self-declare their age, you should not rely on this data alone to conclude that you do not have a significant number of users who are children, as the Act states that measures which require users to self-declare their age (without other methods) are not to be regarded as age assurance.

Online payment methods

You should not rely on data from online payment methods which do not require a person to be over the age of 18, for example debit cards or any other card where the card holder is not required to be 18.

User traffic data from only one type of device (desktop, mobile, or tablet)

You should not rely on data from only one type of device if your service can be accessed using multiple different types of devices, as this may lead you to underestimate the actual number of children accessing the service.

Data that only counts registered users

If your service allows access by unregistered users, you should not rely only on data about registered users. This data source may not be a reliable indicator of the number of children on your service.

Do you have evidence demonstrating that the service does not have, and is not likely to attract, a significant number of users who are children?

You have let us know that you have highly effective age assurance and effective access controls in place on your service. Based on the answers you have given, you can conclude that the service or that part of it is not likely to be accessed by children.

This result is indicative only and based on the answers you have provided. It does not constitute legal advice or an Ofcom decision.

Ensure your assessment is suitable and sufficient

Your assessment must be suitable and sufficient. This means:

  • you must complete the relevant stages of the children’s access assessment outlined in the Act
  • in certain cases, your assessment must be supported by evidence

If we suspect that a service has failed to carry out a suitable and sufficient children’s access assessment properly or at all, we may consider taking enforcement action.

Keep a written record of your assessment

You must keep a written record of children’s access assessments in a format that is easily understandable. The record of the outcome of your children's access assessment must be in English or, for services in Wales, it can be in Welsh.

You can download a copy of our template that contains your answers. This template can be used to make your records. To complete your record, you must input the required information into the remaining sections of the template.

You have let us know that you have highly effective age assurance and effective access controls in place on your service. Based on the answers you have given, you can conclude that the service or that part of it is not likely to be accessed by children.

This result is indicative only and based on the answers you have provided. It does not constitute legal advice or an Ofcom decision.

Ensure your assessment is suitable and sufficient

Your assessment must be suitable and sufficient. This means:

  • you must complete the relevant stages of the children’s access assessment outlined in the Act
  • in certain cases, your assessment must be supported by evidence

If we suspect that a service has failed to carry out a suitable and sufficient children’s access assessment properly or at all, we may consider taking enforcement action.

Keep a written record of your assessment

You must keep a written record of children’s access assessments in a format that is easily understandable. The record of the outcome of your children's access assessment must be in English or, for services in Wales, it can be in Welsh.

You can download a copy of our template that contains your answers. This template can be used to make your records. To complete your record, you must input the required information into the remaining sections of the template.

Download template

What to include in your record

Evidence of highly effective age assurance

As you have highly effective age assurance in place to prevent children from normally accessing your service or part of it, you must record evidence of the highly effective age assurance and access controls you have used.

You should be able to demonstrate that you have considered the criteria that underpin highly effective age assurance as set out in our Part 3 Guidance on highly effective age assurance (PDF, 394 KB) and explain why the age assurance process used is highly effective.

Assessment dates

You should record the date that you completed this assessment and the expected date for your next children’s access assessment.

When to carry out a new children’s access assessment

As you have concluded that your service is not likely to be accessed by children, you will need to carry out children’s access assessments of the service not more than one year apart.

In addition, there are various circumstances that will mean you need to complete a new children’s access assessment.

Annual assessment

You must carry out a new children’s access assessment no later than 12 months following the completion of the first assessment, and annually thereafter. You can use this tool to carry out a new children’s access assessment.

Circumstances that trigger a new assessment

There are three circumstances in which you must carry out a new children’s access assessment, even if it has been less than 12 months since your previous assessment. These are:

  • before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant
  • in response to evidence about reduced effectiveness of age assurance
  • in response to evidence about a significant increase in the number of children using the service

What to include in your record

Evidence of highly effective age assurance

As you have highly effective age assurance in place to prevent children from normally accessing your service or part of it, you must record evidence of the highly effective age assurance and access controls you have used.

You should be able to demonstrate that you have considered the criteria that underpin highly effective age assurance as set out in our Part 3 Guidance on highly effective age assurance (PDF, 394 KB) and explain why the age assurance process used is highly effective.

Assessment dates

You should record the date that you completed this assessment and the expected date for your next children’s access assessment.

When to carry out a new children’s access assessment

As you have concluded that your service is not likely to be accessed by children, you will need to carry out children’s access assessments of the service not more than one year apart.

In addition, there are various circumstances that will mean you need to complete a new children’s access assessment.

Annual assessment

You must carry out a new children’s access assessment no later than 12 months following the completion of the first assessment, and annually thereafter. You can use this tool to carry out a new children’s access assessment.

