Safety by Design: What It Means and Why It Matters
The principle that online safety should be built into platforms from the start — not added as an afterthought. Practical examples of what safety by design looks like in practice.
Safety by design is the principle that online platforms should be engineered so that safety is the default — not an optional setting or a post-hoc fix. The Online Safety Act embeds this principle into UK law. Rather than platforms choosing how to design their services and then dealing with the safety consequences, the Act requires platforms to assess safety risks before those risks materialise and design their services accordingly.
The core principle
Safety by design means that safety considerations must be built into a platform's architecture, algorithms, and default settings — not layered on top as optional features. This contrasts with the historical approach of designing for engagement first and then adding safety features in response to public pressure or regulation. The Online Safety Act requires platforms to carry out risk assessments before implementing new features, not after harmful consequences emerge.
Key takeaway: Safety must be designed in from the start — not bolted on after harm has already occurred.
Practical examples for children's services
Safety by design in practice includes: default private accounts for users under 18 (strangers cannot find them by default); direct messaging restricted to confirmed mutual connections for under-18s; algorithms that do not recommend harmful content to young users; no targeted advertising based on children's data; simple, prominent reporting tools; and age-verification prompts before accessing adult features. These are design decisions, not content moderation decisions — they shape the environment children inhabit online.
Key takeaway: Private accounts by default, restricted messaging, and no algorithmic amplification of harm are core examples of safety by design.
Dark patterns and what the Act says about them
Dark patterns are design techniques that manipulate users into choices that benefit the platform at the user's expense — such as making privacy settings hard to find, using confusing toggle design, or placing 'accept all' cookies buttons prominently and 'reject all' in small print. The Online Safety Act and the ICO's Children's Code both prohibit the use of dark patterns to undermine children's safety and privacy. Age-appropriate design must be genuine and accessible, not a nominal gesture.
Key takeaway: Platforms cannot use confusing design to undermine safety — age-appropriate settings must be findable and genuinely protective.
Algorithmic recommendations and children
One of the most significant safety-by-design requirements in the Act is the regulation of recommendation algorithms. Platforms must ensure their algorithms do not recommend harmful content to children, including content promoting self-harm, eating disorders, or extreme behaviour. The algorithm that drives what children see in their feed is itself a safety-relevant design decision — one that platforms must now justify and control rather than optimise purely for engagement.
Key takeaway: Recommendation algorithms are a core safety mechanism, not just an engagement tool — platforms must control what they serve to children.
What families should expect to see
As safety-by-design requirements are implemented across 2025 and 2026, parents should expect to see: new accounts for under-18s being set to private by default; fewer unsolicited friend or follower requests from strangers for young users; easier-to-find reporting buttons; and reduced exposure to recommended content that promotes self-harm or extreme content. If you set up a new account for a child and find that the defaults are not as protective as expected, you can report this to Ofcom as a potential non-compliance indicator.
Key takeaway: New accounts for under-18s should now be set to private by default — check whether this is happening when you set up accounts.
What the Act does
Requires platforms to assess safety risks before implementing new features or services.
Prohibits the use of dark patterns that undermine children's safety or privacy.
Requires age-appropriate defaults, including private accounts for under-18s.
Obligates platforms to ensure algorithms do not recommend harmful content to children.
What the Act does not do
Understanding the limits of the Act helps you set realistic expectations when using complaint and reporting processes.
Prescribe the exact technical architecture platforms must use — it sets outcomes, not implementation details.
Mean that all risk can be eliminated — it requires proactive risk reduction, not perfection.
Apply only to new platforms — existing services must update their design to comply.
Practical steps
When setting up a new account for your child, check whether the account defaulted to private — if not, note the platform for potential Ofcom reporting.
Check whether the platform uses a chronological feed option (which reduces algorithmic amplification) and enable it where available.
Review whether the platform's reporting button is easy to find — genuinely accessible reporting is a legal requirement.
Talk to your child about the design choices platforms make and why the defaults matter.
Frequently asked questions
Does safety by design mean children's accounts are always private?
Default privacy for new accounts for under-18s is a requirement under Ofcom's Children's Safety Code. However, children or their parents can change settings. The requirement is that the default — what happens when you first sign up — is safe, not that the setting is locked permanently.
Which platforms are furthest ahead on safety by design?
Platform compliance varies. Some platforms — including Instagram and TikTok — had begun implementing teen safety features before the Act came into force, partly in anticipation of regulation. Others have been slower. Ofcom's transparency register and published Children's Safety Code compliance assessments give the most up-to-date picture.
Sources and further reading
Related guides
Last reviewed: 19 April 2026
This is practical educational content to support families. For case-specific concerns about a child's safety, contact the NSPCC helpline on 0808 800 5000 or your local safeguarding team.
Was this page helpful?