The Notice Landed on One Company

On 16 July 2026 Ofcom, the UK communications regulator, opened a formal investigation into the age-assurance measures used by TikTok Information Technologies UK Ltd. The duty in question is section 12 of the Online Safety Act 2023, and those duties have been live since 25 July 2025. One named entity, one named statutory provision, one regulator that has now decided the informal phase is over.

The maximum penalty under the Act is GBP 18 million or 10% of qualifying worldwide revenue, whichever is greater. For a company of TikTok's scale the second limb is the one that matters, and the first limb - roughly EUR 21 million by current conversion - is the floor rather than the ceiling. Ofcom has said evidence-gathering will take at least three months and that it will provide an update in October 2026.

Read as a news item, this is one platform under scrutiny. Read as a signal, it is something considerably wider, because of what Ofcom chose to question.

The Method Is What Is on Trial

Ofcom's concern is not that TikTok did nothing. It is that TikTok relies on age inference - estimating a user's age from behavioural and profile signals the user already emits - rather than age verification. Age inference is explicitly not listed in Ofcom's guidance as a method capable of being highly effective at age assurance.

That distinction is the whole case, and it does not stop at one company. A regulator that opens an investigation on the premise that a technique falls outside its own list of acceptable methods has put the technique on notice, not only its most visible user. Any operator of a UK-facing service that chose inference has the same exposure, minus the headline.

The uncomfortable part for a board is that inference does not look like a gap. It looks like a control. It produces an age, it logs a decision, it can be described in a compliance paper as an age check. The regulator's position is that describing it that way does not make it one.

Inference Was Chosen Because It Does Not Ask

Inference became the default for a commercial reason, not a technical one. It requires no document upload, produces no drop-off at signup, and creates no biometric consent conversation to explain to users or to a data protection officer. It is the age check that costs nothing at the top of the funnel.

That is precisely the problem. The property that made inference attractive is the property that makes it insufficient: it works by not asking. A method built to avoid friction is, by construction, a method built to avoid the moment where a user asserts something checkable. Ofcom's guidance recognises methods that create that moment. Inference is designed to skip it.

So the commercial case and the compliance case point in opposite directions, and every operator who ran that trade-off in 2025 ran it before the regulator showed its hand. That is not a failure of judgement. It is a position that now needs revisiting on the record.

The Circumvention Trap

The second half of the exposure arrived on the same day, from the same regulator. Ofcom published research on 16 July 2026 finding that daily VPN use in the UK has roughly doubled since the age-check duties came into force: about 2.2 million daily users, up from about 1.2 million before 25 July 2025. Users are routing around the checks at roughly twice the previous rate.

The UK Technology Secretary, Liz Kendall, said VPNs will not be age-gated or banned, and that the onus sits on platforms to stop circumvention. That is a coherent policy choice. It is also, for an operator, a hard one to absorb: the tool being used to defeat your age gate is out of scope, and you are accountable for the outcome anyway.

Put the two halves together and the compliance position is sharper than it first reads. A platform may be answerable for a circumvention rate it does not control, using a verification method it may not be permitted to rely on. That is not what "we added an age check" implies when it appears in a board pack.

What Is in Scope, and What Is Not

This is UK law. It is the UK Online Safety Act 2023, enforced by a UK regulator, and it does not apply in the EU. The EU's own child-protection and age-verification work is proceeding on a separate track, and nothing about the TikTok investigation changes an EU-only operator's legal position.

The scope that does bite is territorial rather than corporate. An operator established anywhere in the EU that serves UK users falls within the UK regime regardless of where it is incorporated. And the category is broader than social platforms: alcohol, gambling, cosmetics, knives, finance, dating and gaming all run age-restricted content, products or features into the UK market. Our reading, offered as a reading and not as law, is that the direction of travel on both sides of the Channel is shared, and that inference-based assurance is the method most likely to be tested first.

The action is narrow and specific. Find out which age-assurance method your service actually relies on today, and whether it is one Ofcom's guidance recognises as capable of being highly effective. "We have an age gate" is not an answer to that question. Ask your product team before Ofcom's October 2026 update, because after that date the answer stops being a planning matter.