Introduction
The UK’s Online Safety Act (OSA) imposes extensive obligations on certain types of online service providers to protect users from illegal and harmful content. A key focus of the OSA is the protection of children online, and special obligations are conferred on service providers whose platforms are “likely to be accessed by children”.
Under the OSA, Ofcom, the UK’s online safety regulator, is required to issue guidance and Codes of Practice setting out the practical steps relevant services should take to comply with these duties (Children’s Codes) to help protect children online. Related to this, Ofcom launched a consultation on that guidance and the Children’s Codes.
Interested parties have until 17 July 2024 to submit responses. Businesses which could be impacted by these measures – e.g., those that operate or are involved with regulated user-to-user (U2U) services and regulated search services which children can access – should consider whether to file a response. This may be the only opportunity to make your voice heard in relation to these important changes.
In order to better help you understand the proposals in the consultation and determine whether to respond, this blog summarises:
- The background to the child safety duties imposed by the OSA.
- How a provider can determine if its services are “likely to be accessed by children”.
- The risks of enforcement for breaching those duties.
- Ofcom’s key proposals in the Children’s Codes.
- Next steps for the consultation.
For more background on the OSA, please see this November 2023 Cooley alert, Decoding the UK Online Safety Act 2023: Latest Draft Guidance, Key Features and Insights, which describes the types of services that are in scope of the legislation, the wide-reaching obligations the legislation imposes, compliance tips and enforcement risks. Also see our April 2024 update, Online Safety Act Update: Ofcom Proposes Categorisation Thresholds, summarising some of the latest key developments.
What child safety duties are imposed under the OSA?
While many OSA obligations apply to all in-scope providers, there are additional obligations which apply to services that are “likely to be accessed by children”. These duties relate only to the parts of a service possible for children to access.
Service type/category | Summary of child safety obligations |
Regulated U2U services likely to be accessed by children (e.g., social media, messaging services, marketplaces, etc.) | Take proportionate measures relating to the design or operation of the service to effectively: Mitigate and manage the risks of harm to children in different age groups, as identified in the regulated service’s most recent children’s risk assessment. Mitigate the impact of harm to children posed by content that is harmful to children present on the service. Use proportionate systems and processes designed to: Prevent, including through age verification or age estimation (or both), children of any age from encountering ‘primary priority content that is harmful to children’ (e.g., pornographic content or content which encourages suicide).Protect children in age groups judged to be at risk of harm from encountering other content that is harmful to children, which is classified as ‘priority content that is harmful to children’ (e.g., abusive content and content which incites hatred, bullying and/or unsafe challenges/stunts). |
Regulated search services likely to be accessed by children (e.g., search engines) | Take proportionate measures relating to the design or operation of the service (including age verification or age estimation) to effectively: Mitigate and manage the risks of harm to children identified in the service’s most recent children’s risk assessment. Mitigate the impact of harm to children presented by search content that is harmful to children. Use proportionate systems and processes designed to: Minimise the risk of children of any age from encountering primary priority content that is harmful to children.Minimise the risk of children in age groups judged to be at risk of harm from encountering other content that is harmful to children. |
How can a provider determine if its services are ‘likely to be accessed by children’?
All regulated U2U services and regulated search services must conduct a children’s access assessment to determine whether their service (or a part of it) is likely to be accessed by children. This assessment must be kept under review and conducted annually. Most providers must complete their first assessment within three months of Ofcom publishing its final children’s access assessment guidance (which may be in early 2025).
Additional considerations here include that:
- Providers must use age verification or age assurance (e.g., photo ID matching) to conclude that it is not possible for children to access their service. Certain age assurance methods are considered unacceptable for these purposes – including payment methods which do not require the user to be over 18 and self-declaration of age.
- If a children’s access assessment determines that the service (or part of it) is likely to be accessed by children, it must then carry out a children’s risk assessment and take appropriate steps to keep it up to date.
- If a service fails to complete a children’s access assessment, it will be considered likely to be accessed by children from the date by which the access assessment should have been completed and will be subject to the relevant duties.
What are Ofcom’s enforcement powers, and what is the risk to buinsess of noncompliance?
The stakes are high when it comes to noncompliance (summarised below), which is why ensuring that the guidance and Children’s Codes are helpful and practical for businesses is important. With strong enforcement powers like these, businesses do not want confusion over how they are meant to comply.
