Historically, reputable online dating services in the UK have operated under voluntary industry standards, most notably those promoted by the Online Dating Association. These codes emphasised that dating services are not intended for children, set a minimum age of 18, and encouraged action where under-age users were identified.
Voluntary codes remain relevant as good practice, but they no longer represent the full regulatory picture. Dating services are now subject to binding statutory duties that require active and effective exclusion of children, not merely policy statements or reactive moderation.
Minimum age and access controls
Dating services are designed for adults and are not offered to anyone under 18.
It is no longer sufficient to rely solely on:
• Terms and conditions stating a minimum age
• User self-declaration
• Post-hoc moderation once under-age users are discovered
Where a service sets a minimum age, it is expected to apply and enforce that rule in practice.
Age Appropriate Design Code
The Age Appropriate Design Code, also known as the Children’s Code, is fully in force.
It applies to any online service likely to be accessed by children under 18, regardless of whether children are the intended audience.
Dating services fall squarely within scope unless they can demonstrate that children cannot access the service at all.
For dating platforms, this creates a clear regulatory expectation:
• If children can access the service, the service must be made age-appropriate
• If the service cannot be made age-appropriate, children must be excluded
In practice, this means dating services that do not wish to redesign their core functionality for children must adopt effective and proportionate age assurance to prevent under-18 access.
Relying solely on age estimation is unlikely to be sufficient unless applied with a very wide margin of error, given the inherent uncertainty of such techniques. Estimation may reduce risk at higher age thresholds, but estimates close to 18 do not reliably exclude minors.
Risks specific to dating services
Dating services present heightened risks to under-18s, including:
• Sexualised conversations and explicit content
• Exchange of images and videos
• Grooming by adults
• Peer-to-peer pressure and exploitation
• Physical risk arising from offline meetings
These risks are materially different from those posed by many other online services and are central to regulatory expectations.
Because dating services are designed to facilitate intimate interaction and physical encounters, regulators expect stronger safeguards than for general social or content platforms.
Child data protection impact assessment
Dating services are expected to conduct a child-focused data protection impact assessment, considering:
• Whether under-18s are able to access the service
• How frequently this occurs in practice
• The specific risks posed to those users
• What technical and organisational measures are required to mitigate harm
Where evidence shows that under-18s are using the service, continued reliance on weak or easily circumvented controls is unlikely to be defensible.
UK GDPR and special category data
Dating services routinely process special category data, including:
• Sexual orientation and sexual life
• Health-related information
• Racial or ethnic origin
• Political or religious views
Processing this data requires a valid condition under Article 9 UK GDPR, most commonly explicit consent.
In the UK, consent is only valid on a standalone basis if given by someone aged 13 or over. However, this does not override a service’s own minimum age rules or child-safety duties.
If a service does not know a user’s age with sufficient certainty, it cannot know whether consent is valid, whether explicit consent requirements are met, or whether the user should be excluded entirely.
The regulator, the Information Commissioner’s Office, has made clear that services handling children’s data, or data about sex and relationships, are subject to heightened scrutiny.
Online Safety Act 2023
Dating services are in scope of the Online Safety Act 2023 because they are user-to-user services.
Where a dating service is likely to be accessed by children, it must:
• Assess risks to children
• Put proportionate measures in place to mitigate those risks
• Prevent children from encountering harmful content
It is not sufficient to exclude minors purely through policy or terms. Measures must be effective in practice.
Larger dating platforms may fall within enhanced regulatory categories and face additional duties relating to safety, transparency, and governance.
The regulator, Ofcom, has powers to issue enforcement notices, impose service restrictions, and levy fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher.
Our view
Dating services operate in one of the highest-risk online environments for children.
Taken together:
• The Age Appropriate Design Code
• UK GDPR
• The Online Safety Act 2023
now create a clear expectation that dating services must actively exclude under-18s unless they are prepared to redesign their service to be age-appropriate.
We therefore consider that robust age verification is required for dating services. Given the risks involved, many services will wish to go beyond a basic check and adopt enhanced measures to prevent impersonation, fake images, and account sharing.
PLEASE NOTE
This website does not constitute legal advice. You should always seek independent legal advice on compliance matters.