,

Online safety moves into the default settings

Teen protections will become part of platform configuration rather than guidance.

Online safety moves into the default settings
Summary
  • Social platforms will have to apply overnight limits and disable selected engagement features by default for 16- and 17-year-olds.
  • Regulations are expected by the end of 2026, with implementation planned for spring 2027.
  • Age assurance, privacy, circumvention, and scope will determine whether the controls operate effectively.

Social-media services operating in the UK will be expected to apply midnight-to-6am restrictions to accounts belonging to 16- and 17-year-olds and switch off selected engagement features by default, moving online-safety policy into the configuration of products used every day.

The Department for Science, Innovation and Technology says autoplay and continuously personalised feeds will be among the features disabled for older teenagers, although users in that age group will retain the ability to alter their settings.

The first regulations are due to be laid before Parliament by the end of 2026 and are expected to take effect in spring 2027. The rules are intended to avoid an abrupt removal of protection when young people move beyond the government’s planned restrictions for children under 16.

A pilot involving more than 300 teenagers and parents found that overnight restrictions became part of some household routines and were associated by participants with improved sleep and concentration. The government’s policy update also proposes mandatory breaks for under-18s using AI chatbots and action against services offering dangerous or unverified mental-health advice.

Defaults create an engineering obligation

Platforms already provide parental controls, time reminders, and optional quiet modes, but a statutory default changes the compliance burden. Product teams must identify affected users, apply the correct configuration, record whether settings were changed, and demonstrate that the controls work across devices, services, and account types.

Age assurance will sit at the centre of implementation because a service cannot apply age-specific settings reliably without knowing whether an account belongs to a 15-year-old, 17-year-old, or adult. Stronger identification can improve enforcement, but additional identity or biometric collection introduces privacy, security, and exclusion risks.

Companies may combine declared age, account behaviour, device information, age-estimation services, parental confirmation, or identity credentials. Every approach produces errors, and the consequences differ depending on whether a child is incorrectly treated as an adult or an adult is placed under restrictions.

Circumvention will add another operational problem as young users create replacement accounts, alter dates of birth, use virtual private networks, share devices, or move to smaller services. Effective regulation requires proportionate enforcement across the market rather than controls that apply only to the largest and most visible platforms.

Engagement design enters the rulebook

The policy advances the argument that online harms are influenced by product architecture as well as individual content. Autoplay, infinite feeds, recommendations, notifications, and streaks affect how long people remain on a service and how rapidly they encounter additional material.

Restricting defaults for older teenagers does not establish that every personalised feed or autoplay feature is inherently harmful. It does require companies to justify how engagement systems operate for younger users and to maintain products capable of differentiating between age groups.

Businesses will need clarity over which services and features fall within the rules. Social networks, video platforms, messaging products, games with social functions, and AI companions overlap, so narrow definitions could encourage relabelling while excessively broad ones could capture products with markedly different risks.

The proposed chatbot measures show how regulation is extending beyond conventional social media. Systems that offer companionship, advice, or conversational support can create risks that content-moderation frameworks were not designed to address, particularly when users treat an automated response as authoritative or emotionally significant.

Smaller platforms will face a different compliance challenge from large companies that can maintain dedicated safety, age-assurance, policy, and engineering teams. Reliance on third-party tools may create a market for compliance technology, although it could also increase entry barriers and concentrate sensitive age data among a few suppliers.

The announcement establishes the direction while leaving decisive details to secondary regulation and enforcement: which features qualify, how user choice should work, what records platforms must retain, which age-assurance techniques are acceptable, and how services should respond when controls are bypassed.

By spring 2027, online-safety compliance will be visible not only in policy documents and transparency reports but in the behaviour of an account after midnight. Regulators gain a measurable product outcome, while platforms inherit the difficult work of balancing protection, privacy, and personal autonomy.