Ofcom issues draft guidance and launches consultation on the Online Safety Act 2023

Published on 11 December 2023

The question

What can platforms expect from Ofcom, as it steps into its new role regulating compliance with the Online Safety Act 2023 (the Act)?

The key takeaway

Ofcom is deploying its new resources and increased headcount to implement a fast-moving approach to regulation, and has already issued draft compliance measures and guidance on risk assessments and record keeping for industry review.

The background

After years of debate and parliamentary review, the Act came into force on 26 October 2023. It will impose requirements on firms to take steps that will aim to protect children and adults from all manner of online harms, ranging from content promoting suicide, to human trafficking communications, to child pornography. Read more about the Act here.

Much of the Act requires secondary legislation from the Secretary of State before it is effective, and Ofcom (as promised) is taking an active role in guiding what that secondary legislation, and later Codes of Practice, may look like.

The development

Mere days after the Act received Royal Assent, Ofcom launched the first of four consultations on how the Act will be implemented and enforced. The regulator is calling for industry input on measures it believes firms should implement, and also on draft guidance that will seek to inform and direct firms when they are considering how to implement the proposed measures which include:

  • measures proposed for user-to-user (U2U) services
  • measures proposed for search services
  • draft guidance on risk assessments and reviews
  • draft guidance on record keeping duties.

Proposed measures

The proposed measures are wide-ranging and comprehensive. For U2U services, they are split into the following headings:

  • Governance & Accountability
  • Content Moderation
  • Automated Content Moderation
  • Reporting and Complaints
  • Terms of Service
  • Default Settings and Support for Child Users
  • Recommender Systems
  • Enhanced User Control
  • User Access

Search service measures currently overlap slightly with the U2U proposals, although naturally there are deviations:

  • Governance & Accountability
  • Search Moderation
  • Search Automated Content Moderation
  • Reporting and Complaints
  • Publicly Available Statements
  • Search Design

Not all of the measures suggested by Ofcom are intended to apply to all firms. Instead, a firm will be required to implement more measures based on the size of the service provided, and the risk profile of that service.

This means a firm providing larger services (ie one serving an average user base greater than 7m users per month in the UK) will be subject to higher standards than a firm providing smaller services (ie less than 7m users). Further, a service's risk profile will fall into one of three categories: (1) low risk; (2) specific risk; and (3) multi risk.

Draft guidance

Based on the current guidance, all firms (irrespective of size) will be under a duty to carry out a suitable and sufficient risk assessment. These risk assessments will need to be reviewed annually, but also whenever Ofcom makes an update to the risk profile of the relevant services, or the firm makes a significant change in relation to the design or operation of its services.

The guidance in relation to record keeping is currently quite vague and fairly uncontroversial, providing that risk assessment records must be kept in a durable, easy-to-understand format for at least 5 years. They must also be kept up to date, including making any necessary amendments when Ofcom issues new Codes of Practice – and it appears there will be many of those to come.

Why is this important?

The Act imposes broad compliance duties on firms providing online services. Larger firms are subject to heavier regulatory burdens, but even smaller companies are subject to a large portion of the measures Ofcom expects to see from complying businesses.

The consultation represents an opportunity to engage with Ofcom and to provide input that will be necessary to ensure the regulation and enforcement of the Act is done sensibly and practically. Non-compliance with the Act can incur criminal liability in some cases, and Ofcom has powers to fine firms up to 10% of global turnover.

Finally, whilst the guidance may be in draft form, it still offers useful insights into the approach Ofcom will be expecting firms to take when they conduct their risk assessments and the measures they are expected to put in place, as required by the Act.

Any practical tips?

  • Respond to the consultation. It represents a critical opportunity for businesses to have their say on how this critical piece of legislation will be interpreted and enforced by Ofcom.
  • Review the draft measures and consider their application to your business. Although not yet binding, it offers an insight into the sorts of measures which will need to be implemented once Ofcom is clear on what it wants to see. If your current processes fall short of the draft measures, the sooner you can identify your weak spots and areas for improvement, the better.
  • Look out for future Ofcom activity. Ofcom has been clear that it is working quickly on this and expects to launch four consultations on the Act in total. There is more to come, so keep it on your radar.

Winter 2023