U.K. Online Safety Act: The Impact on Tech Firms and Critical Compliance Considerations

The U.K. Online Safety Act (OSA) is part of a suite of new online-safety and consumer-protection regulations aimed at safeguarding users from harmful content on digital platforms. Its implementation is planned in three phases from 2025 to 2026.

Why it matters: Companies that offer online services — such as social media, photo and video sharing, chat, instant messaging, dating services, search, and mobile gaming — to users in the United Kingdom must act swiftly to meet the stringent compliance timelines.

Key deadlines: The finalization and publication of the illegal harms codes is expected in Q4 2024. After this, services will have just three months to complete an illegal harms risk assessment and comply with the proposed safety measures. (See timeline chart on the right.)

What’s next: Following the initial requirement, companies will need to perform a children’s access assessment by Q2 2025 or within 90 days after the regulator, Ofcom, publishes final guidance on this task.

OSA’s prescriptive nature

According to Ofcom, more than 100,000 companies — mostly user-to-user and search-services providers that target the U.K. market — could be subject to these rules. This means that the law has broad implications for technology firms of all sizes, from very large and well-resourced companies to small businesses or microbusinesses.

OSA is like the European Union’s Digital Services Act (DSA), which aims to protect the digital space against the spread of illegal content, but it is notably more prescriptive. OSA imposes a legal responsibility on companies to shield users, particularly children, from sexual exploitation and abuse, suicide and self-harm content, and terrorist and hateful content.

• Compliance failures could result in fines of up to £18 million or 10% of worldwide revenue, whichever is greater.
• In the most egregious cases, court-ordered business-disruption measures may be imposed.
• Beyond financial penalties, companies that do not act to safeguard their platforms risk reputational damage and loss of customer trust, given the moral severity of the harms and illegalities in question.

How prescriptive are the new rules? The draft illegal-harms codes, for example, consist of more than 2,000 pages of comprehensive guidance on what data should be considered, how product functionalities play into the risk of illegal harms and how measures should be implemented to mitigate those risks.

OSA’s heavy compliance workload demands that companies engage cross-functional teams; this task is not just for compliance and legal departments but also requires the involvement of various teams across the organization, including engineering and product teams.

Here’s a summary breakdown of the various phases:

Under phase 1, companies must assess safety risks arising from illegal content and carry out measures to address those risks:

• Ofcom outlines a methodology for the illegal content risk assessment, which specifies which product features may increase or decrease risk, the data points that must be collected and how they may impact risk.
• The regulator also spells out safety measures related to content moderation, terms of service, reporting and complaint mechanisms for illegal content, and recommender systems that companies must implement.

Phase 2 is structured similarly to phase 1 but focuses on child safety and pornography. In this phase, companies must:

• Perform an accessibility assessment to determine whether children can access their products.
• Conduct children’s safety risk assessments and carry out specific measures depending on the size and risk profile of the company.

Some of the measures also are similar to phase 1, and some touch on new topics such as age-assurance and user-support considerations for children.

Under phase 3, online services that fall under special categories, based on the number of users and functionalities, must comply with an additional set of heightened online-safety duties relating to transparency reporting, user empowerment, fraudulent advertising and user rights. Detailed guidance related to Phase 3 has yet to be released as of September 2024.

Risk assessment: A critical component of OSA

The comprehensive risk assessment is a significant component, and the first step to adhering to OSA’s requirements.

In Phase 1, companies are required to assess the risk of illegal harms, such as child sexual exploitation and terrorism, that may be encountered on their platforms. In Phase 2, the risk assessment must focus on the potential for children to be exposed to harmful content, such as eating disorders or bullying messaging, on their platform.

Each service that a company offers requires a risk assessment, meaning that large organizations with multiple platforms — like Meta with Facebook, Instagram, WhatsApp and Oculus — will need separate evaluations for each.

Major considerations when conducting the OSA risk assessments follow:

• Leverage existing risk assessment processes: OSA’s risk assessments have specific requirements, but they do not need to be conducted in a silo. Companies should evaluate existing risk assessments (e.g., DSA) to determine whether efficiencies can be gained by executing them in tandem with OSA’s and/or using a common methodology.
• Cross-functional support: While the risk assessments may be driven by legal, risk or compliance stakeholders, the process will benefit from the input of subject matter experts within the product, trust, safety and data teams. Specifically, it is critical to understand what data are available at the company that can be leveraged for the risk assessment.
• Tailored approach: Companies should consider the Ofcom guidance in conjunction with their risk profile and available resources when determining the best risk-assessment approach.

An effective risk assessment hinges on understanding and collecting the right types of information:

• User complaint trends are among the prescribed inputs for OSA’s risk assessment.
• For companies with well-tagged complaints processes, performing a complaints trend analysis related to harms should be straightforward.
• However, when complaints are not properly tagged, companies should expect a more labor-intensive process that requires a heavier manipulation of the raw data.

Comprehensive record-keeping and oversight of the controls are critical to ensuring compliance with OSA. Proper documentation and regular compliance reviews not only protect organizations from regulatory penalties but also ensure transparency and ongoing adherence to OSA requirements.

Companies must document and organize all necessary information to provide to the regulator. For companies with more than 7 million U.K. users, an independent assurance function, such as internal audit, must monitor the effectiveness of measures regularly.

OSA as part of a broader compliance program strategy

OSA is part of a broader global movement to enact a more rigorous and highly prescriptive regulatory landscape focused on online and digital service providers. These trends are clear:

• A growing number of regulators in the U.K. and elsewhere in Europe, as well as in Asia and the United States, are increasingly exploring (and, in several cases, enacting) regulation related to moderating harmful content on online platforms.
• Consumers are also demanding that companies change how they deal with the proliferation of illegal and harmful content online, as well as how they protect data privacy and counteract anticompetitive conduct, to name just a few issues.

While companies are tasked with establishing processes and controls to combat the immediacy of the OSA requirements, successful long-term and efficient compliance will be dependent on developing a cohesive strategy. Enabling elements for this strategy may include the following:

• A common risk register: Companies should inventory applicable regulations and develop a common scheme for grouping those requirements into broader risk categories. This risk register can act as a Rosetta Stone to identify areas where common requirements may warrant a more holistic solution and enable more efficient compliance.
• A comprehensive change-management process: Without a change-management process, compliance will always be a retroactive and/or point-in-time exercise. Companies should incorporate compliance in the development or product-design process. This will allow compliance by design, and retroactive product changes based on regulatory or legal obligations will be minimized.
• A common methodology for the assessment and disposition of risks: As noted above, there are several legal obligations (under DSA, for example) and industry standards (ISO) to conducting risk assessments. Companies should consider aligning the process by which risks are assessed and the assessment methodologies used across different obligations. This may include creating a standard scale for how risks are reported (e.g., high, medium, low) and the way information is collected to be used as input to minimize the impact on product and engineering teams.

OSA: Steps companies can take now

Technology companies are dynamic and fast-paced, which means that the specific steps needed to comply with OSA will differ depending on the size, resources and capabilities of each company. Regardless, extensive work will be involved for all companies in the scope of this law.

Here are several actions that companies should be taking now:

• Determine where your organization may have in-scope services, and which measures may be required for those services based on size and estimated risk ratings.
• Assess which of the recommended measures are in place, or where gaps may exist.
• Develop a plan to carry out measures, or alternate measures, within the prescribed timelines.
• Execute the illegal content risk assessment; finalize expected measures for each service based on results.
• Ensure that all risk assessment and measure records are documented.
• Invest in regular measure effectiveness testing and compliance audits to ensure that proper processes and standards are established and consistent with OSA requirements.