PSA: UK users will soon be unable to access the forums or chat

It doesn’t seem to apply to small servers like OGS though.

10 Likes

100%. And for those wondering who would go to such lengths? We’ve had some very determined trolls over the years. When it’s a weapon someone who has a grudge can wield, they will wield it.

8 Likes

That’s a great find! Maybe we don’t have to do anything at all then, we’re definitely very far from 700k active monthly UK users. When I went through their “does this apply to you?” form they made no mention of a specific number, just a very vague “Is the UK a target market?” question, which since we have UK site supporters, I felt I had to answer yes.

Edit: Can you link where that is coming from?

13 Likes

Might it matter that we use another provider for the forums? I suppose they will be looking at compliance for themselves and are much bigger…

1 Like

OGS hosts the forums, it’s running the open source Discourse software, but it’s all running on our servers fwiw

5 Likes

It’s in the document linked by siimphh, page 64:

https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-1-10-weeks/statement-protecting-children-from-harms-online/main-document/protection-of-children-code-of-practice-for-user-to-user-services-.pdf

However I’m far from having read all of it.

5 Likes

Thanks, I do note that that text has been superseded, I’m having trouble finding those numbers or any minimum limits for that matter in a non-superseded text.

2 Likes

https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-1-10-weeks/statement-protecting-children-from-harms-online/main-document/protection-of-children-code-of-practice-for-user-to-user-services.pdf?v=399754 is the latest.

That PCU J1.1 looks like it’s referring to requirements for user blocking and muting:

so unfortunately I don’t think it gets us off the hook :frowning:

2 Likes

Not quite. PCU J1.1 is a recommended measure for that risk. In simple words the user blocking and muting should be implemented in TOS. And as far as I know OGS have some kind of moderation. 700k UK visitors is the requirement for user blocking. If you have less you are not obliged to terminate abuser accounts. This is how I see it.

And it makes perfect sense for me. For example, a small US online store without UK targeting doesn’t have to worry about this.

At the end of the day none of us are UK lawyers and even if we were, none of us would put our signature under our forum opinion concerning a complex new law that we are unfamiliar with.

In such cases here in my country (we are known for our bloated bureaucracy) a good idea is to pre-emptively send an application/query to the organisation that presides over all that and inquire what is their opinion about your state of affairs concerning the new law.

For example, if the construction codes change, no one can tell with any certainty (however experienced or qualified in their fields) how the law will be applied within the next months, so what you do is you make a query to the local “Civil Service Construction Bureau” and you ask about your case specifically.

If they reply that “this is a new situation, we are reviewing the new laws ourselves, meanwhile we advise you that the previous situation is still lawful under the provisions of various ‘transitory periods of deliberation’” then you are fine now and you can make another, followup, query in the upcoming months. Just because a law changed, that doesn’t mean that it applies next day. There is always a transitory period where people can lawfully be expected to be within the context of the previous law and in deviance of the new law, while they adjust from the previous lawful condition to the next lawful condition.

What this means practically is that you will either have:
a) An official reply from the official organisation whether your business/site/condition/whatever is lawful under the new laws or not
or
b) An official reply from the official organisation that you should probably comply with this and that you have X amounts of months to comply, without any risk of penalties.

This, automatically, shields you from any “bad actor” that might like to snitch on you to that official organisation, since they will have pre-emptively checked you and allowed you to continue with business as usual, either permanently or temporarily.

I have tried this myself in similar cases, it works.

Anything we might say is well meaning, but, ultimately moot.
What the bureaucrats reply is all that matters. Unfortunately, but it is what it is.

6 Likes



https://forums.online-go.com/t/57425

Is it correct that this new law requires age verification from UK users of a site such as OGS?


o3-search

No – the Online Safety Act does not automatically force a general-interest forum or games site such as OGS to put every UK visitor through a passport/driver-licence check. What the Act actually says is:

  1. All “user-to-user” services (anything that lets people post or chat) must
    • do a Children’s Access Assessment within three months of the guidance coming into force, and
    • carry out a risk assessment and apply “proportionate” measures to protect children from harm.
    These measures may include age-assurance if the service cannot manage the risk any other way, but age-assurance is not mandatory in every case.

