Online platforms play a central role – from social media and search engines to messaging apps and marketplaces. However, as digital interaction grows, so does the responsibility to keep users safe. That’s where the UK’s Online Safety Act comes in.
This landmark legislation aims to create a safer online environment for children and vulnerable users by establishing new legal obligations for a wide range of online services. Whether your business is based in the UK or operates here from overseas, if you provide user-generated content, messaging, or search functionalities, the Act may apply to you.
This article explains what the Online Safety Act means for your business, the key obligations you must know, and what practical steps you should take next. While the legislation is complex and implemented in phases, the need to act is immediate. Our data protection solicitors can help you confidently navigate your obligations if you're unsure how they affect your organisation.
Contents:
What does the Online Safety Act mean for your business?
The Act was built on frameworks like the Information Commissioner’s Age-Appropriate Design Code to protect individuals online. It introduced new, stringent requirements to strengthen child protection, tackle illegal online activity, and enhance accountability.
The Act applies to various online services, including user-to-user services (such as social media platforms, messaging apps, marketplaces, and gaming platforms), search services (such as search engines that enable users to search for content), and platforms that host pornographic content. This law introduced substantial business responsibilities within its scope and appointed Ofcom as the primary regulator for online safety.
Ofcom is responsible for issuing guidance and codes of practice to help you meet your obligations. Although Ofcom’s codes of practice are not legally binding, and businesses can take alternative measures, following them will be presumed as compliance.
Key obligations are being introduced in phases. We will provide regular updates from Ofcom, so please check this regularly or contact our team of data protection lawyers. Some guidance and duties are already in place, while more will follow as implementation continues. Ofcom has begun enforcing specific responsibilities.
Ofcom estimated that over 100,000 online services will be subject to this law. This includes businesses across various sectors, such as social media, messaging, gaming, search, online advertising, and pornography. The law doesn’t just apply to UK businesses – it has an international reach and applies to services with “links” to the UK, regardless of where the company is based.
You must carefully assess if your services fall under the Act and take immediate steps to understand how to meet your specific obligations.
What are your key obligations?
The Act sets out various obligations based on the size, risk profile, and extent of children’s access to your service. The Act’s provisions are highly detailed, but in broad terms, some key obligations include:
- Taking steps to mitigate and remove illegal content quickly as directed under the Act
- Taking measures to prevent children from accessing harmful or age-inappropriate material using age assurance systems
- Conducting risk assessments to identify and address potential harms
- Providing accessible mechanisms for users to report harmful or illegal content
- Balancing safety measures with users’ rights to freedom of expression and privacy
- Maintaining compliance records and reviewing them regularly
- Implementing robust content moderation and age-verification systems
- Strengthening accountability through senior oversight and user reporting mechanisms
- Additional obligations apply to specific categorised services, determined by thresholds set in secondary legislation.
What are the risks of non-compliance?
Ofcom enforces the Act and holds significant powers to address non-compliance with it. Businesses that fail to meet certain key obligations could face fines of up to £18 million or 10% of their global turnover. Senior managers may even face criminal liability, such as failing to comply with Ofcom’s information requests. Beyond the financial penalties, non-compliance carries serious risks to a business's reputation, with widespread media attention and potential loss of trust from customers and stakeholders.
How can your business comply with the Online Safety Act?
The law is being implemented in phases, and if your business provides online services, now is the time to act by:
- Assessing your services: If you have not already done so, immediately determine whether your business falls under the scope of the Act by reviewing its provisions and Ofcom’s relevant guidance. Identify the covered services, applicable categorisations, and their specific requirements. Make sure you allocate resources effectively and minimise compliance risks.
- Staying informed: Monitor Ofcom’s updates and consultations to meet new compliance requirements. As implementation progresses, businesses will face increasing obligations. Regularly reviewing updates and refining your compliance practices will help you stay ahead of the curve. Ofcom publishes implementation updates and compliance roadmaps to help businesses prepare for the changes. You must stay on top of Ofcom’s requirements and meet new deadlines as they are introduced.
- Seeking legal advice: Given the law’s complexity, expert legal guidance is vital to fully understanding and effectively meeting your specific obligations.
Why taking action now matters
Understanding and responding to the Online Safety Act is not just a legal necessity – it’s a reputational imperative. With enforcement underway and additional provisions coming into force, now is the time to take action.
We recommend reviewing your digital services in light of the Act, assessing your risk exposure, and implementing appropriate safeguards to mitigate potential risks. Staying compliant will require careful planning, ongoing monitoring of Ofcom’s guidance, and, most importantly, a clear strategy tailored to your business model.
Our data protection solicitors can help you assess your obligations and establish a compliance framework to protect your users, fulfil your legal duties, and stay ahead in a rapidly evolving regulatory landscape.
