UK's Online Safety Act 2023: What You Need to Know
What is the Online Safety Act?
The Online Safety Act received Royal Assent in October 2023 and is a set of laws that aim to protect individuals, especially children, online. The Act makes social media companies and search services more responsible for users’ safety on their platform, the risks of their services being used for illegal activity, and removing illegal content when required.
The entry into force of the Online Safety Act is dependent on the regulator, Ofcom, issuing several codes of practice and guidance, as part of a phased approach.
Who does the Online Safety Act apply to?
The Online Safety Act applies to organisations providing online services operating in the UK, even if those providing the services are located outside of the UK. This includes:
- Online services with a significant number of UK users,
- Instances where the UK is a target market,
- Where online services are capable of being accessed by UK users and there is a material risk of significant harm to users.
The regulator, Ofcom, has developed a tool to enable organisations to determine whether they need to comply; however, the Online Safety Act applies to organisations which fall into one (or more) of the following categories:
- User to User services – services where end users can publish and/or generate their own content, like and interact with content and interact with other users. This includes social media and content sharing platforms, but it can be broader, because it also applies to organisations which may have an ancillary add-on to core services which enables users to comment on content, leave online reviews or interact with each other, i.e. discussion forums.
- Search services – for example search engines that search the internet or comparison sites that search specific types of sites and provide users with end results.
- Pornography providers
What are organisations required to do, and what are the deadlines?
If your organisation is required to comply with the Act, there are several risk assessments that you will need to complete, in line with the published timelines, which are as follows:
- December 2024 – Ofcom published the Illegal Content Risk Assessment Guidance and the Illegal Harms Codes of Practice, kickstarting the requirement for organisations to complete their risk assessments and implement mitigation controls by 31st March 2025.
- January 2025 – Code on Age Assurance and Child Access Assessments – The Child Access Assessments require organisations to consider whether it is possible for children to access the platform, and whether children are likely to be accessing the platform. The deadline for completion for this assessment is 16 April 2025.
- March 2025 – Ofcom issued guidance on the protection of Women and Girls – tackling harms that affect that group i.e. misogyny, harassment, intimate image abuse.
- April 2025 – Children’s code of practice will be finalised, which will introduce the obligation for organisations to complete a children’s risk assessment. This will need to be completed three months after the code of practice is published (approximately July 2025). This is mandatory for organisations that have determined that a Children’s Risk Assessment is required based on the outcome of the Child Access Assessment.
What are the risks of non-compliance?
Ofcom has several ways of punishing organisations that do not engage with the requirements of the Act, which include:
- Fines of up to £18 million or 10% of qualifying world revenue (whichever is greater).
- Business disruption – This is a new power whereby Ofcom can order a third party to stop doing business with the offending provider. For example, if a platform did not engage with the requirements of the Act or failed to remove illegal content, Ofcom could issue enforcement to third parties, i.e. payment providers to stop providing services.
- Information gathering powers – Powers to request documents, complete audits, speak to staff members.
It’s also worth considering the reputational risk associated with adverse media coverage in the event of non-compliance.
How is the Online Safety Act enforced?
Ofcom will adopt a risk-based and proportionate approach to enforcement, so enforcement efforts will focus on larger organisations and ‘big name’ platforms with a greater reach and therefore a higher risk, i.e. social media/video sharing platforms.
Ofcom has already contacted a number of larger providers, to advise them of the requirement to complete the risk assessments and the deadlines. Ofcom has also indicated that larger providers may be required to provide copies of their risk assessments when the deadlines have passed.
However, all organisations caught by the requirements of the Act need to comply, irrespective of their size. Smaller organisations will not be ‘off the hook’, particularly if serious breaches occur.
What should your business be considering?
If your organisation has not been contacted by Ofcom, you may not be aware of the compliance requirements or the associated deadlines, so your first action should be to:
- Complete the interactive tool on the Ofcom website to check whether the Online Safety Act applies to your service. If the answer to this is yes, then:
- Complete your risk assessments, following the 4-step process and strengthen or implement controls to reduce the risks associated with illegal content appearing on your websites; and
- Once completed, keep your risk assessments under review, updating them to reflect any changes to the design or operation of existing online services, or any significant change Ofcom makes to Risk Profiles.
- Consider resource requirements to implement compliance with the Act – developing the risk assessments can be a time and resource intensive exercise, so consider whether you have the capacity, knowledge and expertise within your organisation.
Get expert support
To find out more, or for an informal chat about how we can help your organisation navigate the requirements of the Online Safety Act, please contact Louise Sadler, Senior Manager, Privacy and Data Protection.