TikTok could be fined as much as 10 per cent of its worldwide revenue after British communications regulators, Ofcom, opened a child safety investigation that goes to the heart of how the platform decides whether the person scrolling through its videos is an adult or a child.
The formal investigation, announced by Ofcom this week, will examine whether TikTok is doing enough to prevent children from encountering adult material, or material promoting suicide, self-harm and eating disorders.
At the centre of the case is TikTok’s reliance on age-inference technology, which attempts to estimate whether a user is a child by examining signals including their activity and behaviour on the platform.
Evidence presented in Ofcom’s latest age-check report raised “serious doubts” about whether some of these systems work effectively. In certain cases, the regulator said, age-inference models may have failed to identify a significant proportion of children, leaving them exposed to material that should have been blocked.
The investigation will therefore consider whether TikTok has used age-assurance measures that are “highly effective” in correctly determining whether a user is a child, as required under Britain’s Online Safety Act.
The obligation is not simply to remove dangerous videos once children have already encountered them. Since the UK’s child protection duties came into force on July 25, 2025, platforms accessible to children have been required to establish systems designed to stop minors from seeing the most harmful material in the first place.
These protections cover pornography and content encouraging suicide, self-harm or eating disorders. Platforms must also protect children in particular age groups from other material judged likely to cause them harm.
The action comes as Britain prepares to introduce a separate under-16 ban covering major social media platforms, placing even greater pressure on companies to prove that their age checks can work before a child enters the service, rather than trying to estimate their age after they have already begun using it.
Ofcom’s wider review found that more than 69 million age checks were completed across a sample of 32 UK services between July and December 2025, representing a 23-fold increase from the previous six months.
However, the regulator said the job was far from complete. Although the proportion of children encountering highly effective age checks almost doubled, from 25 per cent to 43 per cent, children could still find pornography websites/adult websites without adequate protections through search engines. Ofcom also found that social media and dating platforms continued to struggle to identify underage users correctly.
TikTok rejected suggestions that it was failing to meet its responsibilities.
“We strictly enforce age-appropriate experiences through expert-informed platform rules and advanced age inference technologies, in line with major industry peers,” the company said in a TikTok response, adding that it was confident it complied with the Online Safety Act and would work with Ofcom to demonstrate this.
The launch of the investigation does not mean that Ofcom has concluded that TikTok broke the law. The regulator will now use its formal powers to collect and analyse evidence, a process expected to take at least three months, before providing its first update in October.
However, the financial exposure is considerable. Where breaches are established, Ofcom can impose a penalty of up to £18 million, 10 per cent of the company’s qualifying worldwide revenue, whichever is higher.
In the most serious cases, the regulator can also seek a court order requiring payment providers, advertisers or internet service providers to withdraw their services from a company or block access to its platform in Britain.
TikTok, which is owned by Chinese technology group ByteDance, has faced previous action from British authorities.
Ofcom imposed a £1.875 million previous penalty in July 2024 after finding that the company had submitted inaccurate information about the use of its Family Pairing parental control feature.
A year earlier, Britain’s Information Commissioner’s Office issued a separate £12.7 million data penalty for breaches of data protection law, including failing to use children’s personal information lawfully.
The British case also forms part of a much wider struggle over how governments can protect children online without creating systems that identify, track or restrict every internet user.
In February, the European Commission published preliminary EU findings that TikTok’s design may breach the Digital Services Act.
The Commission raised concerns about infinite scrolling, autoplay, push notifications and the platform’s highly personalised recommendation system, saying TikTok may not have adequately assessed their effects on the physical and mental wellbeing of minors and other vulnerable users.
It also questioned whether TikTok’s screen-time and parental control tools were effective, noting that restrictions could be easily dismissed and often depended on parents having the time and technical knowledge to activate them. The findings remain preliminary and do not determine the final outcome of the investigation.
Meanwhile, Greece has provided an example of how quickly ambitious political announcements can collide with legal and technical reality.
In April, the Greek government announced that children under 15 would be banned from social media, with age verification expected to take place through the state’s Kids Wallet and Gov.gr Wallet applications.
