UK Age Verification on Shopify in 2025: What the Online Safety Act Requires and How to Comply

Last updated: July 2025

From July 2025, robust age verification is a legal requirement for UK Shopify stores selling vapes, alcohol, adult products, and other age-restricted goods. Here's what the Online Safety Act requires, what no longer counts as compliant, and how to build a store that meets the standard.

Age verification is no longer a best practice — it's a legal requirement

For UK Shopify merchants selling age-restricted products, the regulatory landscape changed significantly in 2025. Under the Online Safety Act, robust age verification is now a legal requirement for any online store selling products or services that are restricted to adults under UK law. The checkbox disclaimer — "I confirm I am 18 or over" — is no longer compliant. Self-declaration is no longer sufficient. The law now requires verification methods that actually confirm a customer's age rather than asking them to assert it.

The consequences of non-compliance are serious: fines of up to £18 million or 10% of global annual turnover (whichever is higher), potential store takedowns, and in serious cases, ISP-level blocks preventing UK users from accessing the site. For merchants in affected categories, understanding what the law now requires — and what doesn't meet the standard — is a commercial necessity, not just a compliance exercise.

This guide covers which products are affected, what verification methods now meet the legal threshold, what Shopify provides by default and where it falls short, and how Pay by Bank via Fena integrates compliant age verification with the payment step for merchants in regulated categories.

Quick summary

  • The Online Safety Act requires robust age verification for UK ecommerce stores selling age-restricted products, effective from July 2025 — self-declaration checkboxes are no longer compliant

  • Affected categories include vapes and nicotine products, alcohol, adult content and products, knives and weapons, and certain supplements and pharmaceuticals

  • Robust verification means methods that actually confirm age — government ID upload, bank-based age confirmation via open banking, or biometric verification cross-referenced with ID

  • Shopify does not provide compliant age verification tooling by default — third-party solutions are required for all affected merchants

  • Pay by Bank via Fena integrates age verification into the payment flow for affected Shopify and WooCommerce merchants, combining compliance and payment in a single step

  • Non-compliance carries substantial regulatory risk — the enforcement framework under the Online Safety Act gives Ofcom meaningful powers to act against non-compliant sites

Which products are affected

The Online Safety Act age verification requirements apply to any UK ecommerce operation selling products or services that are legally restricted to adults — defined as 18 and over. The categories that are clearly affected include:

Vapes and nicotine products.

The Tobacco and Related Products Regulations have required age verification for nicotine product sales for some time. The Online Safety Act strengthens this at the digital storefront level, requiring verification that meets the robust standard rather than self-declaration.

Alcohol.

The Licensing Act restricts the sale of alcohol to adults, and online sales are subject to the same age restriction as in-person sales. Digital age verification that meets the Online Safety Act standard is now required for online alcohol retail.

Adult content and products.

Sites hosting user-generated pornographic content must use robust age verification under the Online Safety Act. For merchants selling adult products, the same verification standard applies to prevent access by under-18s.

Knives and bladed articles.

The Criminal Justice Act restricts knife sales to adults, and this applies equally to online retail. Age verification is required at the point of sale.

Certain supplements and pharmaceuticals.

Products making sexual health claims or containing restricted substances may fall within the requirement depending on their specific regulatory classification.

If any of your products fall into a restricted category, the requirement applies to access to that content across your entire store, not just to individual product pages. The law does not permit under-18s to browse age-restricted sections and then be age-verified only at checkout. Verification should gate access before the restricted content becomes accessible.

What "robust" age verification actually means

The shift from voluntary declaration to legally required verification is the central change merchants need to understand. The Online Safety Act specifies that age verification must use methods that are technically and procedurally capable of confirming age with a reasonable level of certainty — not simply asking users to state their age.

Methods that meet the robust standard include:

Government-issued ID verification.

The customer uploads a photograph of a government-issued document — passport, driving licence, or equivalent — which is processed to confirm the holder's age. This is a verifiable, document-based confirmation rather than a self-declaration.

Bank-based age confirmation.

Open banking data can confirm account holder age through the customer's existing banking relationship. Because UK banks hold verified customer identity data including date of birth, open banking-based age confirmation draws on existing, KYC-verified information rather than requiring the customer to submit documentation separately. This is particularly relevant for merchants using Pay by Bank — the payment and the age verification draw on the same underlying bank account data.

Biometric verification.

Facial recognition or liveness detection cross-referenced with ID documentation can confirm that the person making the purchase is the person documented and of legal age. This method provides strong verification but requires more customer effort than bank-based confirmation.

Digital identity services.

Accredited digital identity providers that hold verified identity information — such as those operating within the UK digital identity trust framework — can confirm age against their records.

What no longer meets the standard:

Self-declaration checkboxes ("I confirm I am 18 or over") are not robust age verification and do not meet the Online Safety Act requirement. Neither are date of birth entry forms without subsequent verification, popups asking the customer to confirm they are an adult, or any other mechanism that relies solely on the customer's own assertion of their age.

The principle the Act establishes is that the burden of confirming age should not rest on customer honesty — it should rest on a verification mechanism that is technically capable of confirming what it claims to confirm.

What Shopify provides — and where it falls short

Shopify includes some age verification functionality as part of its native platform, primarily the ability to display a pop-up or entrance page requesting age confirmation. This built-in functionality uses self-declaration — it asks customers to confirm they are over 18 before proceeding.

This does not meet the Online Safety Act robust verification standard.

For merchants in affected categories, Shopify's built-in age verification tools are not sufficient for 2025 compliance. Third-party solutions — either standalone age verification apps or integrated payment solutions that incorporate verification — are required.