  2. Age-verification becomes compulsory only for services that allow pornography (the Act’s “Part 5” and “regulated provider pornographic content” duties). Those sites must deploy a “highly effective” age-verification method (photo-ID match, bank check, facial-age estimation, etc.) so that children “are not normally able to encounter” the porn.

  3. For all other services (forums, chat rooms, multiplayer games, etc.) Ofcom’s draft Children’s Codes say the provider can choose from a menu of mitigations— tighter content moderation, separate junior accounts, feature restrictions, or age-checks— and must pick something that is effective for the level of risk on that particular service. There is no blanket requirement to collect photo-IDs from every UK user.

Why small sites such as OGS are worried
• The duties apply even to tiny services; there is no “small business” exemption.
• Maximum penalties are hefty (up to £18 million or 10 % of global turnover) and Ofcom can ask payment processors, ad networks or hosting companies to cut off a non-compliant site.
• Implementing and documenting risk assessments, safety measures and (where necessary) age-assurance can be expensive and legally complex, so some small providers would rather geo-block UK traffic than shoulder the compliance burden.

So the forum announcement you read is a business decision made out of caution, not something explicitly demanded by the Act. The law does not say “every UK visitor must show photo ID to read a Go forum” – it says “the service must keep children safe, and if that cannot be done in any other proportionate way, it must add an effective age check.”

Sources:

  1. https://www.ofcom.org.uk/online-safety/protecting-children/age-checks-to-protect-children-online
  2. https://commonslibrary.parliament.uk/research-briefings/cdp-2025-0043/
  3. https://www.legislation.gov.uk/ukpga/2023/50/body/enacted
  4. The Online Safety Act: Child Access Duties for the Gaming Industry // Cooley // Global Law Firm
  5. What are the new UK online safety rules and how will age checks on adult content be enforced? | Internet safety | The Guardian

quote first 2 paragraphs from announcement from the link that I gave


o3-search

For our players in the United Kingdom only:
The “Online Safety Act” is now effective in the UK and prohibits sites from offering services which facilitate any sort of communication between users unless they are age verified via strong methods (no “I’m over 18” check boxes, they want photo ids verified). We have no infrastructure or resources to facilitate dealing with age verification so as a result we, like most other small forums and games, are being forced to prohibit access from our UK player base.

Unfortunately this will also necessarily apply to chat and other user generated content on the online-go.com for players coming from the UK.

Sources:

  1. PSA: UK users will soon be unable to access the forums or chat

So, you think that anoek will not get any penalty if he does nothing?


o3-search

Not quite.

• OGS (and therefore its owner anoek) is already under the Act’s “children’s access-assessment” and “children’s risk-assessment” duties, which became legally enforceable this year:
– Write a Children’s Access Assessment (CAA) by 16 April 2025.
– If the CAA shows the service is “likely to be accessed by children” (almost every open forum or game is), complete a full Children’s Risk Assessment (CRA) by 24 July 2025.

• Ofcom has started an enforcement programme that is actively asking some providers for copies of those assessments and says it may open investigations and “use the full force of our enforcement action” where records are missing or the risks are not being managed.

• If Ofcom does open a case and finds OGS has simply done nothing—no CAA/CRA, no plan to mitigate child-safety risks—it can:
– Fine up to £18 million or 10 % of worldwide turnover.
– Serve “business-disruption” orders that tell hosting, payment or DNS providers to block the service for UK users.
– (For the most serious, persistent refusal to cooperate) pursue criminal charges against senior managers for ignoring information notices.

What “doing nothing” does and does not mean

  1. Age-verification: OGS is not automatically required to upload everyone’s passport. Age checks are only compulsory for porn sites; for ordinary user-to-user services Ofcom lets you use other proportionate measures (moderation filters, junior accounts, feature restrictions, etc.). So if OGS decides the residual risk to children is low, it could document that judgment and avoid hard ID checks. That is what “not mandatory” means.

  2. Compliance paperwork and mitigation: The paperwork is mandatory. Even if OGS concludes that its existing chat filters are enough, it still has to write the CAA and CRA and keep them on file. Failing to do so is already a breach.

Will Ofcom actually come after a small Go server?
Realistically, the regulator’s first wave of investigations is aimed at bigger social-media and adult-content platforms. A niche game site may never hear from Ofcom—but the legal exposure exists, and the fine can be imposed whenever Ofcom chooses to act. Whether the risk feels acceptable is a business decision, but it is wrong to assume there is zero chance of penalty if the site simply ignores the duties.

