The UK Government has today announced its much-anticipated plans to ban social media platforms from offering services to children under 16. 

Measures are expected to extend beyond a blanket ban, also targeting other harmful functionality in online services including livestreaming and certain messaging functionalities with children (including on gaming sites). Further detail will follow in July 2026 on additional measures, such as overnight social media curfews for under-18s, when the Government publishes its full response to its national consultation into children’s online safety. Initial results from the consultation showed overwhelming public demand for action, with 9 in 10 parents backing a social media ban for under‑16s. 

The proposal marks a significant escalation in the UK’s approach to children’s online safety and follows growing regulatory focus on implementing effective age assurance measures and tackling harmful content online (evidenced by ICO and Ofcom’s joint statement on age assurance published in March 2026). 

Modelled on similar restrictions introduced in Australia last year, the ban is expected to capture user-to-user platforms whose purpose is to enable social interaction (and which allow users to post material and interact with algorithms) including Snapchat, TikTok, YouTube, Instagram, Facebook and X.

Ofcom is now expected to work with the Department for Science, Innovation and Technology ("DSIT") on the practical design of the regime, including which services fall in scope, expectations for what age assurance and verification measures should be implemented, and the supervisory and enforcement approach that will sit alongside Ofcom’s existing Online Safety Act 2023 (“OSA”) functions.

The detail of the enforcement framework is yet to be finalised (more on that when we know it!), but the likely direction of travel is clear: platforms should expect a more robust, evidence-led approach to age assurance and child safety compliance.

• Minimum age rules: Platforms are likely to be required to prevent under-16 access, not merely state age limits in their terms.
• Risk assessments and evidence: Organisations will need to show how they identify child users, assess risks to children, test controls and keep compliance records capable of withstanding regulatory scrutiny.
• Age assurance: Self-declaration is unlikely to be sufficient. Services are likely to be required to deploy strong and effective age assurance, proportionate to the risks presented by the service. Upholding data privacy principles will be key here.
• Regulatory action: Ofcom is expected to use its information-gathering, monitoring and enforcement powers where services fall short. 

Sir Keir Starmer’s comments at London Tech Week this month, in which he gave companies “three months to show us that they will do the right thing”, make clear that measures to assess and mitigate online risks to children must be demonstrably effective, not merely available. If protections aren’t switched on by default or can be easily bypassed, companies are likely to struggle to show compliance when scrutinised by regulators.

As the legislation follows, we are set to move into a much sharper enforcement landscape: regulatory investigations, significant fines, and potentially follow-on civil claims if harm can be evidenced, particularly in cases involving grooming, sextortion or the sharing of self-generated content. For larger tech players, this also raises the risk of large-scale group litigation and reputational exposure.

What Should Organisations Do Now?

The message for online platforms is clear: child safety has moved from a policy discussion to a live end-to-end compliance and enforcement priority. Organisations likely to be in scope should not wait for the final rules before preparing for upcoming changes. 

Age assurance, in particular, must be seen as an immediate compliance priority. Businesses should be auditing their age verification frameworks and access control mechanisms now, not when regulatory attention arrives. It will no longer be enough to rely on user settings or parental controls: organisations need to be able to evidence, in a meaningful way, that their products are designed to prevent harm by default. 

Organisations, particularly those operating in-scope or child-accessible services, should be: 

• Determining whether they are likely to be in-scope of the new rules;
• Monitoring the legislative timetable, DSIT announcements and Ofcom consultation activity;
• Assessing current age assurance tools against Ofcom and ICO expectations, including accuracy, robustness, fairness, usability and privacy impact;
• Mapping age assurance data flows to ensure that any personal data collected is accurate, limited to what is necessary, not repurposed for unrelated uses, and protected by security measures in compliance with data protection requirements;
• Reviewing children’s risk assessments, onboarding journeys, terms of service and recommender system controls;
• Building governance and audit trails that evidence how decisions were made and tested; and
• Preparing for further Ofcom engagement and scrutiny.

If you have any questions or would like to discuss any of these points further, please contact us or your usual Stephenson Harwood contact