The Shopify App Store includes several age verification applications that offer higher verification standards, including ID document upload and third-party identity checking. These provide a higher standard than Shopify's native pop-up, but the quality and compliance level of individual apps varies, and merchants should evaluate whether the specific verification method offered by any app meets the robust standard the Online Safety Act requires.

For merchants who also need a payment processing solution that works for their regulated category — particularly those who are finding card processors unwilling to support their product type — an integrated solution that combines age verification with payment is a more efficient approach than maintaining them as separate systems.

How Pay by Bank via Fena addresses age verification for UK merchants

Fena's Pay by Bank integration for Shopify and WooCommerce incorporates age verification capabilities as part of the payment flow for merchants in age-restricted categories. This is significant because it combines two requirements that affected merchants need to address simultaneously: a payment method that works for their product category and a verification mechanism that meets regulatory standards.

Bank-based age confirmation.

The open banking infrastructure that underlies Pay by Bank provides access to verified account holder data including date of birth, which banks hold as part of their KYC (Know Your Customer) process. This means the age confirmation is based on bank-verified information rather than customer self-declaration — meeting the robust standard at the payment stage without requiring the customer to submit additional documentation.

FCA-authorised infrastructure.

Fena operates under FCA authorisation for open banking payment services. The compliance foundation is regulatory rather than self-certified, which provides a verifiable basis for the verification standard being applied.

Integrated rather than additive.

Rather than implementing age verification as a separate step before checkout and payment as another step after it, the Fena integration handles both within the same flow. For the customer, this means a single, coherent checkout experience. For the merchant, it means a single integration rather than two separate compliance systems to maintain and update.

No chargebacks on Pay by Bank transactions.

Merchants in regulated categories face elevated chargeback rates with card processors, which compounds the compliance challenge — non-compliant merchants may lose card processing relationships, but compliant merchants also face elevated dispute exposure from the categories they operate in. Pay by Bank removes the card chargeback mechanism entirely for transactions processed through it, which addresses a secondary operational challenge alongside the primary compliance one.

Shopify and WooCommerce native integration.

Fena's integration connects directly to both platforms as a checkout payment option. It doesn't require replacing the existing store setup or undertaking significant development work.

Practical steps for becoming compliant

Audit your product range.

Identify every product category in your store that falls within the age-restricted definitions under UK law. If any products are restricted, the age verification requirement applies to your store.

Review your current verification method.

If your current approach is a self-declaration checkbox or a date of birth entry field without subsequent verification, it does not meet the 2025 standard and needs to be replaced.

Choose a verification method that meets the robust standard.

This means government ID verification, bank-based confirmation through open banking, or biometric verification. Evaluate the customer experience impact of each — bank-based confirmation through the payment flow is typically the lowest-friction option for customers who are making a purchase anyway.

Update your legal pages and product descriptions.

Your terms and conditions, privacy policy, and product pages should reflect the age verification requirement and the method you're using. This documentation is relevant both for customer transparency and for any compliance review.

Maintain verification logs.

Keep records of age verification events — timestamped confirmation that verification was completed for specific transactions. This documentation is relevant for demonstrating compliance if the store is ever reviewed by Ofcom or another regulatory body.

Test the full customer journey.

After implementing your chosen verification solution, go through the complete customer journey — from site access through checkout — to confirm the verification gate is working as intended and that the customer experience is acceptable.

Frequently asked questions

Is age verification legally required for UK Shopify stores in 2025?

Yes, for stores selling age-restricted products. Under the Online Safety Act, robust age verification is legally required from July 2025 for UK ecommerce operations selling products restricted to adults under UK law. This includes vapes, nicotine products, alcohol, adult products, knives, and certain other categories.

What counts as robust age verification under the Online Safety Act?

Robust verification requires a method that is technically capable of confirming a customer's age — not just asking them to declare it. Compliant methods include government ID upload and verification, bank-based age confirmation using open banking data, and biometric verification cross-referenced with ID. Self-declaration checkboxes and date-of-birth entry forms do not meet the standard.

Does Shopify have built-in compliant age verification?

Shopify's native age verification tools use self-declaration, which does not meet the Online Safety Act robust standard. Merchants in affected categories need to implement third-party verification solutions. Shopify does not provide government ID verification, bank-based confirmation, or biometric verification natively.

What are the penalties for non-compliance?

Ofcom has enforcement powers under the Online Safety Act that include fines of up to £18 million or 10% of global annual turnover, whichever is higher. In serious cases, Ofcom can require ISPs to block access to non-compliant sites for UK users, and can require app stores to remove non-compliant apps.

How does Pay by Bank via Fena help with age verification compliance?

Fena's Pay by Bank integration includes bank-based age confirmation as part of the payment flow, using verified account holder data held by banks through their KYC processes. This meets the robust verification standard at the payment stage, combining compliance and payment in a single integrated step rather than requiring separate systems for each.

Is bank-based age confirmation compliant with the Online Safety Act?

Yes. Bank-based confirmation that draws on bank-verified identity data — including date of birth held through the bank's KYC process — meets the robust age verification standard because it relies on previously verified information rather than customer self-declaration.

Do I need age verification even if I only sell some age-restricted products?

Yes, if any of your products fall within restricted categories, the age verification requirement applies to access to those products or content. The law requires that under-18s are prevented from accessing age-restricted content — this means verification should gate access to restricted sections or products, not only occur at the point of purchase.

What records should I keep for age verification compliance?

Keep timestamped logs confirming that age verification was completed for each relevant transaction, along with the verification method used and the outcome. These records are relevant for demonstrating compliance in any regulatory review and should be retained for a reasonable period, at minimum in line with your existing data retention policy.