Circumstances that trigger a new assessment

There are three circumstances in which you must carry out a new children’s access assessment, even if it has been less than 12 months since your previous assessment. These are:

  • before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant
  • in response to evidence about reduced effectiveness of age assurance
  • in response to evidence about a significant increase in the number of children using the service

If you are planning to make a significant change to any relevant aspect of the design or operation of your service, you must carry out a children’s access assessment before you make the significant change.

What amounts to a significant change can vary across the wide range of services likely to be accessed by children. Below we have set out examples of the types of significant changes that may increase the likelihood of children accessing your service.

  • A change targeted at the user base, for example changing your terms of service or publicly available statements to reduce your specified minimum user age, allowing younger children on the service than before.
  • Developing a new marketing strategy that targets children or allows advertising for children
  • A change to your service or a new element (for example hosting a new type of content) that may make your service more appealing to children, or easier to access, even if this is not your intention.
  • A change in ownership which also results in a change in the direction of the service which may affect whether children are accessing the service.
  • A change that affects a substantial portion of your service’s user base may result in children accessing your service or may change your service’s user base by attracting more children- you should consider if this could result in children gaining access to your service or your service becoming more attractive to children.
  • If users under 18 become part of your service’s growth strategy, and you reflect this in the way the service is marketed, as this will likely directly result in children using the service.

These examples are illustrative and the above list is not exhaustive. There may be other circumstances which may represent a significant change, which are unique to your service. It is for you to assess and determine what other circumstances may be relevant.

If you have highly effective age assurance in place on your service, you will need to carry out a new children’s access assessment in response to evidence about reduced effectiveness of your age assurance and access control methods on your service.

This would mean that your age assurance and access control methods are no longer highly effective at correctly determining whether or not a particular user is a child and therefore preventing children from being able to normally access your service.

How to consider whether effectiveness is reduced

Evidence of reduced effectiveness could come from user reports, post-signup age checks, media reports, independent research, and vendor updates/warnings, as well as other sources not listed here.

Effectiveness in the context of the children’s access assessment should be considered in relation to the technical accuracy, robustness, reliability and/or fairness of the age assurance methods.

  • Technical accuracy: children (or some children, for example those with a particular protected characteristic) are inaccurately being identified as adults
  • Robustness: children are circumventing age assurance or access controls
  • Reliability: children are able to access a service that they previously could not gain access to, while using the same information
  • Fairness: age assurance methods or processes are discriminating against a particular protected characteristic. For example, an AI model that is systematically biased against a particular protected characteristic

Evidence of a reduction in technical accuracy, robustness, reliability and/or fairness may therefore trigger a new children’s access assessment.

Relevant evidence
Not all changes will necessarily mean the service needs to carry out a new children’s access assessment. This is because not all evidence will be considered as relevant. For example, one-off technical failures that do not relate to children that result in a decline in accuracy.

You must also carry out a new children’s access assessment in response to evidence about a significant increase in the number of children using your service.

Any increase in users that are children is relevant as it may be evidence that your service is of a kind likely to attract a significant number of children. What may be a significant increase for your service, may not be for another, and it is up to you to determine whether there is a significant increase.

If you are made aware of evidence demonstrating that there is an increase in the number of children using your service, you should carry out a new children’s access assessment. This is because the increase may reflect a significant increase. Indicators of a significant increase could include those from the internal and/or external sources. Given that there are many possible threats to the effectiveness of an age assurance process, it is possible an increase in total UK users may reflect a significant increase in child users.

If you make changes to your service that mean it may no longer be likely to be accessed by children (for example, if you implement highly effective age assurance), then you can carry out a new children’s access assessment to determine whether your service no longer has to comply with the safety duties protecting children. You can carry out a new children’s access assessment if you have implemented highly effective age assurance in line with our recommendations, although you do not have to.

Based on the answers you have given, you can conclude that the child user condition is not met. This means that your service does not have, and is not likely to attract, a significant number of users who are children.

This result is indicative only and based on the answers you have provided. It does not constitute legal advice or an Ofcom decision.

Ensure your assessment is suitable and sufficient

Your assessment must be suitable and sufficient. This means:

  • you must complete the relevant stages of the children’s access assessment outlined in the Act
  • in certain cases, your assessment must be supported by evidence

If we suspect that a service has failed to carry out a suitable and sufficient children’s access assessment properly or at all, we may consider taking enforcement action.

You must keep a written record of your assessment

You must keep a written record of children’s access assessments in a format that is easily understandable. The record of the outcome of your children's access assessment must be in English or, for services in Wales, it can be in Welsh.

You can download a copy of our template that contains your answers. This template can be used to make your records. To complete your record, you must input the required information into the remaining sections of the template.

Based on the answers you have given, you can conclude that the child user condition is not met. This means that your service does not have, and is not likely to attract, a significant number of users who are children.

