Last updated: July 2025

The UK Online Safety Act came into full enforcement in July 2025. For Shopify merchants selling vapes, adult products, supplements, or alcohol, the legal obligations are specific and the penalties for non-compliance are substantial. Here's what changes and what you need to do.

The Online Safety Act is no longer upcoming — it's in force

For the past two years, the UK Online Safety Act has been described as something that's coming. From July 2025, it's here. Ofcom's enforcement powers are active, the age verification requirements are legally binding, and the window for treating compliance as a future concern has closed.

For most Shopify merchants, the Act doesn't change anything. But for those selling age-restricted products — vapes, nicotine products, alcohol, adult content, adult products, and certain supplements — the changes are direct and operational. The Act requires age verification methods that actually confirm a customer's age. Self-declaration mechanisms that have been in widespread use don't meet the new standard. And the consequences of non-compliance are substantial enough to warrant taking the requirement seriously.

This guide explains what the Online Safety Act requires from Shopify merchants in regulated categories, what the enforcement landscape looks like, what no longer counts as compliant, and how to build a checkout that meets the standard — including how Pay by Bank via Fena integrates compliant age verification into the payment flow.

Quick summary

• The Online Safety Act came into full enforcement in July 2025, with active Ofcom powers to fine, restrict, and in serious cases require ISP-level blocks of non-compliant sites

• The Act requires robust age verification for any UK ecommerce operation selling or providing age-restricted content or products — self-declaration no longer meets the legal threshold

• The affected categories include vapes and nicotine products, alcohol, adult content and products, knives and bladed articles, and certain regulated supplements

• Shopify does not provide compliant age verification natively — merchants in affected categories need third-party solutions

• The Act sits alongside other existing legal frameworks — the Licensing Act for alcohol, TRPR for vape products, the Criminal Justice Act for bladed articles — which remain in force alongside the new requirements

• Pay by Bank via Fena provides integrated, bank-verified age confirmation at the payment stage, combining compliance and payment for merchants in regulated categories

What the Online Safety Act actually says — and what it means for ecommerce

The Online Safety Act was designed primarily to address the harms that children face through social media platforms and online content — but its scope extends beyond major platforms to any online service accessible to UK users that includes age-restricted content or products.

The core obligation for ecommerce merchants is age verification before access to restricted content or before purchase of restricted products. The Act defines what counts as restricted and what counts as sufficient verification — and the definition of sufficient verification is the change that directly affects merchants who have been relying on self-declaration.

The law doesn't just require that merchants try to prevent under-18s from accessing restricted content. It requires that the mechanisms used to prevent access are technically capable of confirming age — not just asking users to state it. This is the distinction between the old standard, where a tick box was broadly considered adequate, and the new one, where verification must use methods that draw on confirmed identity data.

For Shopify merchants, this means that the age gate currently on your store — if it uses a checkbox or a date-of-birth entry form — needs to be replaced with a solution that meets the robust verification standard before you take any more transactions involving age-restricted products.

Who is specifically affected

The Online Safety Act age verification requirements apply to UK-accessible ecommerce operations selling:

Vapes and nicotine products.

This category was already subject to age verification requirements under the Tobacco and Related Products Regulations. The Online Safety Act reinforces and extends this, requiring that the verification method meets the robust standard rather than relying on self-declaration.

Alcohol.

Online alcohol retail has been required to verify age under the Licensing Act for some time. The Online Safety Act raises the standard of that verification — the existing obligation to prevent sales to under-18s now needs to be met through robust verification at the digital storefront.

Adult content and products.

Sites hosting pornographic content have specific requirements under the Act. Merchants selling adult products are also within scope — the requirement to prevent access by under-18s applies to both the products and any associated content.

Knives and bladed articles.

The Criminal Justice Act prohibits the sale of knives to under-18s. Online retailers are within scope of both the existing criminal law and the Online Safety Act's verification requirements.

Regulated supplements and pharmaceuticals.