The enforcement powers and risks of noncompliance include:
- Investigations:Children’s access assessments are an “enforceable requirement” under the OSA. This means that in-scope companies must co-operate with investigations by Ofcom into whether a service has failed to comply with the requirements. Ofcom has stated that it will engage with the largest and riskiest services via continuous regulatory supervision, including – where necessary – by making formal and enforceable requests for information.
- Fines:Following an investigation, if Ofcom finds a service has contravened its obligations, it has the power to impose a penalty of up to 10% of qualifying worldwide revenue or 18 million pounds (whichever is greater) and require remedial action to be taken. Ofcom has been vocal about its willingness to use its enforcement powers where necessary, with its Chief Executive Dame Melanie Dawes reportedly stating that Ofcom will drive change “with every possible tool that we’ve got”.
- Business disruption:In the most serious cases of noncompliance, Ofcom can seek a court order imposing business disruption measures – effectively shutting down access to services in the UK.
- Data protection risk: As set out in a recent joint statement, services subject to both the online safety and data protection regimes may be considered “companies of mutual interest” by Ofcom and the Information Commissioner’s Office (ICO). If so, Ofcom and the ICO may decide to collaborate on regulation of that company, such as by routinely sharing information with each other. For the ICO, the protection of children online has long been a key priority, signified by its Children’s Code, updated Opinion on Age Assurance and 2024 – 2025 Priorities for Protecting Children’s Personal Information Online. “Companies of mutual interest” should therefore take particular care to address the requirements of both regulators in respect of children’s safety.
- Reputational risk: Interestingly, there have been several reports indicating that Ofcom may publicly name service providers that fail to implement appropriate measures to protect children. Ofcom also has wide-ranging powers to require services to be more transparent, and certain providers have a duty to include measures taken to protect children in their terms and conditions.
What is Ofcom’s focus under the draft Children’s Codes?
The draft Children’s Codes build on the child protection measures in Ofcom’s consultation on protecting people from illegal harms online published in November 2023. Ofcom’s approach is risk-based, and many of the proposed measures will not be relevant to all services.
The Children’s Codes are extensive, with more than 40 recommended safety measures that fall into a number of broad categories. In particular, Ofcom spotlights three key areas:
1. Strong governance and accountability.
- Service providers should have appropriate internal oversight and accountability for children’s online safety.
- Ofcom recommends that U2U services and search services likely to be accessed by children should have a person accountable for the child safety, reporting and complaints duties.
2. Safer algorithms and foundational design choices.
- Services should know which of their users are children to ensure they are protected. Ofcom’s draft Children’s Codes therefore expect much greater use of highly effective age assurance.
- If a service operates a recommender system and is at higher risk of harmful content, it should identify who the child users are and configure algorithms and content moderation systems to filter out the most harmful content from children’s feeds and reduce the visibility of other harmful content. Children also should be able to provide negative feedback directly to the recommender feed, so it can better learn what content they do not want to see.
3. Providing children with information, tools and support.
- Should ensure clear and accessible information is provided to children in terms and conditions and publicly available statements.
- Should ensure children can easily report content and make complaints.
What happens next?
The consultation closes on 17 July 2024, and responses will be published both during and after. If you think that part or all of your response should be treated as confidential, you can let Ofcom know, and it will consider that request.
Ofcom will then assess the responses received and prepare its final guidance and codes. Below, we have set out the anticipated timeline thereafter:
- Early 2025 – Final guidance on children’s access assessments is expected to be published. Most services will then have three months from publication to carry out these assessments.
- Spring 2025 – Ofcom’s main statement on children’s safety duties is expected to be published along with its finalised proposals, including its final guidance on children’s risk assessments. In parallel, Ofcom will submit its Children’s Codes to the Secretary of State.
- Summer 2025 “ Subject to government approvals, the Children’s Codes are expected to come into force. Relevant services must then comply with the protection of children’s safety duties, and Ofcom can enforce against noncompliance.
Ofcom is planning an additional consultation later this year on how automated detection tools can be used to mitigate the risk of illegal harms and content harmful to children.
The consultation is an opportunity for in-scope companies to help shape the practical application of the OSA. Respondents can opt for responses (or parts of responses) to be kept confidential. If you would like to talk about responding, or about the application of the OSA more generally, please contact any of the lawyers below.
Contributors