Sources:

  1. https://www.ofcom.org.uk/online-safety/protecting-children/enforcement-programme-to-monitor-if-services-are-meeting-their-childrens-risk-assessment-duties-under-the-online-safety-act-2023
  2. Online Safety Act: Ofcom illegal harms enforcement action
  3. What are the new UK online safety rules and how will age checks on adult content be enforced? | Internet safety | The Guardian
  4. 2025: Ofcom's Year of Enforcement | HUB | K&L Gates

It’s not a UK site and it’s small


o3-search

“Not being a UK-based company” and “being small” do not, by themselves, take an online forum such as OGS out of the Online Safety Act.

  1. Extraterritorial reach
    • The Act “applies to services even if the companies providing them are outside the UK should they have links to the UK – for example, if the service can be accessed by UK users”.
    • Legal commentaries make the same point: the Act “extends beyond UK-based services… If a service targets the UK market, or has a significant number of UK users, it falls within the OSA’s reach”.

    In practice, any site that UK residents can reach (and that has user-generated content) is automatically “in scope” unless it geo-blocks the UK.

  2. No “small-site” carve-out
    • The government says duties are “proportionate to… the size and capacity of each provider”, but it gives no blanket waiver.
    • Lawyers underline that “small and medium enterprises are not exempt”, and that “there are no specific exemptions for small services”.

    What “proportionate” means is that Ofcom’s codes let a tiny forum rely on simpler, cheaper mitigations (manual moderation, basic filters, clearer T&Cs) rather than enterprise-grade AI or full ID-verification—provided the operator has done the required paperwork and can show those measures manage the risk.

  3. Minimum things every in-scope service has to do right now
    • Keep a written Illegal-Content Risk Assessment (deadline passed 16 March 2025).
    • Complete a Children’s Access Assessment (deadline passed 16 April 2025).
    • If children are likely to access the service, finish a Children’s Risk Assessment by 24 July 2025 and implement suitable child-safety measures from 25 July 2025.

  4. Enforcement reality
    Ofcom is currently collecting risk assessments from “large services and smaller services posing particular risks” and has already opened investigations where records are missing.
    Penalties on paper remain severe—up to £18 million or 10 % of global turnover, plus possible business-disruption orders and (for refusal to cooperate) criminal liability for senior managers—but Ofcom says it will apply them in a “targeted and proportionate” way, focusing first on higher-risk platforms.

  5. How a small, foreign-hosted site can fall out of scope
    The Act only reaches services that have a “link with the UK”. If OGS (a) blocks UK IP addresses, (b) stops marketing to or taking payments from UK users, and (c) removes any other deliberate UK targeting, it can argue it no longer has that link. Many niche sites are choosing this route precisely to avoid the compliance burden.

So: size and foreign hosting reduce the likelihood of Ofcom knocking on the door, but they do not eliminate the legal duty to produce the required risk assessments and child-safety measures as long as UK users can reach the service. Doing literally nothing while remaining accessible to the UK still carries a (small but non-zero) enforcement risk.

Sources:

  1. Online Safety Act: explainer - GOV.UK
  2. Navigating the Online Safety Act | Travers Smith
  3. Small Online Forums: Are You in Scope of the Online Safety Act?
  4. https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/online-safety-industry-bulletins/online-safety-industry-bulletin-May-25

If anoek tries to do something, is there risk anyway?


o3-search

Yes. Doing something (i.e., making a genuine effort to comply with the Online Safety Act) is far safer than doing nothing—but it does not eliminate risk altogether. A small, non-UK operator such as anoek / OGS still has several residual exposure points:

1. “Paperwork” risk
• Ofcom now treats the Children’s Access Assessment (CAA) and Children’s Risk Assessment (CRA) as legally enforceable records.
• Providers that were already live on 24 April 2025 had to finish the CRA by 24 July 2025 and must be able to show it on request; Ofcom has begun sending statutory information notices and threatening investigations where the record is missing.
• An assessment that is late, superficial, or not kept up to date can still trigger fines of up to £18 million / 10 % global turnover, even if the provider can show “good intentions”.