This result is indicative only and based on the answers you have provided. It does not constitute legal advice or an Ofcom decision.

Ensure your assessment is suitable and sufficient

Your assessment must be suitable and sufficient. This means:

  • you must complete the relevant stages of the children’s access assessment outlined in the Act
  • in certain cases, your assessment must be supported by evidence

If we suspect that a service has failed to carry out a suitable and sufficient children’s access assessment properly or at all, we may consider taking enforcement action.

You must keep a written record of your assessment

You must keep a written record of children’s access assessments in a format that is easily understandable. The record of the outcome of your children's access assessment must be in English or, for services in Wales, it can be in Welsh.

You can download a copy of our template that contains your answers. This template can be used to make your records. To complete your record, you must input the required information into the remaining sections of the template.

Download template

What to include in your record

Evidence that the child user condition is not met

You must record:

  • the decision that the child user condition is not met
  • the methodology you used
  • evidence you have relied on in reaching your decision against both criteria of the child user condition

You should consider the factors listed when you are thinking about what evidence you need to support your conclusion.

You must be able to justify your decision-making, demonstrating the steps you have taken to reach your decision.

Assessment dates

You should record the date that you completed this assessment and the expected date for your next children’s access assessment.

When to carry out a new children’s access assessment

As you have concluded that your service is not likely to be accessed by children, you will need to carry out children’s access assessments of the service not more than one year apart.

In addition, there are various circumstances that will mean you need to complete a new children’s access assessment.

Annual assessment

You must carry out a new children’s access assessment no later than 12 months following the completion of the first assessment, and annually thereafter. You can use this tool to carry out a new children’s access assessment.

Circumstances that trigger a new assessment

There are three circumstances in which you must carry out a new children’s access assessment, even if it has been less than 12 months since your previous assessment. These are:

  • before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant
  • in response to evidence about reduced effectiveness of age assurance
  • in response to evidence about a significant increase in the number of children using the service

What to include in your record

Evidence that the child user condition is not met

You must record:

  • the decision that the child user condition is not met
  • the methodology you used
  • evidence you have relied on in reaching your decision against both criteria of the child user condition

You should consider the factors listed when you are thinking about what evidence you need to support your conclusion.

You must be able to justify your decision-making, demonstrating the steps you have taken to reach your decision.

Assessment dates

You should record the date that you completed this assessment and the expected date for your next children’s access assessment.

When to carry out a new children’s access assessment

As you have concluded that your service is not likely to be accessed by children, you will need to carry out children’s access assessments of the service not more than one year apart.

In addition, there are various circumstances that will mean you need to complete a new children’s access assessment.

Annual assessment

You must carry out a new children’s access assessment no later than 12 months following the completion of the first assessment, and annually thereafter. You can use this tool to carry out a new children’s access assessment.

Circumstances that trigger a new assessment

There are three circumstances in which you must carry out a new children’s access assessment, even if it has been less than 12 months since your previous assessment. These are:

  • before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant
  • in response to evidence about reduced effectiveness of age assurance
  • in response to evidence about a significant increase in the number of children using the service

If you are planning to make a significant change to any relevant aspect of the design or operation of your service, you must carry out a children’s access assessment before you make the significant change.

What amounts to a significant change can vary across the wide range of services likely to be accessed by children. Below we have set out examples of the types of significant changes that may increase the likelihood of children accessing your service.

  • A change targeted at the user base, for example changing your terms of service or publicly available statements to reduce your specified minimum user age, allowing younger children on the service than before.
  • Developing a new marketing strategy that targets children or allows advertising for children
  • A change to your service or a new element (for example hosting a new type of content) that may make your service more appealing to children, or easier to access, even if this is not your intention.
  • A change in ownership which also results in a change in the direction of the service which may affect whether children are accessing the service.
  • A change that affects a substantial portion of your service’s user base may result in children accessing your service or may change your service’s user base by attracting more children- you should consider if this could result in children gaining access to your service or your service becoming more attractive to children.
  • If users under 18 become part of your service’s growth strategy, and you reflect this in the way the service is marketed, as this will likely directly result in children using the service.

These examples are illustrative and the above list is not exhaustive. There may be other circumstances which may represent a significant change, which are unique to your service. It is for you to assess and determine what other circumstances may be relevant.

If you have highly effective age assurance in place on your service, you will need to carry out a new children’s access assessment in response to evidence about reduced effectiveness of your age assurance and access control methods on your service.

This would mean that your age assurance and access control methods are no longer highly effective at correctly determining whether or not a particular user is a child and therefore preventing children from being able to normally access your service.

How to consider whether effectiveness is reduced

Evidence of reduced effectiveness could come from user reports, post-signup age checks, media reports, independent research, and vendor updates/warnings, as well as other sources not listed here.

Effectiveness in the context of the children’s access assessment should be considered in relation to the technical accuracy, robustness, reliability and/or fairness of the age assurance methods.

