In a high-risk space like the adult industry, overlooking or ignoring ever-changing rules and regulations can cost you dearly. In the United Kingdom, significant change has now arrived in the form of the Online Safety Act — and failure to comply with its requirements could cost merchants millions of dollars in fines.
The OSA became law in October 2023, and has been rolling out in phases. Aimed at regulating online content and improving internet safety in the U.K., its goal is to protect users, especially children, from illegal or harmful material online. That includes terrorism, fraud, content related to suicide or eating disorders — and of course, pornography.
The Ofcom requirements are not much different than many of the age verification laws in place in U.S. states, as well as the content compliance requirements of the card brands.
To that end, the OSA requires adult sites to implement “highly effective” age assurance measures to keep minors from viewing their content.
Meet Your Regulator: Ofcom
Ofcom is short for the Office of Communications, which is the U.K.’s media regulatory body, and its name has become synonymous with the Online Safety Act. For those in the U.S., think of it as the U.K. version of the Federal Communications Commission (FCC).
To make sure adult providers are in compliance with the Online Safety Act, Ofcom has been reaching out directly to merchants, even those outside the U.K., requesting information. If you get a message from Ofcom, you need to respond. The agency is seeking constructive dialogue, not confrontation.
Risk Assessment: Your Must-Have Document
The OSA set forth a series of milestones to help adult merchants get in compliance. One is the completion of a risk assessment, which must be updated yearly and kept on file. The risk assessment can be found here. This web page is a directory tailored to adult services and includes steps to determine whether your service falls within the scope of the legislation, how to conduct your risk assessment and how to choose an age assurance method. It also includes templates to simplify the process.
The risk assessment lists 17 types of illegal content. Merchants need to assess the risk of various types of content that appear on their site, rating each as negligible, low, medium or high. Then, they must document what safety measures are in place and how those reduce the risk. This documentation should be kept on file and available if Ofcom requests it.
Compliance Tips and Tools
For studio-produced content, the OSA’s new rules went into effect Jan. 1, 2025. Merchants that host user-generated content — such as cam and fan sites — were given a bit more time. Those sites were required to conduct a risk assessment by March 2025 and must have consumer age assurance in place by July 25.
For anyone reading this and feeling a bit behind the eight ball, the Ofcom requirements are not much different than many of the age verification laws in place in U.S. states, as well as the content compliance requirements of the card brands. If you are complying with those laws and regulations, you will likely already be in good shape when it comes to meeting OSA standards.
The Online Safety Act also offers a clearer definition of what constitutes effective and acceptable age assurance than do most state age verification laws in the U.S., and Ofcom offers specific tools that you can use to comply. Those include age estimation, meaning that a service estimates a user’s age; and age verification, meaning that the user provides actual proof of their age. For adult content, services must use one of these methods to ensure that U.K. users are over 18.
In order to allow innovation and accommodate budgets, Ofcom chose not to prescribe one specific method. Instead, a variety of age assurance methods are permissible. Services can use facial age estimation, credit card checks, open banking, mobile network checks or email-based age verification. The method must meet Ofcom’s standards for technical accuracy, robustness, reliability and fairness.
Global Reach, Real Consequences
It’s important to recognize that this law applies to everyone, not just U.K.-based merchants. Ofcom has contacted a number of merchants outside of the U.K., asking for their risk assessments and contact information. Ofcom prioritizes which merchants to reach out to, based on factors like risk of harm, user volume and sector. Ofcom will also respond to tips or concerns. If the agency hears about an issue, it will request a risk assessment. This is similar to how the card brands research potential issues.
What happens if you don’t comply? If a service ignores communications and fails to meet requirements, the consequences can be severe: fines of up to 18 million pounds — $24 million — or 10% of global revenue, whichever is greater; and potential loss of U.K. market access. Merchants that respond and show their willingness to comply will be given time and guidance to get there.
With the Supreme Court's recent ruling in favor of age verification laws in the U.S., the European Union ramping up enforcement of the Digital Service Act, and individual nations enforcing their own online safety laws, this is a good time for adult merchants to assess what systems they have in place to comply with the Online Safety Act and similar laws around the globe.
Cathy Beardsley is president and CEO of Segpay, a merchant services provider offering a wide range of custom financial solutions. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. For questions or help, contact sales@segpay.com or compliance@segpay.com.