Dentons | Paul Langford, Dr. Kuan Hon, Antonis Patrikios, Simon Elliott | Tatiana Kruse

If your business provides online services in the UK which involve any user-to-user interaction, it is likely that the Online Safety Act (OSA) will regulate that activity. The new regime affords significant enforcement powers to Ofcom, including fines of up to £18 million or 10% of global revenue, and potential business disruption or criminal penalties for serious breaches.

On 17 October 2024, Ofcom published an important update on the UK’s new online safety regime under the OSA, detailing revised timelines.

In this update, we cover:

What is the background and scope of the OSA?

The OSA received Royal Assent on 26 October 2023 and now applies to most online services with certain UK links, e.g. targeting UK users, regardless of the provider’s location or size. There are duties under the Act which apply to search services, but it is the duties which are imposed on user-to-user services (as the name suggests, services that allow users to post content online or to interact with each other) which have caused the most concern. A wide range of businesses clearly fall within this category – such as consumer file or video sharing sites, forums, chat facilities, dating services and online instant messaging services.

The key initial duties relate to conducting certain risk assessments and also children’s access assessments (on whether the service is likely to be accessed by children, even if in-scope services are not targeted at children). User-to-user services must already include specific provisions in their terms, covering users’ rights to claim for breach of contract in certain circumstances, and in future (when the relevant Ofcom Code takes effect) terms must also cover matters such as how individuals are to be protected from illegal content and how complaints are to be handled.

Those who operate other types of website, apps or online service may also fall within the user-to-user service category, even where these services are not at the core of their regular trade or business. An example would be a business which decides to add a shoutbox/chat widget facility to its website or app, which inadvertently allows a user to make publicly visible remarks about another user/user’s comment. This is the sort of service that could easily be caught; in contrast, most below-the-line review facilities on a trader’s website will generally not be within scope.

Furthermore, services that are designated as “categorised services” based on certain thresholds will be subject to additional duties, depending on the category assigned: 1, 2A or 2B. The designations will determine which businesses will face much stricter requirements, including transparency reports and stronger content controls. However, many of the most popular services are yet to be designated and the final categorisation thresholds remain unknown. Back in March 2024, Ofcom provided its advice to the Secretary of State on which/how services should be categorised, but secondary legislation is necessary to set out the thresholds.

Another issue relates to the fact that the Act applies to services even if the companies providing them are outside the UK, if indeed they have links to the UK. Where a service has a significant number of UK users, focuses on UK users as a target market or is capable of being accessed by UK users and there is a material risk of significant harm to such users, the service will be territorially in-scope.

Is everything crystal clear now that the Act is on the statute books? Not quite. Despite being passed over a year ago, many of the duties are still lacking in detail due to the phased implementation of the key duties. However, as Ofcom finalises the remaining codes of practice and guidance documents, further clarification will follow.

What are the key milestones and deadlines?

A key date for diaries is December 2024. This is the month from which your business, if affected, will need to start taking steps to comply with the new duties in relation to each affected service.

We set out below the main expected milestones, timeline, Ofcom action and what you need to do to ensure that your affected service(s) will be compliant with the OSA.

The above timeline gives an indication of anticipated key dates, but note that timings according to Ofcom’s webpage and PDF differ, and actual timings will depend on various factors including Parliament passing the relevant secondary legislation within the anticipated timeframes.

Ofcom’s helpful diagram is below:

© Crown Copyright 2024, from Implementing the Online Safety Act: progress update, October 2024 – Timetable for implementing the Act.

What are Ofcom’s enforcement priorities?

With just a few months before the first set of duties comes into effect, Ofcom has outlined its eight key priorities. The focus remains on tackling illegal harms and protecting children, which is to be achieved by ensuring that those businesses which provide regulated services conduct risk assessments and implement strong safety measures. Please see Ofcom’s diagram below.

© Crown Copyright 2024, from Implementing the Online Safety Act: progress update, October 2024 – Ofcom’s focus for the next three years.

In more detail, Ofcom has stated that its focus for the next three years is as follows:

  • Risk assessment and governance: Focusing on user safety and naming senior accountable people.
  • Child protection: Ensuring robust age check and content filtering are in place to protect children from harmful material.
  • Child abuse: Blocking the possibility of sharing child sexual abuse materials. Ensuring children do not face unsafe contact from adults.
  • Illegal content: Ensuring hate speech, terrorism or other illegal content is taken down quickly.
  • Gender abuse: Implementing accessible reporting systems for women and girls facing online harassment and misogyny.
  • Online fraud: Implementing systems to detect, deter and prevent fraudulent activities.
  • User empowerment: Providing users (especially children) with tools to control their online experience, including content filtering tools.
  • Transparency: Categorised services will need to demonstrate transparency in how they are protecting users and complying with their obligations.

What does your business need to do now?

  • Determine whether each service offered by your business is within the scope of the OSA: If the answer to the above question is yes, consider whether each service is categorised and, if so, what category. Begin preparing for the necessary risk assessments and designing systems to mitigate those risks. Also ensure service terms have been updated as necessary, as certain provisions on what must be included in in-scope services’ terms are already in force.
  • Gather evidence: Start gathering evidence of potential risks, as Ofcom has indicated it plans to take swift enforcement action for non-compliance.
  • Get set for technological change: Ofcom has advised that services should remain proactive in implementing safety technologies, e.g. robust age assurance systems, and the OSA is set to impose even more onerous duties. Additionally, Ofcom is expected to consult in spring 2025 on further automated tools to detect harmful content, which may lead to even stricter rules.

What sort of challenges might your business face in meeting the demands of the OSA? How significant will these be, given the scale of the changes required, both technical and organisational (e.g. terms updates)? If, for example, your business needs to implement age verification and proactive monitoring tools, this is going to require substantial technological investment and ongoing maintenance. There will be some financial assistance to ease the burden – Ofcom indicates that measures will be put in place – but this will only be the case for small and medium-sized enterprises. The majority will have to bear the full brunt of the significant costs involved.

In summary, the revised timeline is a welcome update by Ofcom. Despite some aspects being later than originally expected, much work is still required – not just from Ofcom, but also from the multitude of affected businesses which must ensure they are compliant by the relevant deadlines.

With thanks to Katja Obed for preparing this article.

This article first appeared on Lexology.