  • Technical accuracy: children (or some children, for example those with a particular protected characteristic) are inaccurately being identified as adults
  • Robustness: children are circumventing age assurance or access controls
  • Reliability: children are able to access a service that they previously could not gain access to, while using the same information
  • Fairness: age assurance methods or processes are discriminating against a particular protected characteristic. For example, an AI model that is systematically biased against a particular protected characteristic

Evidence of a reduction in technical accuracy, robustness, reliability and/or fairness may therefore trigger a new children’s access assessment.

Relevant evidence
Not all changes will necessarily mean the service needs to carry out a new children’s access assessment. This is because not all evidence will be considered as relevant. For example, one-off technical failures that do not relate to children that result in a decline in accuracy.

You must also carry out a new children’s access assessment in response to evidence about a significant increase in the number of children using your service.

Any increase in users that are children is relevant as it may be evidence that your service is of a kind likely to attract a significant number of children. What may be a significant increase for your service, may not be for another, and it is up to you to determine whether there is a significant increase.

If you are made aware of evidence demonstrating that there is an increase in the number of children using your service, you should carry out a new children’s access assessment. This is because the increase may reflect a significant increase. Indicators of a significant increase could include those from the internal and/or external sources. Given that there are many possible threats to the effectiveness of an age assurance process, it is possible an increase in total UK users may reflect a significant increase in child users.

If children can no longer access your service

If you make changes to your service that mean it may no longer be likely to be accessed by children (for example, if you implement highly effective age assurance), then you can carry out a new children’s access assessment to determine whether your service no longer has to comply with the safety duties protecting children. You can carry out a new children’s access assessment if you have implemented highly effective age assurance in line with our recommendations, although you do not have to.

If children can no longer access your service

If you make changes to your service that mean it may no longer be likely to be accessed by children (for example, if you implement highly effective age assurance), then you can carry out a new children’s access assessment to determine whether your service no longer has to comply with the safety duties protecting children. You can carry out a new children’s access assessment if you have implemented highly effective age assurance in line with our recommendations, although you do not have to.

Based on the answers you have given, you can conclude that the child user condition is met.

Because children can access your service, you will need to comply with additional duties under the Act.

This result is indicative only and based on the answers you have provided. It does not constitute legal advice or an Ofcom decision.

Ensure your assessment is suitable and sufficient

Your assessment must be suitable and sufficient. This means:

  • you must have completed the relevant stages of the children’s access assessment outlined in the Act
  • in certain cases, your assessment must be supported by evidence

If we suspect that a service has failed to carry out a suitable and sufficient children’s access assessment properly or at all, we may consider taking enforcement action.

What to do next

Keep a written record of your assessment

As you have concluded that the child user condition is met, you only need to record your outcome. This meets the requirements for a suitable and sufficient children’s access assessment. You do not need to gather additional evidence or keep a detailed record of the evidence you have used for your assessment.

You can download a copy of our template that contains this outcome. To complete your record, you must input the date you completed your assessment.

Based on the answers you have given, you can conclude that the child user condition is met.

Because children can access your service, you will need to comply with additional duties under the Act.

This result is indicative only and based on the answers you have provided. It does not constitute legal advice or an Ofcom decision.

Ensure your assessment is suitable and sufficient

Your assessment must be suitable and sufficient. This means:

  • you must have completed the relevant stages of the children’s access assessment outlined in the Act
  • in certain cases, your assessment must be supported by evidence

If we suspect that a service has failed to carry out a suitable and sufficient children’s access assessment properly or at all, we may consider taking enforcement action.

What to do next

Keep a written record of your assessment

As you have concluded that the child user condition is met, you only need to record your outcome. This meets the requirements for a suitable and sufficient children’s access assessment. You do not need to gather additional evidence or keep a detailed record of the evidence you have used for your assessment.

You can download a copy of our template that contains this outcome. To complete your record, you must input the date you completed your assessment.

 Download template

You must keep a written record of children’s access assessments in a format that is easily understandable. The record of the outcome of your children's access assessment must be in English or, for services in Wales, it can be in Welsh.

Carry out a children’s risk assessment

You must now carry out a children’s risk assessment.

All in‑scope services have three months to do this, including new services and those that have become in scope due to operational changes.

For information and guidance on carrying out children’s risk assessments, visit the Protection of children duties under the Online Safety Act page.

You must keep a written record of children’s access assessments in a format that is easily understandable. The record of the outcome of your children's access assessment must be in English or, for services in Wales, it can be in Welsh.

Carry out a children’s risk assessment

You must now carry out a children’s risk assessment.

All in‑scope services have three months to do this, including new services and those that have become in scope due to operational changes.

For information and guidance on carrying out children’s risk assessments, visit the Protection of children duties under the Online Safety Act page.