The first binding Codes of Practice under the UK’s Online Safety Act 2023 (OSA) have now been published, requiring those in scope to take immediate action to become compliant. In particular, it is now a legal duty to carry out risk assessments for in-scope services against 17 kinds of illegal harms – including terrorism, hate, child sexual exploitation and abuse, fraud, and encouraging or assisting suicide.
Background
Under the OSA, providers of regulated user-to-user and search services (service providers) have a raft of new duties, including to keep people safe from illegal harm. The duties are focused on service providers having the right systems in place to protect people from harm that could take place on their services.
Latest developments
On 16 December 2024, the UK’s Office of Communications (Ofcom), the online safety regulator, published:
- Illegal content Codes of Practice setting out separate recommended measures for user-to-user services and search service providers to take to ensure that they are compliant with their duties under the OSA.
- Risk assessment guidance to assist in assessing how likely users are to encounter illegal content on services – and, in the case of user-to-user service providers, how the service could be used to commit or facilitate certain criminal offences and what the impact could be.
These are the first binding Codes of Practice issued under the OSA (with more to follow relating to children’s safety in spring 2025). Publication of the Codes of Practice means the countdown to potential enforcement action has begun.
Key compliance takeaways
1. Your risk assessment dictates the steps you must take.
As part of your illegal content risk assessment, you will need to assess if your service has a negligible/low, medium or high risk for each of the 17 kinds of illegal content that need to be separately assessed.
This rating should be as accurate as possible because the recommended measures set out in the Codes of Practice apply based on the level of risk identified.
For example:
- If your service is negligible/low risk for all kinds of illegal harm, it is a ‘low-risk service’, and the minimum number of measures (i.e., likely those which apply to all service providers) would apply.
- If your service is medium or high risk for just one kind of illegal harm, it is a ‘single-risk service’, and more measures may apply.
- If your service is medium or high risk for two or more kinds of illegal harm, it is a ‘multi-risk service’, and further measures may apply.
2. Risk assessments must be completed by 16 March 2025, with implementation required from 17 March 2025.
The Codes of Practice must receive parliamentary approval before they are effective. Provided approval is obtained by 17 March 2025, in-scope service providers will need to start implementing the applicable measures set out in the Codes of Practice by then or run the risk of enforcement action, resulting in possible fines of up to 10% of global revenue or 18 million pounds (whichever is greater). Ofcom has been clear that it will not be pulling any punches when it comes to taking enforcement action straight away.
3. The new Codes of Practice have some differences from previous drafts.
Whilst the content of the final Codes of Practice (subject to parliamentary approval) remains similar to the previous drafts, there are some notable changes, including:
- The removal of the exemption for smaller file-storage and file-sharing services with fewer than 70,000 monthly UK users from the list of services having to implement ‘hash matching’ technology to flag child sex abuse material.
- The removal of the requirement to use keyword detection technology to analyse whether certain content is likely to amount to an offence for fraud.
- The introduction of a new content moderation measure for all service providers, which obliges services to implement a content moderation function to review and assess suspected illegal content.
- Requiring large service providers, or those providing services at medium or high risk of illegal harm, to allow a complainant to opt out of communications following their complaint.
- Allowing manifestly unfounded complaints (accurately identified as such) to be disregarded from the complaints procedure.
4. What can you do now to prepare?
- Appoint a team to carry out a risk assessment (if not already underway).
  - A substantial amount of time and effort will be required to carry out a risk assessment and implement new compliance measures to mitigate identified harms in time.
  - If you have not already started, now is the time to delve into your specific obligations under the OSA in order to be ready by mid-March 2025, with the first step being completion of a risk assessment.
- Carry out a scoping exercise to ensure you are completing the correct assessments (given different measures in the Codes of Practice apply to different services based on a range of factors). Relevant considerations include:
  - The type of service provided: Different Codes of Practice apply depending on whether you are providing a user-to-user service or a search service.
  - The number of users your service has: The number of monthly active UK users is the criterion used to classify services by size – e.g., a service which has more than seven million monthly active UK users is considered a ‘large service’.
  - The features of your service: Certain measures apply in respect of particular functionalities – e.g., predictive search functionality.
- Read Ofcom’s risk assessment guidance to find out more about how to complete your risk assessment. The guidance is lengthy and detailed – therefore, it is important to ensure you assess risks accurately, as your risk rating will have an impact on the measures that you must put in place to protect against those risks.
- It is possible to take alternative measures to the ones recommended in the Codes of Practice; however, if you choose to do this, it is important that you maintain a record of what you have done and how you consider the alternative measures to provide equivalent protection. Given the uncertainty involved in assessing whether your alternative measures are adequate and the risk of significant penalties if you get this wrong, we recommend seeking expert advice if you decide to adopt this approach.
- Set up a process which allows the risk assessment to be updated on an ongoing basis to reflect any changes to the design and operation of your service, as well as any further codes or guidance published by Ofcom in 2025.
What’s next?
There are several events on the horizon as the online safety regulatory regime takes form, including:
- The deadline to respond to Ofcom’s consultation about the fees and penalties regime for online safety.
- In January and February 2025, Ofcom plans to publish guidance on children’s access assessments, age assurance approaches, and protecting women and girls.
- Further Codes of Practice in respect of children’s online safety are anticipated in April 2025 (with July 2025 as the estimated deadline for completion of related risk assessments).