Online Safety Act: Age Verification and Data Reuse
Public debate around the UK’s Online Safety Act 2023 (OSA) has intensified since its age verification provisions came into effect in July 2025. Critics have warned that the Act could create a new pipeline for collecting valuable personal data, which technology platform companies and service providers might then monetise and reuse.
Without doubt, the risk of reuse is conceivable, especially where data collected during age verification is used to build advertising profiles, sell identity datasets, or fuel commercial analytics. Also, it appears that the UK Online Safety Act does not directly regulate how age verification data can be reused. This is understandable as its scope is about requiring proof of age for certain content, not setting the privacy standards for processing age verification data.
This concern, while grounded in the realities of how personal data has been exploited in other contexts, requires a review, especially in view of the obligations placed on data processors and data controllers under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). For instance, a platform or service provider collecting age verification data will likely qualify as a data controller (or a processor for a controller) and must comply with strict data processing rules, including:
(a) Lawful Basis & Purpose limitation: Personal data collected for age verification cannot be repurposed for advertising or unrelated analytics without a separate lawful basis. Accordingly, platforms and service providers must identify a lawful basis for processing personal data obtained during age verification.
(b) Special Categories of Data: Biometric verification (face scans, fingerprints) is generally subject to even stricter processing conditions. If a platform or service provider were to use age verification data for unrelated commercial purposes without a valid lawful basis, the ICO can impose significant monetary fines. Data controllers and processors may also be subject to Enforcement Notices to stop the unlawful processing or even civil claims for compensation by affected users for material or non-material damage.
Key Takeaway
(1). For tech platforms and age verification service providers, the key takeaway is this: the OSA creates the requirement for robust age checks, but DPA governs what can be done with the data. Commercial reuse of age verification data is not automatically permitted. In fact, the reuse of age verification data appears to be highly restricted.
(2). The OSA does not override the DPA 2018 protections.
(3). Unauthorised commercial use would almost always be unlawful under existing data protection law.
(4). Privacy-by-design models, such as pass/fail verification without storing personal data, are technically possible and already used by some providers.
In our view, the real compliance challenge is not the letter of the law, but ensuring that privacy commitments are embedded in technology design, operational processes, and contractual safeguards. In the age of mandatory verification, trust will be as important a competitive advantage as technical capability.
Balogun Harold's insights are shared for general informational purposes only and do not constitute legal advice. For tailored guidance, please contact our Technology and Data Protection Lawyers at bhlegalsupport@balogunharold.com
Olu A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)
Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
olu@balogunharold.com
Kunle A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)
Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
k.adewale@balogunharold.comRelated Articles
Pseudonymisation & Anonymisation as Tools for Managing Data Protection Risk
In this update, we explain the key differences, practical applications, and why understanding these concepts is critical for compliance with data protection laws.
The New 200M Minimum Capital for VCs in Nigeria - Market Considerations
On 16 January 2026, the Securities and Exchange Commission (SEC) issued Circular No. 26‑1, raising the minimum share capital for venture capital (VC) fund managers in Nigeria from ₦20 million to ₦200 million.
Sovereign Liability Exposure under Nigeria’s Space Economy Regulations - Key Considerations
The decision to cap an operator’s insurance and indemnity obligations at USD 15 million under sections 39 and 40 of the Regulation on Licensing and Supervision of Space Activities, 2015, raises questions as to the extent of residual exposure borne by the Federal Government of Nigeria under international space law.
Contractual Liability in Agentic Commerce: Key Considerations
It appears that the end user will remain the economic principal in agentic commerce transactions, primarily because, it is the end user’s funds that are deployed, and it is typically the end user who authorises the AI agent to act within defined parameters, such as spending limits or merchant categories.