2. “Wrong judgment” risk
• The Act is “risk-based”: you choose measures that are “proportionate” to the child-safety risk on your specific service.
• Ofcom may later disagree that your mix of filters, moderation and (if you have them) age checks is strong enough. A small factual mistake—e.g., under-estimating the number of under-18 UK users—can invalidate the whole assessment and expose you to enforcement.

3. Moving target risk
• The Act is being rolled out in phases. After the child-safety duties come further codes on illegal content, transparency reporting, user-complaints handlers, etc. What is compliant this year may fall short next year; the operator has to keep revisiting the paperwork and the technical measures.

4. Extraterritorial and “size-blind” enforcement
• The Act expressly covers non-UK services that can be used by UK residents.
• There is no exemption for micro-services; size only affects what Ofcom considers “proportionate”, not whether you are subject to the duties.
• Ofcom says its first wave of enforcement targets the largest or “riskier” platforms, but its information-request powers apply to any in-scope service and it has already opened several investigations against smaller providers.

5. Data-protection and commercial risks
• If you adopt an ID-based age-verification product, you inherit GDPR duties for the identity data you collect or pass to that provider. A data-breach fine or user lawsuit is a separate (but very real) risk.
• Any change that limits chat for UK minors or geo-blocks UK users could alienate part of the player base or trigger contractual issues with payment processors.

Practical ways to keep the residual risk low
a. Do the CAAs/CRAs thoroughly, keep dated records, and schedule reviews when Ofcom updates its codes.
b. Document why less-intrusive measures (e.g., manual post-moderation, language filters, junior-only chat rooms) adequately mitigate the identified child-safety risks; revisit that reasoning if usage patterns change.
c. Monitor Ofcom consultations and stakeholder updates so you are ready for later phases (illegal-content duties, transparency reports, etc.).
d. If the burden becomes disproportionate, be prepared to geo-block the UK entirely; once UK access is technically impossible you fall outside the Act’s territorial scope and the duties cease.

Summary
Trying to comply greatly reduces the chance of a penalty, but it is not a “no-risk” state. The main residual dangers are (1) getting the assessments wrong or letting them go stale, and (2) future regulatory changes that raise the bar. Systematic record-keeping and periodic reviews are the best defence against those risks.

Sources:

  1. https://www.ofcom.org.uk/online-safety/protecting-children/enforcing-the-online-safety-act-childrens-risk-assessments
  2. Online Safety Act: deadline approaches for Children's Risk Assessments
  3. Online Safety Act – Who does it apply to? - Burges Salmon
5 Likes

LLM doesn’t always do a good job of picking details for laws of such scale.

However, it does convey the rough ideas most picked up after looking through them at first glance, that is, most small-to-medium businesses without much of a UK user base would simply opt to avoid the UK bureaucracy and vague procedures and simply geo-block all UK IPs and be done with it. Even larger corporations might opt for it too, if they deem the risk factor too high if they really start to enforce them.

4 Likes

This horrible law is an Orwellian flex by the totalitarians in government. It uses the usual self-justifying tactic of highlighting problems that we can all agree are bad and need to be addressed, while slyly piggybacking items inimical to free speech (see the article reference to “disinformation,” newspeak for things the government doesn’t like). This law establishes a principle that could eventually be applied to anything.

@Counting_Zenist’s question is very appropriate: “I wonder what this would do to newspaper or other forums as well as blogs comments/replies, do they have to follow the age check as well?” Would electronic book services be subject to the law for supplying adult literature such as Lady Chatterley’s Lover or I, Claudius, or bullying content like Lord of the Flies or Tom Brown’s Schooldays?

Worst of all is the nature of the ID requirement. No one has mentioned it in this thread or in the article, but this law is a goldmine for identity thieves. Compliance will vacuum up a vast amount of personal information: photo, birthdate, address, etc., depending on the ID used. This info will eventually be breached as it passes through various hands. All government is corrupt to a greater or lesser extent, and we need look no further than the U.S. OPM data breach of 2014, which exposed all U.S. covert spies active between 1985 and 2014.

I do agree with @anoek’s caution, however.

We can hope that blowback on the British people will in time pressure the government to modify or repeal the law.

