Internationally there has been a significant drive to address online harms, particularly in protecting children's experiences online. In the UK, Ofcom have recently published their final version of the Illegal Harms Codes and guidance on Age Assurance, which follows on from the UK Online Safety Act.
In the UK, the Online Safety Act (OSA) passed into law in October 2023. At that time the basic provisions of the Act came into force, including appointing Ofcom as the regulator responsible for enforcement.
The detail of enforcement was left to guidance and Codes of Practice, which were to be developed by Ofcom. Following a long consultation period, Ofcom published the final version of the Illegal Harms Codes and related guidance in December 2024. Ofcom then further developed the enforcement guidance this month, setting out how it expects the industry to carry out children's access assessments and achieve effective age checks.
Publication of the Illegal Harms Codes and guidance now means that online platforms have certain obligations that must be completed by 16 March 2025. As explained in our earlier article, there are different categories of services identified under the OSA, with different obligations on each, but broadly speaking the OSA is targeted towards user-to-user services (where content is generated by the users), search services, and businesses that publish or display pornographic content.
This marks a significant shift from the current regulatory framework (based on the EU e-Commerce Directive of 2000), which only creates liability for such service providers if they are put on notice of illegal content. The new framework requires service providers to be proactive and demonstrate their accountability.
One of the key aspects of the OSA is that the laws do not just apply to those businesses located in the UK but also to those that have a significant number of users in the UK or where the UK is a target market. As a result, Ofcom estimates that around 100,000 businesses may be caught by the provisions of the OSA.
Ofcom has also published a tool to allow businesses to do a preliminary check of whether they are subject to the provisions of the OSA.
What do businesses need to do by 16 March 2025?
Service providers subject to the OSA must complete assessments by the 16 March deadline, assessing the risks that illegal harms may pose to users of their service.
These assessments must also set out how the service provider intends to tackle these risks. Ofcom has provided guidance on what it expects to be included in the risk assessment, including risk profiles which can be used as the basis for the assessment.
Each service provider must appoint a senior person who is responsible for overseeing the accountability of the business, i.e. ensuring the business is compliant with the illegal content safety duties, as well as reporting and complaints requirements. There should also be a written statement of the responsibilities for senior managers who make decisions relevant to illegal harms.
These measures demonstrate accountability, but service providers must go further and establish mechanisms for proactively seeking and removing this content. Such mechanisms include content moderation teams, easily found reporting functions, and regular algorithm testing to ensure that it is harder to disseminate such content on their platforms. These measures must be in place by 17 March – it is not enough to have simply conducted the risk assessment.
Ofcom has indicated there will be further expansions of the Codes in Spring 2025, which will include guidance around crisis response protocols for emergency events (e.g. dealing with misinformation around such events) and on the use of artificial intelligence (AI) in tackling illegal harms, in particular in obstructing Child Sexual Abuse Material (CSAM).
Effective age checks
Phase 2 of the OSA's implementation has a particular focus around children and, as noted above, Ofcom has begun this phase by publishing its guidance on how it expects providers caught by the OSA to prevent children from encountering harmful content online, as well as providing template children's access assessments.
User-to-user and search services now have less than three months (until 16 April 2025) to carry out their children's access assessment, i.e. to assess whether or not their service is likely to be accessed by children. Ofcom has stated that it anticipates that service providers are likely to determine that their services will be accessed by children, unless they can show that they already have robust age assurance measures in place.
The next stage will see publication of the Protection of Children Codes and further guidance on children's risk assessments in April 2025. Those services that have carried out their children's access assessment and concluded that their services are likely to be accessed by children will have a further three-month period from April in which they must carry out a children's risk assessment. On the back of that assessment they must then implement appropriate protection measures in line with the Protection of Children Codes, which may include age verification.
Services that publish their own pornographic content must also now take steps to have age assurance processes in place. Those services that allow user-generated pornographic content have slightly longer but they too must have highly effective age assurance measures in place by July 2025, with the result that by July all services offering pornographic content should have age assurance measures in place.
The guidance issued around age verification is intended to be technology-neutral and future-proofed. It includes statements around methods that Ofcom considers are not effective, e.g. self-declaration and contractual restrictions, as well as methods that it considers to be effective. The list of effective methods is non-exhaustive but, whatever the method chosen, no harmful content should be visible before the age verification check has been completed.
Penalties
Ofcom can impose penalties of up to £18 million or 10% of worldwide revenue, so the threat to businesses found to be non-compliant is significant.
While wishing to allow businesses time to ensure they have the relevant functions in place, Ofcom's statement in December indicated that it "won't hesitate to take early action against deliberate or flagrant breaches".
While Ofcom may be focussing its early supervisory engagement on the largest and riskiest providers, this does not mean that non-compliance by smaller providers will be ignored. It is therefore key that all service providers caught by the legislation – whether large or small – complete their risk assessments without delay.