The Online Safety Act (OSA) received Royal Assent on 26 October 2023, following its long journey through Parliament. It regulates the safety of users online in relation to user-generated content, requiring in-scope online user-to-user and search services (referred to as regulated services) to protect their users from certain types of illegal content and harms. In-scope services likely to be accessed by children (under-18s) will have additional obligations relating to different types of harmful content.
Duties in the OSA which relate to pornographic content are not covered in this article.
The OSA places obligations on providers of regulated services (or the relevant parts of them) likely to be accessed by children.
Services are likely to be accessed by children where:
A “significant” number means a number which is significant in proportion to the total number of UK users of a service or (as the case may be) a part of a service.
Potentially in-scope services are required to conduct a children's access assessment to determine whether children are able to access the service and the child user condition is met. The assessment should be based on the actual number of users of a service as opposed to its intended users and should be regularly repeated, in addition to being repeated on the occurrence of certain specified events.
Service providers can only conclude that children are not able to access the service (or part of it) if age verification/estimation is used with the result that children are not normally able to gain access. This does not include self-declaration of age. If a provider fails to carry out a first access assessment, the service will be considered as likely to be accessed by children until such time as the access assessment has been completed. Ofcom will also have powers to determine that a service is likely to be accessed by children where it has conducted an investigation of a service provider that has failed to carry out the assessment.
If an in-scope service provider determines that its services (or any part of them) are likely to be accessed by children, it will have a wide range of children-specific obligations under the OSA including:
Many of the children-specific obligations in the OSA apply to the different types of content that are harmful to children. The OSA splits these content types into the following categories:
There are provisions which set out how providers should make judgements about which category content falls into in Part 11. These include, among other factors, giving consideration to the impact the content will have on the way an individual acts as a result of the nature of the content and the manner of its dissemination. Cumulative harm can be considered.
The OSA takes a risk-based approach. As such, in-scope service providers are required to carry out a variety of risk assessments (as discussed in more detail here). Providers of services likely to be accessed by children are required to carry out children's risk assessments in addition to illegal content risk assessments and any others they may be required to conduct.
Ofcom will publish guidance on carrying out children's risk assessments. Service providers should then complete the children's risk assessment within three months from the "relevant day" (the first day on which the service is treated as likely to be accessed by children).
Service providers must take appropriate steps to keep the children's risk assessment up to date, including when Ofcom makes any significant change to a risk profile that relates to the services of the kind in question. A further children's risk assessment should be carried out ahead of any significant change to any aspect of a service's design or operation.
Where the children's risk assessment identifies the presence of non-designated content, the service provider must notify Ofcom of the kinds of non-designated content identified and the incidence of those kinds of content on the service.
All children's risk assessments should take account of the following matters (among others) that will have an impact on the risk profile of the service:
The OSA's provisions which relate to safety duties for protecting children apply to regulated user-to-user and search services that are likely to be accessed by children and only to the parts of a service likely to be accessed by children. Key obligations include requirements to:
Age verification and assurance to identify who is a child user or which age group a child user is in are examples of measures which could be taken for the purpose of complying with the above, even where there is no requirement to use them. Where they are required, they must be of such a kind and used in such a way to be highly effective at correctly determining whether or not a particular user is a child.
When determining what is "proportionate" for the purposes of compliance with the child protection requirements, the findings any children's risk assessment that has been conducted and the size and capacity of the service provider will be relevant factors.
Service providers are required to operate a service with systems and processes that allow users and affected persons to easily report content which they consider to be content that is harmful to children and that is present on a part of a service that is possible for children to access.
In addition, there must be an easy to access and use (including easy to use for children) complaints procedure allowing complaints about content that is harmful to children; compliance by services with children's safety duties; take downs of content; user sanctions; and incorrect age assessments.
The OSA sets out duties to maintain records of:
Ofcom will now begin to produce draft guidance and codes of practice around child safety duties. Ofcom currently plans to produce a draft code of practice relating to the protection of children around six months after its powers commence as discussed here.
It is clear that this new piece of legislation will create a lot of compliance work for in-scope service providers. Genuine thought will be required to assess risk and then implement appropriate mitigation measures. For further information on the OSA, please see here.
Louise Popple provides a table summary of the main obligations under the OSA.
1 of 9 Insights
Louise Popple looks at the range of businesses caught within the scope of the OSA.
2 of 9 Insights
Xuyang Zhu and Danielle Owusu give an overview of safety duties in relation to the different types of illegal and harmful content covered by the OSA.
3 of 9 Insights
Debbie Heywood looks at Ofcom's wide range of duties and powers under the Online Safety Act.
5 of 9 Insights
Debbie Heywood looks at what to expect from Ofcom as its powers under the Online Safety Act commence.
6 of 9 Insights
Miles Harmsworth takes a high level look at some of the key overlaps and differences that in-scope digital service providers will need to consider under both regimes.
7 of 9 Insights
Mark Owen looks at requirements to carry out risk assessments under the OSA.
8 of 9 Insights
Timothy Pinto asks whether the OSA has found the right balance between protecting freedom of expression, privacy, journalistic content and content of democratic importance, and protecting online users.
9 of 9 Insights