Social media to be banned for under-16s in the UK

The government recently announced that social media will be banned for under-16s in a landmark move to ‘give kids their childhood back’.

It has indicated that it intends to use the same model as Australia, which was the first country in the world to implement such a ban. The changes are expected from the spring of 2027.

The ban will capture user-to-user platforms that enable social interaction, allow users to post material, and use algorithms. Platforms including Snapchat, TikTok, YouTube, Instagram, Facebook and X will be included in the ban.

Going beyond even the Australian model, the government intends to restrict high-risk features, such as livestreaming and stranger communication with children under 16 on online services. The government says that ‘These restrictions – which together with the ban go further than any other country – will apply to a wider range of online services, including on gaming sites.’

16 and 17-year-olds will be allowed to access social media; however, live streaming and stranger communication for that age group will be switched off by default.

Additionally, the government will introduce more effective age-assurance measures to strengthen compliance and make it harder for children to bypass safeguards. Ofcom has been asked to conduct a ‘rapid’ study of effective age-assurance measures.

What is not included in the ban?

Messaging services such as WhatsApp and Signal will not be included. The ban will also not include education services, e-commerce platforms, or music streaming.

The government has made it clear that the ban will not affect dedicated educational platforms like Google Classroom, which support school work and learning. However, a grey area is educational content on sites like YouTube. In response, the government has said there is now a clear opportunity for these platforms to design spaces where children can safely access educational content.

What are the concerns?

Snapchat said that the ban will result in under-16s using ‘less safe platforms’, whilst YouTube argues that ‘Blanket bans push kids out of such curated, supervised, beneficial experiences and towards anonymous, less safe services.’ A Meta spokesperson raised concern that ‘bans risk isolating teens from online communities and information, and driving them to unregulated alternatives that lack built-in protections and parental controls’.

Commentators also note that the emphasis on privacy and safety comes at a trade-off with the creativity and learning opportunities that social media platforms provide.

From a data protection and privacy perspective, the ‘highly effective age assurance’ measures will likely involve social media platforms using technologies such as facial scans or digital IDs to verify whether someone is over 16. The proposed collection of identification or biometric data like this will also give rise to questions under data protection and privacy law and will need to be done carefully and compliantly.

There are of course concerns that the restrictions may be difficult to enforce, and the government has mentioned that it is researching risk areas, such as how children could seek to circumvent the age-assurance measures by using a VPN or their parents’ accounts to bypass the ban, to try and tackle these risks.

What is the current regulatory framework and how can businesses prepare?

The ban builds on the current regulatory framework. Under Article 8 of the UK GDPR, 13 is currently the age at which a child can give consent to the processing of their personal data in relation to information society services. This is called ‘the digital age of consent’. It is therefore unlawful in the UK for children under 13 to have a social media account without parental consent. Many platforms also implement a minimum age requirement.

Additionally, the Online Safety Act (OSA) 2023 places obligations on social media companies and online search services to implement measures to prevent children from accessing harmful and age-inappropriate content. Service providers must also ensure that parents and children have clear, accessible ways to report issues they encounter. If service providers identify that their platform is likely to be accessed by children, they must conduct a children’s risk assessment; implement measures to protect children accessing their service; and comply with the record-keeping and review duties for these activities.

In the coming months, Ofcom will provide guidance on effective forms of age assurance measures under the new legislation. There is already existing Ofcom guidance on these measures under the Online Safety Act. Platforms falling within the remit of the upcoming ban should be aware that self-declaration methods are unlikely to suffice and are easy to bypass.

The Information Commissioner’s Office (ICO) recently fined Reddit £14.47 million for children privacy failures and criticised the platform for using self-declaration as an age verification tool for opening an account and accessing mature content on the platform.

Companies for whom this is a relevant issue should already be implementing robust age-assurance measures to comply with their existing obligations under the OSA. They should also be taking appropriate measures to ensure they have a lawful basis for processing children’s personal information under UK data protection law, and comply with principles such as the data minimisation principle. However, the recent government announcement and anticipated guidance from Ofcom is intended to build the pressure on digital providers interacting with children to implement even greater safeguards.

This article was co-written by Georgia Morris, trainee solicitor in the IP, IT and commercial team.

Related expertise