May 22, 2026
Snapchat, Roblox, and Meta Just Promised Ofcom They Will Change Their Apps to Protect UK Children—YouTube and TikTok Said Their Existing Features Were Already Enough
The split is the story. Three platforms accepted that they had to change. Two told the British regulator their existing controls were sufficient. Ofcom said it would not "hesitate to act" if the promises move too slowly.
What Was Promised, and What Was Not
On May 21, 2026, The Record from Recorded Future News reported that Ofcom—the UK's communications regulator and the enforcement body for the Online Safety Act—had received written commitments from three major platforms after a formal review of how children are contacted, recommended, and exposed to risk on their services.
Snapchat agreed to restrict adult-to-child contact and eliminate the auto-suggested "people you may know" features that have historically connected strangers to minors. Roblox agreed to expand the parental control panel so that direct messaging can be disabled for users under sixteen at the parent's option. Meta agreed to set teenage Instagram accounts to a default where the contact list is hidden, and to deploy AI classifiers that detect sexualized adult-to-child conversations in direct messages and report them to the National Center for Missing and Exploited Children.
YouTube and TikTok declined to make new commitments. Both told Ofcom their existing protections were already sufficient. Ofcom's response, in writing, was that "these commitments must now translate into action," and that if "promised improvements happen too slowly...we will not hesitate to act."
The Mechanism Behind Each Change
The Snapchat commitment is the most operationally visible. The platform's "Quick Add" feature surfaces other users you might know based on phone contacts, mutual friends, and inferred relationships. For minors, that feature has been the documented mechanism for adults to find children they otherwise had no connection to. Removing or restricting Quick Add for users under eighteen breaks that discovery path. The Quick Add change is the kind of design choice that takes a feature off the table for everyone, not just abusers, because the discovery mechanism itself was unsafe.
The Roblox change keeps the underlying capability—direct messaging—but transfers control to the parent. A child under sixteen logs into an account whose messaging permission depends on the linked parent account's setting. The parent can disable it, restrict it to friends only, or leave it open. The mechanism is structurally similar to how Apple's Screen Time controls work on iOS: the capability exists, but the permission to invoke it sits with someone else.
Meta's commitment has two parts. The default privacy setting for teenagers on Instagram changes from a state where the contact list and followers are visible to others to a state where they are hidden. The change matters because the existing default exposes a sixteen-year-old's social graph to anyone who lands on their profile, and that exposure is the input to targeted grooming. The second part—AI classifiers on direct messages—is structurally similar to the CSAM detection systems that have operated on cloud storage for years, but applied to live messaging traffic. Meta has committed to forwarding positive classifications to NCMEC, which is the established reporting pipeline for child exploitation material in the United States.
Why YouTube and TikTok Said No
The two platforms that declined to make new commitments are also the two platforms whose primary engagement vector is recommendation rather than messaging. YouTube and TikTok are read-mostly platforms: users consume the recommended feed, and the platform's main risk to minors comes from what gets recommended, not from who reaches out to them.
Both platforms argued to Ofcom that their existing recommendation guardrails, age gates, and content moderation already met the standard the Online Safety Act sets for children. That argument is internally consistent: if the risk is what shows up in the feed, then the existing moderation infrastructure is the relevant control. It is also a higher-risk argument to make in front of a regulator that has issued six fines under the Act since January and is actively investigating ninety services.
Ofcom's view, as expressed in the report, is that the existing protections are not sufficient. That sets up a near-term enforcement test. If YouTube and TikTok do not voluntarily change their practices, the next step is a formal investigation. The most recent investigations have ended in fines—£800,000 against Kick Online Entertainment in February for failing to enforce age verification on pornographic content, with similar fines applied to other services that did not comply.
The Underlying Statute: The Online Safety Act
The UK Online Safety Act, in force since 2023, requires services accessible from the UK to take "proportionate" steps to protect children from harm. The Act is enforced by Ofcom and carries fines of up to ten percent of global revenue, with potential criminal liability for senior managers in the case of serious or persistent failures. The Act gives Ofcom the authority to demand information from platforms, to set codes of practice that platforms must follow, and to block non-compliant services from operating in the UK.