9 Likes

@Conrad_Melville you only need effective age verification if you are going to claim that you are protecting children from harm by not allowing them. And even then, it does not have to be with an ID, some providers apparently also claim to be able to determine your age from a selfie (sounds very dubious).

All other sites are either going to (1) do the assessment and explain how they have implemented sufficient measures or (2) geoblock (or I guess (3) hope they never get investigated).

1 Like

The issue of claiming that it is allowed for underage people to access would require even more hurdles and effectively allow Ofcom to have supervising power over you: not only do you need to present and store every piece of information on file on paper (with moderation, and open to complaints and lawsuits if anyone using your services can complain and troll you), but every time you make a change or modification you need to refile the procedure again. Also Ofcom has the right to make judgments and punishments annually, and block your service, and if you want to appeal, good luck and prepare to spend years in bureaucracy and lawsuits. So if you don’t want to outsource the verification to 3rd party services, and let them have access to your user base, your only option is to simply geoblock (what OGS is currently doing is a form of geoblocking).

I feel a lot of them will outsource the issue and create a big private data issue in the very near term, while most small services simply just geoblock

5 Likes

Isn’t that their parent’s job? Am I missing something? :thinking:

Why on earth should the rest of the UK citizens have to send their IDs to random companies all over the world, to access basic parts of the internet? How does that even make sense?

There are far easier and less intrusive solutions. Here is one:

The government uses one of those online dot gov platforms to automatically issue a statement of age verification for each person that is an adult. That person then can take that verification (which will only contain a unique number - usually comprised from the index number of the verification along with the date) and send it to the websites.

Those verifications will be tied with their dot-gov singular government issued IDs, but will not contain any personal data or ID numbers. IF and ONLY IF, there is some transgression with your username, could a legal service ask from the website the number of the verification of your nickname and then the court will go to the government and find your ID to proceed with whatever case is needed. That way:

a) The citizens and their data are safe, since no random website has your ID, driver’s licence or selfie or name. There is no fuss, other than logging into your dot-gov account (which every adult has by now), download your verification and email it or upload it to whatever website asks for it.
b) The websites are legally cleared that no underage person is using their services and they can easily ban whoever cannot provide it. If someone scams them (e.g. a child is using their parent’s account) they are not legally liable and they are cleared.
c) Whatever goal of protecting people/children/whatever the government has is being achieved since it can locate any transgressors as fast, easy and accurately, as if the websites had the full data of those people.
d) You have less bureaucracy and oversight, since you only need to keep track of the people that are involved in actual legal cases.

Instead of that you all got a standard bureaucratic mess. And in the “vibe coding” era, soon we will be filled with “Tea app” leaks:

Tea confirmed the breach in an official statement, stating that approximately 72,000 images were exposed. It includes 13,000 selfies and photo IDs submitted for verification, as well as 59,000 images from users’ posts, comments, and direct messages.

At the time, Tea also claimed that “only users who signed up before February 2024 were affected.” That assurance, however, didn’t hold up. The second database, flagged to 404Media, had private messages sent as recently as last week.

What makes matters worse is that these chats mentioned social media handles, phone numbers, and real names. A little research could actually reveal the identities of people mentioned, 404Media says.

Calling it a “breach” was very generous since, apparently, they were using unprotected public databases for everything.

However, with the aforementioned solution, all that was going to “leak” was the number of your automated verification, which means nothing unless you are a court that has an official order to dot-gov to locate your verification number and find which person it belongs to.

Sounds unlikely that a selfie without an ID/license to compare it with, could do the trick, since:
a) You could fake/alter a selfie.
b) Have someone else take a selfie

4 Likes

To be fair, we’ve never been good at making secure computer systems. Not that we haven’t tried for a long time, so hopefully one will be made any day now…

The holy grail of computer science isn’t AGI, but instead just writing any significant software that does not have bugs.

4 Likes

Apparently happening also

https://www.reddit.com/r/gaming/comments/1ma2t26/people_in_the_uk_are_using_norman_reedus_highly/

6 Likes

France now also requires age verification for porn websites (and only for them, not for websites like OGS), and recommends something like what you say:

As far as I know, this hasn’t been implemented yet. A few of the major porn websites have suspended their service in France, but a few others are continuing like before, and of course people can use a VPN.

3 Likes

Congratulations to France for a more sensible policy.

2 Likes