Products making specific health or performance claims that place them in a restricted category fall within scope. The specific boundary here requires individual assessment depending on the product and its regulatory classification.

Merchants with any products in these categories should treat the Act as applying to their store and implement accordingly.

What the enforcement landscape looks like

Understanding who enforces the Act and what their powers are is important context for assessing the compliance requirement.

Ofcom is the regulator responsible for the Online Safety Act. Its enforcement powers include issuing fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher. For most Shopify merchants, the £18 million cap is the relevant figure, but for larger operators the percentage-based calculation may be higher.

Beyond fines, Ofcom can require business disruption measures — including directing internet service providers to block access to non-compliant sites for UK users. This is the enforcement mechanism that has the most immediate operational impact: a non-compliant store could become inaccessible to UK customers without notice, which for a UK-focused business is effectively a shutdown.

Ofcom has also indicated it will operate on a risk-based enforcement model, prioritising the platforms and operations where harm is most likely. For high-volume retailers in categories with direct child harm risk — vapes marketed to younger audiences, for example — the risk profile is higher than for merchants in less obvious categories.

The practical implication is that the risk is real and the timeline is now. Waiting for an enforcement action before taking compliance seriously is not a rational risk management position.

What the Online Safety Act requires — and what no longer counts

The central change for most Shopify merchants is the move from any verification to robust verification.

What constitutes robust age verification under the Act:

Government-issued photo ID verification — the customer submits a photograph of a valid UK driving licence, passport, or equivalent document, which is processed to confirm the holder's date of birth and that the document is genuine.

Bank-based age confirmation — using open banking infrastructure to confirm account holder age through the bank's own KYC-verified records. Because UK banks hold verified identity information including date of birth as part of their regulatory obligations, confirmation drawn from this data is based on independently verified information rather than customer self-declaration.

Biometric verification — facial recognition or liveness detection cross-referenced with identity documentation to confirm both identity and age of the person making the purchase.

Accredited digital identity services — verification through providers operating within the UK digital identity trust framework, where the provider holds verified identity data.

What no longer meets the standard:

"I confirm I am 18 or over" checkboxes. Date of birth entry forms without verification. Pop-up age gates asking users to confirm their age. Any mechanism that relies on the user's own assertion of their age without independent verification.

The principle is straightforward: the law requires that the system performing verification is technically capable of confirming what it claims to confirm. Self-declaration by definition isn't — it confirms only that the user has ticked a box, which an under-18 user can do as easily as an adult.

Why Shopify's native tools aren't sufficient

Shopify includes an age verification feature as part of its platform, primarily implemented as a pop-up or page-level entry gate that asks customers to confirm they meet the age requirement. This is exactly the self-declaration mechanism that does not meet the robust verification standard.

For merchants in affected categories, Shopify's built-in age check cannot be relied on for Online Safety Act compliance. It was designed for a pre-Act standard and hasn't been updated to meet the robust verification requirement.

Third-party solutions are required. These fall into two broad categories: standalone age verification apps in the Shopify App Store that add verification as a step before or during checkout, and integrated solutions that combine age verification with the payment method.

The integrated approach has practical advantages for merchants who also need to address the payment processing challenge that most regulated category merchants face. Card processors — including Shopify Payments — don't support most regulated categories, which means merchants need a specialist payment solution alongside their age verification solution. An integration that handles both in a single checkout step is simpler to implement and maintain than two separate systems.

How Pay by Bank via Fena integrates compliance with payment

Fena's Pay by Bank integration for Shopify and WooCommerce addresses both the compliance requirement and the payment processing challenge for merchants in regulated categories.

Bank-verified age confirmation.

When a customer pays via Pay by Bank, the open banking infrastructure provides access to the bank's verified account holder data, including date of birth confirmed through the bank's KYC process. This provides robust age confirmation — drawn from bank-verified identity information, not customer self-declaration — at the payment stage.

FCA-authorised payment infrastructure.

Fena operates under FCA authorisation. The payment infrastructure is regulated under UK financial law, which provides a verifiable compliance foundation that goes beyond self-certification.