The May 21 announcement is part of an ongoing implementation cycle. Ofcom is publishing reports throughout 2026 on how specific categories of risk—child contact, harmful content recommendation, age verification—are being addressed by the platforms in scope. The next major report is due by the end of July 2026 and will assess how services have used age assurance technology and how effective it has been.
The Act is also the legal foundation for Ofcom's January 2026 investigations into X over the Grok AI chatbot's role in generating sexualized deepfakes of minors, and into a separate AI service called Joi.com. Those investigations remain open. The same statutory power that allowed Ofcom to demand commitments from Snapchat is what compels X to respond to the deepfake investigation.
The Pattern in Europe
The UK is not alone. The European Commission has taken a parallel approach under the Digital Services Act. In April 2026, the EU Commission told Meta its age check on Instagram was effectively a birthday field, and 12% of European children under thirteen were already on the platform. Meta is now under formal DSA investigation in the EU and under voluntary commitment review in the UK simultaneously.
Brazil moved earlier in the same direction. Its updated Digital ECA—the Child and Adolescent Statute—turned privacy by default into a baseline requirement for any service used by minors. Parental consent is no longer sufficient on its own. The platform also has to design defaults that do not expose the child even if a parent later changes the setting.
In the United States, the FTC updated its Children's Online Privacy Protection Act rule in April 2026, with new requirements taking effect April 22. The American approach remains opt-in rather than opt-out, but the enforcement tempo has picked up.
Why the UK Pressure Is Different
Three things distinguish what is happening in the UK from analogous regulatory pressure in other jurisdictions. First, Ofcom can name and shame in public, and has done so repeatedly. The Snapchat, Roblox, and Meta commitments are public commitments. The YouTube and TikTok refusals are also public. The reputational pressure is part of the enforcement design, not an accidental byproduct.
Second, the Act's fine cap of ten percent of global revenue is large enough to matter at the corporate-parent level. A ten-percent-of-revenue fine against Alphabet would be measured in tens of billions of dollars. The risk profile is materially different from a per-incident fine. Behavioral change becomes cheaper than the risk of a top-line revenue hit.
Third, the Act includes criminal liability for named senior managers in cases of "serious or persistent failure." That clause has not yet been tested in court. It does not need to be. Its existence is enough to change how compliance is staffed inside the regulated companies. Senior managers whose personal liability is at stake make different prioritization choices than senior managers whose only exposure is to corporate fines.
What Happens If the Promises Do Not Convert to Action
Ofcom's report is unusually clear on what comes next. Voluntary commitments have a deadline implied by the next published assessment. The July 2026 report will measure age assurance implementation. The remaining 2026 reports will measure contact restriction and recommendation safety. Each report is a checkpoint.
If a platform that promised changes has not implemented them by the relevant checkpoint, the next step is a formal investigation under Section 100 of the Act. Investigations can result in compliance orders, fines, or both. The orders can be specific—delete a feature, change a default setting, retain certain data for audit. The fines can be appealed but cannot be paused during appeal.
For platforms that declined to commit—YouTube and TikTok—the path to enforcement starts now. Ofcom does not need a missed deadline to investigate a service that has refused to make changes the regulator considers necessary. The investigation can begin on its own initiative.
The Wider Privacy Question
Almost every meaningful child safety control implies a privacy trade for adults. AI scanning of direct messages, the Meta commitment that drew the strongest civil liberties commentary, means that the same classifier that detects predatory adult contact will see every other message too. Apple's CSAM scanning proposal in 2021 was ultimately withdrawn after a similar concern that the necessary infrastructure could be repurposed.
Meta's implementation will determine whether the scanning is genuinely limited to the policy goal or whether the same infrastructure becomes available for other content categories later. The UK's rollback of Instagram's end-to-end encrypted DMs on May 8 made the question more pointed. The platform that promised default encryption for years and then removed it is now also the platform deploying message classifiers under regulatory pressure.
The compliance pattern that emerges is a familiar trade. Child safety controls compel content visibility. Content visibility compels less private messaging. The regulator pushing for one outcome is structurally connected to the other. For users—and for the parents the policy is supposed to protect—the operational reality is that messaging on the platforms covered by these commitments will be measurably less private going forward.