On 19 June 2026, Ofcom announced it had fined First Time Videos LLC, operator of FTVGirls.com and FTVMilfs.com, £80,000 for failing to comply with section 81 of the Online Safety Act 2023 — the duty requiring pornography providers to use "highly effective" age verification or age estimation so that children cannot normally encounter their content. Ofcom's decision is small in absolute terms next to the headline fines the regulator has issued elsewhere. That is the point, not a flaw.
A System, Not a One-Off
The First Time Videos case did not happen in isolation. Ofcom opened its investigation on 10 June 2025, issued a formal information notice in January 2026 after the company failed to respond, reached a provisional finding of contravention on 31 March 2026, and finalised a Confirmation Decision on 18 June 2026 — a full year of process before a penalty was struck. As Ofcom's enforcement programme page shows, First Time Videos is one of more than 20 providers under investigation, alongside completed cases against Youngtek Solutions (£600,000), AVS Group (£1.05 million), 8579 LLC (£1.4 million) and Kick Online Entertainment (£830,000). The statutory ceiling is £18 million or 10% of qualifying global revenue, whichever is greater. Ofcom's Director of Enforcement, George Lusty, put the underlying logic plainly: "Age checks are not optional, and are a cornerstone of our laws to protect children from harmful content, including pornography."
The spread of fines — from £80,000 to £1.4 million — is itself informative. Ofcom is explicitly calibrating penalties to the size and turnover of each operator, which is the correct design choice for a regime that governs everything from a two-site LLC to companies with tens of millions in revenue. A flat fine schedule would have either been meaningless to large operators or ruinous to marginal ones.
The Case for the Regime
Ofcom's mandate here deserves a fair hearing before any criticism. Section 81, which took effect on 17 January 2025 per the government's own explainer, responds to a genuine and long-documented problem: pornographic content has been trivially accessible to minors on the open web for two decades, gated by nothing more than a click-through "I am 18" checkbox that verifies nothing. Ofcom's guidance sets a real bar — technically accurate, robust, reliable and fair — and explicitly rules out self-declaration as insufficient. Acceptable methods include photo-ID matching, facial age estimation, open banking checks and mobile-operator verification. Given the scale of harm campaigners and clinicians have attributed to early, unmoderated exposure to pornography, a statutory duty backed by real penalties is a defensible policy response, not moral panic dressed up as law.
Where the Regime Still Strains
The harder question is whether the compliance burden this creates is proportionate to the problem it solves, and whether it is being implemented in a way that respects privacy. The Open Rights Group's briefing on VPNs and the Online Safety Act makes a point too often skipped over in enforcement-focused coverage: age gates are trivially circumvented by VPNs, borrowed credentials, or the many pornography sites outside UK jurisdiction that simply never comply. ORG's assessment is that the users most likely to route around age checks are exactly the teenagers the law is trying to protect, while the compliance burden falls heaviest on smaller, UK-adjacent, or law-abiding operators — precisely the ones Ofcom can practically fine. That creates an uncomfortable asymmetry: enforcement capacity tracks jurisdictional reach, not risk to children.
There is a parallel privacy cost. EFF's reporting has documented that some age-assurance vendors collect far more than a yes/no age signal — in one widely cited case, a provider ran identity checks screening users against categories of "adverse media" unrelated to age at all. A regime built to keep children off pornography sites should not become a backdoor mechanism for expansive identity profiling of adults, particularly for populations — LGBT users chief among them — who have specific reasons to fear data exposure tied to browsing habits.
The Proportionate Path
None of this argues for abandoning section 81. It argues for narrowing the compliance model around what actually works: mandate data minimization in age-assurance contracts, require providers to delete verification data immediately after a pass/fail determination, and treat VPN and jurisdiction-based circumvention as a permanent limit on what domestic enforcement can achieve — rather than escalating toward VPN restrictions that Ofcom has not sought but that some parliamentarians have floated. Ofcom's revenue-scaled fine structure already shows the regulator can calibrate for proportionality. The next test is whether it can hold providers to a privacy-protective standard with the same rigor it now applies to age-check compliance. The First Time Videos fine suggests the enforcement apparatus works. Whether it is enforcing the right standard, on the right targets, is the debate that £80,000 doesn't settle.