No card processor restrictions.

Because Pay by Bank uses open banking payment rails rather than card network infrastructure, the card network acceptable use policies that restrict regulated categories don't apply. Merchants selling legal vape products, adult items, or regulated supplements can use Fena without the account termination risk that card-based processors carry for these categories.

No chargebacks.

Pay by Bank transactions don't go through card networks, so card chargeback mechanisms don't apply. For merchants in regulated categories where chargeback rates are elevated, this removes a compounding operational risk alongside the compliance challenge.

Same-day settlement.

Revenue settles to the merchant's bank account same-day or faster — without the rolling reserves or delayed payout cycles that specialist high-risk card processors typically impose.

Direct Shopify and WooCommerce integration.

Fena adds Pay by Bank as a checkout payment option on both platforms without requiring significant development work or replacement of the existing store setup.

What to do now

If you're selling age-restricted products in any of the categories described above and your current age verification is a self-declaration mechanism, these are the immediate steps:

Identify your restricted products.

Go through your product range and categorise anything that falls within the affected categories. If you have any doubt about whether a specific product is in scope, err on the side of treating it as restricted.

Audit your current verification method.

If it's a checkbox or date-of-birth entry, it needs to be replaced. Document what you currently have as the starting point for the compliance audit trail.

Choose a compliant verification method.

For most UK ecommerce merchants, bank-based confirmation through an open banking payment integration is the lowest-friction option for customers and the most straightforward to implement. Government ID upload apps are an alternative where the payment integration doesn't include verification.

Update your store's legal documentation.

Your privacy policy, terms and conditions, and any age verification notices should be updated to reflect the method you're using and what data is collected and processed as part of the verification.

Maintain verification records.

Keep timestamped logs that a verification check was performed for each relevant transaction. These are relevant for any Ofcom review and should be retained in line with your data retention obligations.

Test the customer journey.

Walk through the complete purchase flow to confirm verification is working as intended, the customer experience is acceptable, and there are no gaps between the age-restricted content being accessible and the verification gate being applied.

Frequently asked questions

Does the Online Safety Act apply to all UK Shopify merchants?

No. The age verification requirements apply specifically to merchants selling or providing content that is restricted to adults under UK law — vapes, alcohol, adult content, adult products, knives, and certain regulated supplements. Merchants whose product ranges don't include any restricted categories are not directly affected by the age verification provisions.

What exactly counts as "robust" age verification?

The robust standard requires a verification method that is technically capable of confirming age using independently verified data — not just a customer's self-declaration. Methods that meet the standard include government ID verification, bank-based confirmation using open banking and bank-held KYC data, and biometric verification cross-referenced with identity documents.

Can I still use a checkbox age gate?

No. Self-declaration mechanisms — including checkboxes, date-of-birth entry, and age confirmation pop-ups — do not meet the Online Safety Act robust verification standard. Using these methods after the enforcement date does not constitute compliance.

What are the penalties for non-compliance?

Ofcom can impose fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher. Ofcom can also require ISPs to block access to non-compliant sites for UK users — which is effectively a site shutdown for UK-focused businesses.

Does Shopify provide compliant age verification?

Shopify's native age verification uses self-declaration, which doesn't meet the robust standard. Merchants in affected categories need third-party solutions — either standalone age verification apps or integrated solutions that combine verification with payment.

How does Pay by Bank via Fena help with Online Safety Act compliance?

Fena's Pay by Bank integration incorporates bank-based age confirmation using verified account holder data held by the customer's bank through its KYC process. This meets the robust verification standard at the payment stage, and combines compliance with a payment method that works for regulated categories — without card network restrictions, chargebacks, or rolling reserves.

What records do I need to keep to demonstrate compliance?

Timestamped logs confirming that age verification was completed for each relevant transaction, the verification method used, and the outcome. These records are the evidence base for any regulatory review and should be maintained for a period consistent with your data retention obligations.