Under the proposed system, platforms would have requested digital confirmation before allowing a person to create an account or log in. Similar technology is already used in Greece to confirm whether someone meets the required age for buying alcohol or tobacco, producing a simple green or red response without revealing additional personal details.
However, the Kids Wallet element has disappeared from the legislation now undergoing public consultation.
The measures were posted on July 7 as articles 75 to 78 of a much wider and largely unrelated Justice Ministry bill, with the consultation due to close on Monday, July 20.
The draft sets 15 as the minimum age for accessing social media and appoints the National Council for Radio and Television and the Data Protection Authority as supervisory bodies. However, it contains no reference to Kids Wallet or Gov.gr Wallet and places no specific obligation on platforms to introduce an age-verification mechanism.
As a result, a child could, in practice, continue declaring a false age when opening an account, much as users can do today. Greek legislation has already required parental consent since 2019 where a child declares that they are younger than 15, meaning the new proposal adds an age limit without introducing the tool needed to verify it.
Lefteris Chelioudakis, co-founder and executive director of digital rights organisation Homo Digitalis, described the original Kids Wallet plan as a “communication firework”, arguing in a detailed Greek report that individual EU governments cannot independently impose new age-verification obligations on social media providers.
According to Chelioudakis, an earlier version submitted to the European Commission did include two provisions requiring platforms to use Kids Wallet and Gov.gr Wallet, but these were subsequently removed. Homo Digitalis said it had warned that such requirements risked conflicting with EU law and could force the identification of adults as well as children.
The organisation was among 25 Greek and international groups that signed a joint letter opposing the original proposal. Their concerns included the potential erosion of internet anonymity, the exclusion of families without adequate digital access and the possibility that children would simply move towards less regulated platforms or use virtual private networks to bypass restrictions.
Technology experts have also warned that even a state-backed verification system could be circumvented through relatively simple methods, including VPNs, borrowed adult accounts or devices verified by an adult and later handed to a child.
Without a technical enforcement mechanism, responsibility would largely return to parents and guardians, while the legislation treats social media within a framework similar to alcohol, tobacco and gambling.
However, critics argue that social media is not simply a product consumed by a child. It is also a means of communication, expression and access to information, making restrictions more complicated than checking whether someone is old enough to buy cigarettes or enter a betting shop.
The Greek retreat has effectively pushed the most difficult part of the debate back to Brussels.
On July 13, European Commission president Ursula von der Leyen received the final report of a special expert panel examining child safety online and potential age restrictions for social media.
The Commission said the report would inform future proposals covering a common EU approach, age-appropriate access, platform responsibility and stronger protections for minors. Von der Leyen said the Commission would study the recommendations before presenting a proposal after the summer, expected during September.
One of the tools already available is the EU age system, which allows users to prove that they meet an age threshold without giving a platform their identity, exact date of birth, passport details or facial image.
The current version was initially developed to confirm that users are over 18 when accessing restricted services, including pornography and gambling, although the technology can be adapted for other age limits and incorporated into national digital wallets.
Cyprus has announced plans to follow the same path. President Nikos Christodoulides said in April that the government intended to set 15 as the minimum age for creating and maintaining a social media account, while integrating the European age-verification system into the Digital Citizen application.
The original Cyprus announcement said legislation would regulate the scope of the measure, platform obligations, penalties for non-compliance and transitional arrangements.
However, earlier also raised practical questions over whether the system would effectively make the supposedly voluntary Digital Citizen app necessary for anyone wishing to access social media.
Deputy Research Minister Nicodemos Damianou told the Cyprus Mail that platforms would be required to carry out adequate age checks, although not necessarily through one specific application. In practice, however, Cyprus planned to provide the verification tool through Digital Citizen.
The government was aiming to introduce the verification mechanism by the end of 2026 or early 2027, while the wider legislative process was expected to be completed during 2027. Questions were also raised over access for foreign residents, asylum seekers and others who may not hold documents immediately compatible with the Cypriot application.
Children’s rights commissioner Elena Perikleous had earlier said that any Cypriot age restriction should be supported by an impact study, include children’s views and undergo public consultation.
Perikleous warned that restrictions could have unintended consequences for vulnerable children, including those in remote areas and those who depend on digital spaces for communication and expression.
Click here to change your cookie preferences