The Online Safety Act (OSA) received Royal Assent on 26 October 2023, following its long journey through Parliament. It regulates the safety of users online in relation to user-generated content, requiring in-scope online user-to-user and search services (referred to as regulated services) to protect their users from certain types of illegal content and harms. In-scope services likely to be accessed by children (under-18s) will have additional obligations relating to different types of harmful content.
Duties in the OSA which relate to pornographic content are not covered in this article.
Are your services likely to be accessed by Children?
The OSA places obligations on providers of regulated services (or the relevant parts of them) likely to be accessed by children.
Services are likely to be accessed by children where:
- it is possible for children to access the service (or any part of it), and
- there is a significant number of children who are users of the service/part of the service, or the service/part of the service is of a kind likely to attract a significant number of users who are children (the "child user condition").
A “significant” number means a number which is significant in proportion to the total number of UK users of a service or (as the case may be) a part of a service.
Potentially in-scope services are required to conduct a children's access assessment to determine whether children are able to access the service and the child user condition is met. The assessment should be based on the actual number of users of a service as opposed to its intended users and should be regularly repeated, in addition to being repeated on the occurrence of certain specified events.
Service providers can only conclude that children are not able to access the service (or part of it) if age verification/estimation is used with the result that children are not normally able to gain access. This does not include self-declaration of age. If a provider fails to carry out a first access assessment, the service will be considered as likely to be accessed by children until such time as the access assessment has been completed. Ofcom will also have powers to determine that a service is likely to be accessed by children where it has conducted an investigation of a service provider that has failed to carry out the assessment.
What are the child-specific duties?
If an in-scope service provider determines that its services (or any part of them) are likely to be accessed by children, it will have a wide range of children-specific obligations under the OSA including:
- duties to conduct children's risk assessments
- various safety duties, and
- transparency, reporting and redress duties.
Primary priority content vs. priority content
Many of the children-specific obligations in the OSA apply to the different types of content that are harmful to children. The OSA splits these content types into the following categories:
- Primary priority content that is harmful to children - pornographic content or content that encourages/promotes suicide, self-injury and eating disorders/behaviours
- Priority content that is harmful to children - bullying content or content which: (a) is abusive and targets race, religion, sex, sexual orientation, disability or gender reassignment, (b) incites hatred against people based on these characteristics, (c) encourages/promotes/instructs on serious violence against a person or a challenge/stunt likely to result in serious injury, (d) depicts serious violence or (in graphic detail) serious injury against a person/animal/fictional creature, (e) encourages self-administration of physically harmful substances)
- Non-designated content that is harmful to children - includes content not within the above categories but which presents a material risk of serious harm to an appreciable number of children in the UK.
There are provisions which set out how providers should make judgements about which category content falls into in Part 11. These include, among other factors, giving consideration to the impact the content will have on the way an individual acts as a result of the nature of the content and the manner of its dissemination. Cumulative harm can be considered.
Children's risk assessments
The OSA takes a risk-based approach. As such, in-scope service providers are required to carry out a variety of risk assessments (as discussed in more detail here). Providers of services likely to be accessed by children are required to carry out children's risk assessments in addition to illegal content risk assessments and any others they may be required to conduct.
Ofcom will publish guidance on carrying out children's risk assessments. Service providers should then complete the children's risk assessment within three months from the "relevant day" (the first day on which the service is treated as likely to be accessed by children).
Service providers must take appropriate steps to keep the children's risk assessment up to date, including when Ofcom makes any significant change to a risk profile that relates to the services of the kind in question. A further children's risk assessment should be carried out ahead of any significant change to any aspect of a service's design or operation.
Where the children's risk assessment identifies the presence of non-designated content, the service provider must notify Ofcom of the kinds of non-designated content identified and the incidence of those kinds of content on the service.
All children's risk assessments should take account of the following matters (among others) that will have an impact on the risk profile of the service:
- the user base (including the number of users who are children in different age groups)
- the level of risk to children who are users of the service encountering the different types of content harmful to children, taking into account different age groups, each type of content, and algorithms used by the service, and how easily, quickly and widely content may be disseminated
- the level of risk of harm to children presented by different kinds of content that is harmful to children, giving separate consideration to children in different age groups.
- the level of risk of harm to children presented by content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group
- the different ways in which the service is used and the impact of such use on the level of risk of harm that might be suffered by children
- the nature and severity of the harm that might be suffered
- how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users' media literacy and safe use of the service) may reduce or increase the risks identified, as well as identifying functionalities that present higher levels of risk.
Safety duties
The OSA's provisions which relate to safety duties for protecting children apply to regulated user-to-user and search services that are likely to be accessed by children and only to the parts of a service likely to be accessed by children. Key obligations include requirements to:
- Take or use proportionate measures relating to the design or operation of the service to effectively mitigate and manage the risks (and impact) of harm to children in different age groups (as identified in the risk assessment)
- Operate a service using proportionate systems and processes designed to prevent children from encountering primary priority content that is harmful to children by using age verification or estimation unless the terms and conditions indicate such content is prohibited and the policy applies to all users
- Protect children in age groups judged to be at risk of harm from other content that is harmful to children or that is non-designated content harmful to children from encountering that content via means of the service
- Specify in the terms and conditions (or another form of a publicly available statement) how the above and other protections under the OSA are to be achieved, including the use of any proactive technology. Providers should ensure that these explanations are clear and accessible in the terms and conditions/the public facing statement.
Age verification and assurance to identify who is a child user or which age group a child user is in are examples of measures which could be taken for the purpose of complying with the above, even where there is no requirement to use them. Where they are required, they must be of such a kind and used in such a way to be highly effective at correctly determining whether or not a particular user is a child.
When determining what is "proportionate" for the purposes of compliance with the child protection requirements, the findings any children's risk assessment that has been conducted and the size and capacity of the service provider will be relevant factors.
Content reporting and complaints procedure
Service providers are required to operate a service with systems and processes that allow users and affected persons to easily report content which they consider to be content that is harmful to children and that is present on a part of a service that is possible for children to access.
In addition, there must be an easy to access and use (including easy to use for children) complaints procedure allowing complaints about content that is harmful to children; compliance by services with children's safety duties; take downs of content; user sanctions; and incorrect age assessments.
Record-keeping and review
The OSA sets out duties to maintain records of:
- all risks assessments (including how these were carried out and their findings). A copy of this record should be provided to Ofcom
- measures taken to comply with duties under the OSA including the rationale behind a decision not to use methods provided for in codes of practice
- a review of compliance duties after making significant changes to any aspect of a service's operation or design.
What's next?
Ofcom will now begin to produce draft guidance and codes of practice around child safety duties. Ofcom currently plans to produce a draft code of practice relating to the protection of children around six months after its powers commence as discussed here.
It is clear that this new piece of legislation will create a lot of compliance work for in-scope service providers. Genuine thought will be required to assess risk and then implement appropriate mitigation measures. For further information on the OSA, please see here.